“In the last three to four years, organizations have cut back the amount that they are testing and updating their disaster recovery plans,” Janulaitis says. “That’s something they can’t put off. Organizations have to step up and keep these plans up to date.”
For insurers, the responsibility extends beyond operational data and systems, Janulaitis adds. “The real issue in the insurance industry is the statutory reporting that they have to do at the end of the year, and it’s different for each one of the states,” he says. “They have to make sure they don’t lose any of the statistics or data that they need for those reports, or else they have regulatory compliance issues they have to deal with. That’s a mission-critical application for an insurance organization.”
Even among those companies that do plan, disaster recovery and business continuity (DR/BC) plans often fail, Janulaitis says. Based on his experiences, Janulaitis has compiled a list of the 10 most common reasons disaster recovery and business continuity plans fail:
1. Backups do not work.
It does not matter how good a disaster recovery and business continuity plan is if the data is out of date, is in a location also affected by the disaster, or has become corrupted. Perform backups at rigidly enforced, regular intervals to protect information integrity. Test and test again.
2. Not identifying every potential event that can jeopardize the infrastructure and data upon which the enterprise depends.
In addition to the security and network threats: viruses, Trojans, worms, etc., planners need to identify any forces that are unique to their geography. Are their facilities on an earthquake fault, tornado alley, or in a flood zone? Does the region experience frequent power interruptions from storms or rolling blackouts?
3. Forgetting or ignoring the cross-training of personnel in DR/BC.
Businesses often create a DR/BC plan that depends on just a few people. Planners and DR/BC team leaders need to identify and cross-train a pool of employees who are capable of responding in an emergency. It helps if this pool of resources is geographically dispersed in case of a large environmental disaster that affects all local employees.
4. Not including a communication processes that will work when your communication infrastructure is lost.
If the power goes out in a facility and no one is there to report it, will your DR/BC staff be informed? Planners and DR/BC team leaders can arrange with a third-party service provider to monitor your facility and notify a pre-defined set of individuals that are trained to execute your disaster recovery business continuity plan.
5. Not having sufficient capacity and duration of backup power.
If a facility is affected by a widespread environmental disruption, companies may find they are without power for an extended period. Plan to have sufficient fuel on hand to run the back-up generators for more than a week. In addition, purchase the longest-life, most uninterruptable power supply available.
6. Having a recovery plan in place, but not listing priorities of which resources need to be restored first.
Which of an enterprise’s IT applications need to be accessed first? Are there some that can wait a day or two without affecting the business? Planners need to be selective about the order in which applications and services are brought back on-line after a disaster. For example, planners might choose to reactivate your company’s email application before they restore departmental file servers. There may be politics involved in this decision, so make sure planners get buy-in beforehand, to avoid the “me firsts!”
7. No physical documentation of your DR/BC plan.
After creating a plan, DR/BC managers need to be sure that they create detailed “physical” systematic instructions on how to execute the recovery plan. Ensure that every process is well documented. Describe the location of all system resources needed to accomplish the recovery. Be sure to store the documentation at multiple locations and verify that all key personnel have easy access to the manuals.
8. Disaster recovery and business continuity plan that has not been tested adequately.
DR/BC managers need to make sure your recovery plan actually works in an emergency! They should regularly conduct data fire drills to test every possible scenario, from basic power failures to catastrophic events that could result in multiple months of devastation.
9. Passwords are not available to the DR/BC team.
Though password protection is a key goal for data security, DR/BC managers need to store system passwords in at least two geographically separate, secure locations. Make sure that more than one IT staff person has access to all passwords and codes. Change these passwords promptly if key personnel leave the company.
10. Disaster recovery and business continuity plan is not up to date.
Planners should never stop updating the DR/BC plan. Once a plan is created, planners should revisit it at least on a quarterly basis. Establish and document a list of trigger points that should invoke changes to the plan, like personnel, equipment, location or application changes, to name a few.
“If you go back to Katrina, the organizations that did not move their facilities out of New Orleans, very few of those organizations actually survived. The survival rate, if you haven’t implemented a plan, for a small- or mid-sized company is fairly low,” Janulaitis says. “Organizations can’t recover. They’ve lost all of their records, they’ve lost intellectual property, their customer list, their catalogs, and when you have anything that is water or fire related event, you’ve lost the physical devices. If you don’t have a recovery plan in place for your electronic assets, you’re out of business. There is only so much institutional memory that will help your organization survive.”