Disaster Recovery Plan: Confidence in Tomorrow for the Whole Company and Quiet Sleep for IT


    Common situation?

    There is such a thing as business continuity. The field is already well developed, and it means that your business can keep working without disruption even after a meteorite hits the data center or office.

    Interestingly, in Russia today the successful implementation of business disaster recovery plans has a side effect: rapid career growth for the person who proposed and implemented them.


    It will not be easy to convince top managers to invest big money in defending against something that is unlikely to ever happen. To do so, you need to build an evidence base and demonstrate, figures in hand, that the business losses would be many times greater than the investment in reserves. A long-established methodology for analyzing the impact on the business will help here: Business Impact Analysis.

    Besides IT, other resources that a company needs in order to work in a crisis (personnel, office space, production facilities, and so on) are often considered as well. The standard "BS 25999-1:2006. Business Continuity Management" crystallized this definition: "Business continuity is the organization's strategic and tactical ability to plan its actions and respond to incidents and disruptions in the normal course of business in order to continue business operations at a certain acceptable level."

    Why do I need a DRP, or even a BCP?


    Any company that cares about its own business should work on ensuring business continuity. Yes, we are lucky to live in a seismically stable area, away from tornadoes, mudflows and volcanic eruptions. But for a company's business reputation, the loss of customer information due to a fire, a flooded server room, a terrorist attack (continue the list yourself) can be no less destructive. Even an ordinary outage of electricity or communication channels can lead to serious financial losses. For a bank, for example, this may turn into a panic among depositors, who will rush to withdraw their deposits for fear that their money is about to disappear. This, by the way, is every banker's nightmare.

    Moving in this direction will help increase the resilience of IT systems in general. Many technological and organizational solutions work not only for catastrophic failures but also for the more frequent failures of individual systems. So you will sleep more soundly at night.

    If, in addition, you work in a bank, then in accordance with instruction No. 2194-U of the Central Bank, your employer must have a plan for ensuring continuity and restoration of activity (ONiVD). It is quite possible that this document formally exists but contains only general words about IT. Making it concrete and enriching it would be a very good step.

    In addition to its main goal, the work of writing DRPs (restoration of the IT infrastructure) and BCPs (everything that a particular business process requires) lets you understand your IT systems and business processes. Very often this knowledge is not formalized and lives in the heads of individual experts, while nobody has an overall picture, least of all in the form of a document.

    Today, for many, this area is an opportunity for rapid career growth, since implementing such projects is not the strong suit of established IT departments. In many companies the topic of business continuity began to grow precisely at the initiative of IT specialists, not of risk consultants.

    Project implementation


    Continuity projects have several phases. To get the best result, it is better to go through them sequentially, although variations are possible.

    1. Business impact analysis and risk analysis. At this stage, the damage from downtime of business processes is assessed (at least at the level of expert opinion), along with the dependence of each business process on IT, key employees, equipment, communications, etc. If your project is purely an IT project, or if your business processes are not documented, you can start from the IT systems rather than from the business processes. This stage also determines which risks will be considered, and analyzes how those risks, if they materialize, would affect the business processes.

    Example: downtime of a popular social network (or online game) causes sharp panic and an outflow of users, plus growing popularity of competitors. Analysts determine the possible amount of damage and its likelihood, and form a budget for protection. It may turn out that maintaining a backup site with full duplication is significantly more economical than even regular failures of small systems that cause 2-3 minutes of downtime.

    2. Audit of current security. Very rarely do companies have comprehensive information about their infrastructure, including the information required for everyday work. The goal of this stage is to roll up your sleeves, examine everything, and understand how well protected you are now, where the weak spots are, and what needs to be done to minimize the risks. Some "bottlenecks" can be eliminated immediately and without high costs.

    3. The third stage is the development of a continuity strategy: technical and organizational measures that increase the company's preparedness for emergencies. Once it is complete, a reserve office can be rented, equipment purchased, communication channels leased, contracts concluded with contractors, etc.

    4. At the fourth stage, the business continuity plans (BCP) or IT system recovery plans (DRP) are actually written. They contain a clear sequence of steps: who does what, and when, once an emergency occurs. Every specialist should know exactly what to do and how, instead of running around the office in a panic and calling everyone.

    5. Follow-up exercises according to the plans, adjustment of the plans, and the launch of a mechanism for keeping them constantly up to date. Keeping a company prepared for an emergency is an ongoing process. Plans should be updated every quarter, and it is advisable to conduct exercises every six months. Only if these two conditions are met will all your efforts pay off when the problem happens.


    Happens

    How to start and what to strive for?


    1. Learn the fundamentals. There are a lot of terms and approaches in this area, and their exact meaning may not be obvious "from the point of view of banal erudition." To proceed to the second step, you yourself must understand exactly what you want and speak the same language as the industry specialists.
    2. Bring the idea to senior management. Without their support, the idea is doomed to failure. Spend several hours, days or weeks conveying to management, very clearly and vividly, what consequences catastrophic failures can lead to; it is advisable to put numbers on them. A rough estimate is very simple: take the annual turnover or profit of a business line or of the company as a whole, divide by 365, and you get a rough estimate of the lost profit for a day of downtime (provided, of course, that this area depends on IT). Direct losses and damage to reputation must be added to it, but this can be done later.
    3. At this point, or even a little earlier, it makes sense to bring in an external consultant. His experience can be the decisive factor for success at the initial stage, when the sheer number of tasks and of people whose systems must be taken into account in the project is overwhelming. But even if the most experienced consultants are involved, you and your team must have a strong desire to see the project through to the end; it will be a long and difficult journey.
    4. Limit the scope of the project. It is better to do it for a few of the business processes / IT systems that are most critical in terms of downtime than to tackle everything at once and not achieve a result.
    5. Form a steering committee consisting of top managers and appoint a professional and respected project manager. Great, if that's what you are.
    6. Prepare a realistic project plan. Depending on the size of the organization, the work can last from several months to a year. If your project is expected to take longer, it is better to split it into several subprojects or limit the scope.
    7. Get the best experts possible. In many ways, this requires management support. The experts are usually already busy, and their priorities will need to be adjusted.
    8. Go through all the stages, and under no circumstances skip testing and rehearsing emergency situations in the spirit of "training alarms".
    9. Regularly update the plans, add new systems to them, and always ask yourself the question "what will I do if it fails?"
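
    The rough estimate from step 2 (annual turnover divided by 365) combined with the damage-and-likelihood reasoning from the business impact analysis phase, as an added example that is not part of the original article. It generalizes the one-line estimate to several processes and outage scenarios; the IT-dependency share, the scenario frequencies and all figures are constructed assumptions.

```python
from dataclasses import dataclass

DAYS_PER_YEAR = 365  # divisor from the article's rough estimate

@dataclass
class Process:
    name: str
    annual_turnover: float  # yearly turnover (or profit) of the business line
    it_dependency: float    # assumed share (0..1) of the line that stops with IT

@dataclass
class Scenario:
    name: str
    outages_per_year: float  # likelihood, expressed as expected frequency
    days_down: float         # downtime per outage, in days

def loss_per_day(p):
    """Rough estimate: annual turnover / 365, scaled by IT dependency."""
    return p.annual_turnover / DAYS_PER_YEAR * p.it_dependency

def expected_annual_loss(p, scenarios):
    """Lost profit only; direct losses and reputational damage are added later."""
    return sum(s.outages_per_year * s.days_down * loss_per_day(p) for s in scenarios)

def rank_processes(processes, scenarios):
    """Most expensive downtime first: the candidates for a limited project scope."""
    rows = [(p.name, round(expected_annual_loss(p, scenarios), 2)) for p in processes]
    return sorted(rows, key=lambda r: r[1], reverse=True)

def reserve_pays_off(processes, scenarios, annual_reserve_cost):
    """True when expected yearly losses exceed the yearly cost of the reserve."""
    return sum(expected_annual_loss(p, scenarios) for p in processes) > annual_reserve_cost

# Constructed sample data, not figures from the article.
PROCESSES = [
    Process("branch lending", 73_000_000, 0.5),
    Process("online payments", 365_000_000, 1.0),
]
SCENARIOS = [
    Scenario("data center fire", 0.02, 10),  # once in 50 years, 10 days down
    Scenario("power outage", 2, 0.25),       # twice a year, 6 hours down
]

if __name__ == "__main__":
    for name, loss in rank_processes(PROCESSES, SCENARIOS):
        print(f"{name}: expected loss per year {loss:,.2f}")
    print("reserve at 500,000/year pays off:",
          reserve_pays_off(PROCESSES, SCENARIOS, 500_000))
```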

    If there is further interest, I can tell you which specific measures give 80% of the result for 20% of the work and cost. Simply put, with a number of simple actions you can prepare the company for an emergency; then, if such a situation does happen (even a not very serious one), you can prevent the consequences and collect data that will help convince management of the need to implement the complete process.

    And one more thing: if you have had cases where thoughtful planning for a "rainy day" really helped, please tell us in the comments.
