Many IT departments have some kind of disaster plan in place. However, as recent headlines have demonstrated, the scale and business impact of a disaster in today’s interconnected world have ambushed many a CIO. Typically, a disaster plan will establish a recovery point objective and a recovery time objective for restoring infrastructure operations, while leaving many other business-critical processes unaddressed. For example, how will your employees get to work? Will they be able to maintain focus if their families’ health or safety is threatened? What happens if your backup tapes are damaged? What if power is not restored within 24 hours? What if your operations are unaffected, but your partners and suppliers are unable to deliver what your business needs?

IBM’s global crisis management team has been on site at more than 70 disasters in the past decade. We’ve seen that the typical IT plan for infrastructure recovery only scratches the surface of the issues that bring organizations down. The most common gaps were employee unavailability, communications breakdowns, extended power outages, damaged backup tapes, and travel and transportation restrictions. Many companies and agencies failed to take into account a disaster that was regional in nature and believed that, as long as they had multiple facilities and local cell phones, they would be able to maintain business operations.

Here are some of the lessons we’ve learned:

Personnel issues will be your primary concern — your plans should take into account your employees’ personal needs.
Power failures take down telecommunications — network providers and individual phone batteries require electricity.
Travel and transportation will be restricted — plan for disabled vehicles, limited rental car availability and dwindling fuel supplies.
Critical facilities should not be located in close proximity.
Resources should be staged in safe areas — switching equipment, generators and fuel tanks should be located above flood levels.
Data management challenges will arise — backup systems should not require physical connectivity to your infrastructure.
Insurance coverage is often inadequate — understand your coverage before disaster strikes, and document activities for adjusters.
Hardware may be damaged — develop and test a plan for replacing equipment and for disposing of unusable devices.

Cleaning up after Hurricane Katrina

A leading American manufacturer of household cleaning technology is headquartered in New Orleans, with its main manufacturing facility in southern Mississippi. Prior to Hurricane Katrina, it considered itself well-prepared for disaster, and in fact it had a plan that was more complete than most. It was operating in a distributed environment and storing backup tapes offsite. It also had planned for call center partners to take over communications, and for a local hosting partner to manage Web and retail recovery.

Even so, the company drew some critical lessons from the Katrina disaster. The company saved its business operations by moving key employees and their families out of the disaster area, so that they would be free to focus on restoring the business without the distraction of worrying about the safety of loved ones. It became clear that business continuity was not just an IT function, but rather a mindset and the result of an enterprise culture. The company also learned that political relationships are critical, and that business continuity planning must include and involve call center, supply chain and hosting partners.

On the IT side, the company learned that a simple shutdown and restart of operations was not enough to make the business operational. In a regional disaster, tape-based backup was not as reliable. In terms of restoration, it was reminded that the network is a critical system, and e-mail is the first application that needs to be recovered. One key lesson was that a flexible architecture could decrease recovery times and costs.

A proactive approach

As you create or update your business continuity plans, you’ll need to consider a number of areas that extend beyond the strict province of IT. An effective business continuity plan calls for an interdisciplinary, organization-wide approach. It should take into account the potential for a disaster to strike across an entire region, bringing down external infrastructures and supply chains. And it should incorporate both proactive and reactive elements. Many components, such as meeting service levels, data continuity and regulatory compliance, deliver additional business benefits. In our view, each aspect of such a comprehensive program complements the others; how much you need of each will depend on your existing state of readiness, your industry and your overall business goals.