DISASTER RECOVERY FOR BUSINESS & COMMERCIAL ENTERPRISES
It is vital that any organization takes the development
and maintenance of its Disaster Recovery Plan (DRP)
seriously. It is not a task that can be left until someone
finds enough time to deal with it. A serious incident can
occur at any time.
PLANNING
If a DRP does not already exist, it will be necessary to
initiate the preparation of the first version of such a
plan. In order to initiate a planning project for the first
time, the Board and/or top level management would normally
receive a proposal.
Projects as important as DRP development should be approved
at the highest level to ensure that the required level of
commitment, resources and management attention is applied
to the process.
The proposal should present the reasons for undertaking
the project, and could include some or all of the following:
o Increased dependency by the business over recent
  years on computerized production and sales delivery
  mechanisms, thereby creating increased risk of loss
  of normal services
o Increased dependency by the business over recent
  years on computerized information systems
o Increased recognition of the impact that a serious
  incident could have on the business
o Need to establish a formal process to be followed
  when a disaster occurs
o An intention to lower costs or losses arising from
  serious incidents
o Increased likelihood of inadequate IT and information
  security safeguards
o Need to develop effective back up and recovery strategies
  to mitigate the impact of disruptive events
o Avoidance of business failure from disruptive incidents
Having obtained the full backing of the organization, the
person or team developing the plan needs to prepare carefully.
A good start is to create a list of all necessary documents
and information. Where this includes documents containing
sensitive information, care must be taken to ensure that
confidentiality is not compromised.
The disaster recovery plan should include a descriptive
list of the organization's major business areas. This list
should rank the areas in order of importance to the overall
organization.
Each item should include a brief description of the business
processes and main dependencies on systems, communications,
personnel, and information / data.
Useful documents and information to help you create your
disaster recovery plan could include the following:
o Organization chart showing names and positions
o Existing plan (if available)
o Staff emergency contact information
o List of suppliers and contact numbers
o List of emergency services and contact numbers
o Premises addresses and maps
o Existing evacuation procedures and fire regulations
o Health and Safety procedures
o Operations and Administrative procedures
o List of professional advisers and emergency contact
  information
o Personnel administrative procedures
o Copies of floor plans
o Asset inventories
o Inventories of information assets
o IT inventories
o IT system specification
o Communication system specification
o Copies of maintenance agreements / service level
  agreements
o Off-site storage procedures
o Relevant industry regulations and guidelines
o Insurance information
Functional areas to rank within your disaster recovery
plan could include the following:
o E-commerce processes
o E-mail based communications
o Other on-line real-time customer services
o Production line
o Production processes
o Human resources management
o Information technology services
o Premises (Head Office and branches)
o Marketing and public relations
o Maintenance and support services
o Quality control mechanisms
o Customer service handling
o Sales and sales administration
o Finance and treasury
o Research and development activities
o Accounting and reporting
o Strategic and business planning activities
o Internal audit
IMPACT AND RISK ASSESSMENT
A major part of the disaster recovery planning process is
the assessment of the potential risks to the organization
which could result in the disasters or emergency situations
themselves. It is necessary to consider all the possible
incident types, as well as the impact each may have
on the organization's ability to continue to deliver its
normal business services.
This can be complex and demanding. A number of tools are
therefore available to assist in this area. The most
widely known of these is COBRA, which employs a method aligned
to various international standards.
The science of risk assessment is currently beyond the
scope of this portal, but hopefully the information presented
below may give you some insight into this task and some
guidance in terms of what is included.
THE THREATS
Part of the risk process is to review the types of disruptive
events that can affect the normal running of the organization.
There are many potential disruptive events and the impact
and probability level must be assessed to give a sound basis
for progress. To assist with this process the following
list of potential events has been produced:
Environmental Disasters
o Flood
o Snowstorm
o Drought
o Earthquake
o Electrical storms
o Fire
o Subsidence and Landslides
o Freezing Conditions
o Contamination and Environmental Hazards
o Epidemic
o Tornado
o Hurricane
Organized and / or Deliberate Disruption
o Act of terrorism
o Act of Sabotage
o Act of war
o Theft
o Arson
o Labour Disputes / Industrial Action
Loss of Utilities and Services
o Electrical power failure
o Loss of gas supply
o Loss of water supply
o Petroleum and oil shortage
o Communications services breakdown
o Loss of drainage / waste removal
Equipment or System Failure
o Internal power failure
o Air conditioning failure
o Production line failure
o Cooling plant failure
o Equipment failure (excluding IT hardware)
Serious Information Security Incidents
o Cyber crime
o Loss of records or data
o Disclosure of sensitive information
o IT system failure
Other Emergency Situations
o Workplace violence
o Public transportation disruption
o Neighbourhood hazard
o Health and Safety Regulations
o Employee morale
o Mergers and acquisitions
o Negative publicity
o Legal problems
Although not a complete list, it does give a good idea
of the wide variety of potential threats.
REVIEW & MAINTENANCE
Performing a regular review and audit of your contingency
and back-up arrangements is nothing short of due diligence.
It is essential for your assurance - to help ensure that
you are able to withstand and recover from a major incident.
As obvious as this is, it is a fact that many organizations
rarely if ever perform such a review. This is not a good
short cut to take!
AWARENESS
It is good practice for the organization's Board or Governing
Body to demonstrate a clear commitment to establishing and
maintaining an effective disaster recovery planning process.
All management and staff should be informed that a disaster
recovery plan is required in order to ensure that essential
functions of the organization are able to continue in the
event of serious adverse circumstances.