When the director of technology states that the IT infrastructure is up and available after a disaster, many believe it means that an organization can now begin to operate as normal. This is not completely correct; it’s only part of the solution. It’s like a car salesman pointing out a car on the lot; just because it’s sitting there doesn’t mean it’s ready for use – you need gas, a key and other bits before it’s ready for use. So, just because the technology infrastructure is ready, doesn’t mean it’s ready for use.
What’s happened is that the infrastructure has only been restored; the organization still needs other components in play before it can safely say it is back to operations – not necessarily ‘normal’ operations (Is it ever ‘normal’ to operate in disaster mode??). Yet when technology is restored there is the misconception that all must be well.
I like to keep 4 R’s in mind when an organization is getting back up on its feet after a major situation. Below describe four key stages that an organization must go through before it can state – confidently – that it’s back open for business – albeit, no doubt at reduced capacity and capability.
1. Response: Basically, this relates to the initial responsive activities an organization takes when a disaster occurs. It would include such things as evacuation & assembly procedures, communications (internal, external), crisis management, DR team activation, 1st aid/CPR assistance and other basic activities.
2. Restoration: This focuses on the restoration of technology/IT equipment and services. It does not automatically mean that once a server or application is restored that all is ‘well’ once again in the world. That’s not it al all. What it does mean that the organization has been able to get all the pretty green lights on and systems are restored. All the systems can ‘see’ each other, cables are connected and power is running to everything. The technology infrastructure is now ready for the next step.
3. Recovery: Recovery focuses on data. What data do you have? Have you lost any? Is it corrupted? What was lost when systems failed (regardless of the trigger)? Can you access it? It means obtaining the data (from whatever source) and validating that is usable (i.e. not corrupted) and available for users. It’s also to ensure that systems are actually speaking to each other; that files will pass from one system application to another, as expected. If they can’t, then there is an issue with the technology set or potentially with the data itself. In some instances, an IT and business user will validate that data has not been corrupted and if it is OK, it’s time to move to the next phase. If not, IT must go back and obtain the last set of data files that are OK and not corrupted but if not, users are now brought in for resumption.
4. Resumption: Resumption relates to the end user; the person using the recovered data that moves between the restored systems. This is the final step in the 4 R’s. Once systems are available and data has been validated and available for use, the user now can begin to perform their business operations in the order and frequency dictated by the departments Business Continuity Plan.
Some might say you can incorporate a 5th “R” to the mix; review. However, ‘review’ would actually fall into the maintenance category and the continued review of existing plans and procedures that aren’t just attributed to a disaster occurring. Review would occur after testing and validation for lessons learned and ensuring that disaster team members are kept up to date on expectations and reviewing various other BCM/DR program components (plans, processes etc) to ensure they are current and maintained on a regular basis. The 4 R’s strictly relates to a disaster situation.
The other part with review is that you can do this after a disaster has occurred or some other organizational incident, as a lessons learned. Review how you did and what needs to change.
Sometimes using quick little items like “the 4 R’s” can help illuminate the minds of executives that don’t fully understand – or pay attention to – BCM/DR.
(C) StoneRoad (A.Alex Fullick) 2013
Alex Fullick is the author of several books including his latest, “Business Impact Analysis: Building the Foundation for a Strong Business Continuity Program” (Available at http://www.amazon.com or http://www.stone-road.com/shop.)