In your business, you are probably the only one tasked with understanding what types of disasters can strike your business and the task of planning to prevent those disasters from bringing down the business. As Alan Lakein said many years ago, “Failure to plan is planning to fail”. As an information technology professional, one of your many tasks is to understand the risks to your business systems and plan to prevent or overcome those risks from impacting your business.
About 40% of businesses do not re-open after a disaster and another 25% fail within one year according to the Federal Emergency Management Agency (FEMA). Similar statistics from the United States Small Business Administration indicate that over 90% of businesses fail within two years after a disaster.
Understand The Risk
Do you even understand the risks to your business? Have you looked at the systems you business uses and depends on each day and though about what would happen if they systems were unavailable? Have you though about the common risks for the area, including tornadoes, earth quakes, hurricanes, floods, etc.?
Maybe there are risks unique to your location, like frequent power outages, danger of break-ins, poor building construction, etc. Each of these unique threats can be just a dangerous as natural disasters. You don’t want someone stealing your servers or hard drives in the middle of the night, or cracks in the walls leading to mice chewing through your network or power cables.
You need to think about each of the risks scenarios, an write down you plan for how you and your team would address those scenarios to keep the business up and running with minimal down time. You may have to adjust the plan to address concerns about cost and time, but there may be periodic changes as system and risks change.
- List of Employees (what they do, when they do it, why the do it, etc.)
- Inventory Systems (office equipment, servers, laptops, etc.)
- Office Space Requirements (can everything be done remotely, or will the users need office space to access restored systems)
- Insurance and Budget Concerns (who will provide money during an actual recovery)
- Share The Plan (make sure you aren’t the only one with a copy of the plan, and the plan can survive the disaster)
Just like database backups aren’t useful if you can’t restore them, a Disaster Recovery Plan is worthless if you can’t implement the plan. You should conduct a formal test at least once each calendar year, testing if the plan will work for one or more of the scenarios you are planning against. The test should be a realistic as possible, and make sure you have a method of measuring the level of success.
There will be issues, like a system that wasn’t included in the written plan, or a technical issue that you didn’t know existed, to something a simple as unknown system passwords or missing software installation keys. But that is what a test is all about. You have to test tot find those little things that were forgotten or unknown, and then update the written plan to make sure it isn’t an issue during the next test. Eventually you will have everything you need addressed in the plan, and the next test will go smoothly. That means in the event of a actual disaster, when you are confused and under an elevated level of stress, you are more likely to get these core production systems up and running quickly.