WhatIs.com defines Disaster Recovery (“DR”) as “an area of security planning that aims to protect an organization from the effects of significant negative events. DR allows an organization to maintain or quickly resume mission-critical functions following a disaster.” I think this is a fairly good definition. Your DR plan must first identify what those significant negative events might be, and then set about planning how to deal with them should they occur.
When it comes to business DR planning, your business operating systems (ERP, Billing, Order Taking, Inventory Control, CRM, etc.) are usually the first things most people think of because they will affect all businesses. But this is just part of your total DR review, as there are many non-system related issues that could cause temporary or permanent disruption to your business. I am going to break this down into two segments: Operating systems (servers, data files, ERP systems, etc.) and everything else.
Regarding operating systems DR planning, many people confuse systems DR with data backup. Backup generally aims to secure data and allows you to recover that data should it get lost or corrupted. DR is aimed at getting you up and running again after something disrupts or destroys a portion or the entirety of your system(s). That backed up data is just one piece of the DR plan, albeit a critical piece.
The first step to DR planning is committing to the process. Find the time. Next identify what systems/processes should be functioning to operate your business effectively and how quickly you need them to begin. Start by listing them and then prioritizing them. ERP systems that allow you to take orders and process production or services will probably be first on the list. Others can follow. IMPORTANT: Be sure you are speaking with your whole organization, including IT and production groups when you go through this process. You may not realize the interdependencies between all these functions.
Now you should identify how quickly you need these functions to get back up and running. Your first instinct may be to demand they all be available immediately. The reality is, the more seamless and timely the recovery, the more expensive and complex it will usually be. You must take a serious look at how much downtime your business can accept without doing too much damage and perform a cost/benefit analysis. So much of this really depends on how your business operates. Some businesses can afford to be down a full business day without great repercussions, while others will suffer greatly after only a couple of hours.
Next consider from where you are going to recover. Was your facility damaged by Mother Nature and and therefore unusable? Do you have a secondary location that is far enough away geographically that the same storm would not have damaged? Do you have a separate location available if needed with the proper services, electrical, internet, water, loading areas, etc. that could be up and running in short order? How about a Cloud-based solution to allow you remote access to continue business? These are all viable options depending on your situation. The Cloud is becoming more attractive everyday with the expansion of capabilities coupled with ever-reducing prices. Remember the Cloud is nothing more than a network of servers housed in various locations, with the intention of offering security and redundancy of your operating capabilities and data storage. It could be a location down the street or the use of several locations nationwide.
Don’t forget that your plan should define who does what and in what order, and this plan needs to be periodically tested and practiced. I have seen situations with what appeared to be a great backup and redundancy plan, but when tested years later, it did not work. Things change, people come and go, so periodic testing is imperative.
Aside from operating systems, DR must consider all the other potential threats to your business. This side of DR is often referred to as Business Continuation (Continuity) Planning. It could include:
- Loss of a key vendor, customer or employee. If you only have one source for a critical component or only one person knows how to do something important, that’s a risk.
- Inadequate liability or property insurance.
- Data breach (as opposed to general system issues discussed above).
- Lack of a backup production site.
- Power outage.
- Dependence on one key piece of machinery.
- The shaky bridge a mile down the road that leads to the interstate that is your main route for deliveries.
- Changes in industry/government regulations.
- Changes in tax laws if you are taking advantage of something relevant to your business/industry.
You can see where I am going with this. It could be almost anything. You should survey your entire organization to get people’s thoughts on the risks they perceive. You may be amazed at the things “Management” hasn’t considered. You should do an occasional review of the things that could have a material negative impact on your business and plan how to deal with them. There are some you may not be able to insure against, but it is best to identify these.
Now is a good time to assemble your team and review your current plan or start putting one together. It is just like insurance, because while you may never need it, you will be very happy you have it and may very well avoid a costly disaster.