Well, after finishing the draft on book #4, completing a newsletter for the TIEMS organization and working on some marketing initiatives for StoneRoad (and Madaemen, a division of StoneRoad), I can finally get back to a few blog/article postings. Enjoy…
Having been in the industry for many years (17 and counting) I get asked quite a few questions; from what is BCM (get that one a lot) to how do I get started? I’m happy to help with answers and try to provide a knowledgeable and suitable response, tailored to the person(s) asking. Recently, I was asked by a friend what his company needed for an IT Disaster Plan? Well, I could be sarcastic and say ‘you’ll need technology’ though I didn’t think that would go over well. I decided to take a different approach and first find out how far along his company was on the BCM/DR road. Turns out, not very far at all.
I started asking a few basic questions to help gauge where they were. I could tell by his initial question that the company wanted to start building an IT Disaster Plan immediately, skipping many of the other BCM program development components that help lead to the proper development of the IT DR plan. This occurs for many corporations, where they jump into the solution building before they even know what the solution should be or why they are building the solution and for what the solution supports. Kind of like trying to do a puzzle without knowing what the picture is.
Not to recreate our entire conversation, here are some of the questions I posed to him – to take back to the office – to help determine what the company should / shouldn’t consider.
- What are your critical processes/services/departments? – If you don’t know this, what are you building for?
- What is your critical data? – For many, not all data is critical. Is development data (dummy data) critical? Probably not.
- When do you need it? – If you don’t know when you need your data (and services/process) up and running, then you’re really in trouble because you don’t even know when to restore/recover IT, let alone what you need to do it.
- How much can you lose? – This is the question ain’t it? What’s it gonna cost for me (the company) to be off-line and how long can I suffer losing money?
- What’s the Maximum Acceptable Outage (MAO) for systems/services to be off-line? – How long I can tolerate an outage will help determine what I need to have in place for backup, restoration and recovery equipment/resources.
- What’s core to your business? – You’ve got to know what is core to the business so that your key/core service/product/system is highlighted as the top IT DR priority.
- What’s your current backup strategy? – Always good to know where you stand in the present day, as it helps determine where you’ve got to go in the future.
- What is your current Recovery Time Objective (RTO)? Recovery Point Objective (RPO)? – Where did the numbers come from? Who decided on what they are? You might know the RPO based on your current situation but that doesn’t mean it’s acceptable. All too often business units believe data will be available first-thing, when that’s not the case at all. They also don’t realize that there is the possibility of lost data because an entire day’s work can potentially be lost.
- Who is determining what is critical to the company; business users, IT Management or Senior/Executive Management? – Let’s face it, if the Sr. Execs haven’t told you what’s important to the company, then you better find out cause you might be on different playing fields with different expectations before you ever get started.
- What were the results of your Business Impact Analysis (BIA)? – This is key and ensures that the final findings are agreed-to by the executive; otherwise the BIA findings are just the results of each individual department, which may not be in line with what executives believe to be critical/key/important to the company. If they validate the findings, you’ve got your marching orders for the next steps. If they don’t agree with them, you’re going back to square one to find out where the discrepancies are (i.e. inter-dependencies, identified core processes in line with corporate strategy and direction…).
We talked more but these were some of the key questions I touched upon. The last one – #10 – was actually the first question asked.
He then asked a 2nd question; “How do we know if we should use a vendor or not?” The context related to a decision on when to utilize a vendor DR Site.
Really, there’s only one answer; what were the results of your BIA? When you know the answers you can then move on to answer the other questions that will inevitably be asked:
- Do we need an IT DR strategy at all? – Based on the BIA results, what is our current capability?
- Can we do it internally? – Do we have the resources available to build/configure an appropriate restoration/recovery strategy?
- Do you have the facility(ies) if we go internally? – You may have multiple locations and one of them has a floor that is completely empty…could this become the alternate IT location? You’ll need to investigate but it’s an option.
- What’s the cost to do it internally? – Again, it’s the main question; how much will it cost the corporation to put an acceptable strategy in place?
- What resources (physical & financial, employees) do we need to meet the RTO? – Based on what the corporation currently has available (and current restoration/recovery strategy in place) what would be needed to ensure that the RTO’s can be met?
- What are our options if we go external? (I.e. cold, warm, hot site configurations) – Investigate your options, as to what vendors to speak to and determine what is needed to meet the RTO’s. You may only need a warm site over a hot site depending on the BIA findings and current (internal) configurations.
Building an IT Disaster Recovery Plan or as I like to call it, a “Technology Recovery Plan (TRP)” can’t just happen without proper inputs. You can’t build a house for someone without knowing what they need and want, so how can you build an IT DR plan without knowing what’s required and why? You can’t. What’ll happen is that a restoration/recovery strategy will be developed – at considerable cost – and yet it won’t meet the needs of the organization. It can over-deliver and exceed the need but then you’ve spent a lot of money you didn’t have to. It’s better to build what you need – with the ability for it to grow – rather than building something in the dark that won’t meet any requirements. Then the re-work begins and it’s like starting over; again, by spending more money, which you may not have.
Well, when we finished our conversation my friend said he had lots to take back to his boss. The last time I spoke to him they were deciding on the BIA… Hmm, wonder if they need some help with that? ;)
(C) Stone Road Inc (2012)
“Heads in the Sand: What Stops Corporations From Seeing Business Continuity as a Social Responsibility” and “Made Again Volume 1 – Practical Advice for Business Continuity Programs” and “Made Again – Volume 2.”
by StoneRoad founder, A.Alex Fullick, MBCI, CBCP, CBRA, ITILv3