Leveraging Documentation: In some cases, you may be “rediscovering” knowledge, and this is extremely important. As many of us are painfully aware, there are countless systems out there that were put into place by people long gone from the organization. These are “mystery systems” – the people utilizing them and counting on them hope that they keep working. Often, no one knows how to service them, or how to upgrade them for currency. Perhaps associated vendors and companies have gone out of business, or sold their product to someone else. Maybe you have systems that were developed in-house, and that were never properly documented. Some of these systems’ technical concerns are too complicated to understand in the fast moving environment of the usual business day – imagine trying to recover them following a disaster.
These systems drifted so far off the maintenance map that only through Herculean effort can we bring these systems back into the ‘zone of known’: A nice benefit of DAPR is that it often helps your ongoing business efforts by identifying and documenting all areas so that you have comprehensive, “bullet-proof” knowledge that is independent of employee turnover and other change. Therefore, DAPR should also prevent any business process or system from drifting into an undocumented and poorly maintained state. The DAPR posture and the documentation you build also contributes to content, and its management.
Assessing Risk: Once these key business areas have been ranked, they should be assessed for risk. Risk can influence how you direct your resources, and can even re-order some of your key areas in terms of priority for protection and recovery. You may have an internal business process that is critical, and which, at first glance, occupies a high order on your list for protection, recovery, and resources. However, this process may be in the exclusive control of internal, trustworthy, personnel, within a physical security space. Perhaps equipment and process are in a secure laboratory at a business site. The site may already have “local” departmental control and protection that already makes demands on resources, and which are sized to protection in accordance with DAPR. In this circumstance, the DAPR policy can nod to this condition, and better utilize the organization’s resources elsewhere on the list.
Other conditions may take seemingly lower-priority areas to a greater elevation on the list. Let’s say you’re transferring data on a daily basis to business locations that have unreliable connectivity due to surrounding, relatively undeveloped, infrastructure. Here you may choose to place alternate, backup, means to transport data to these locations. You may employ redundant point-to-point connections that rely on different service providers and transports, for example. In this example, you may allot greater resource to the external business locations than you would have at first surmised necessary – having assumed data-transfers to be “mundane”.
There are other influencers as you develop your plan. For example, you may have a critical business function that is an absolute necessity for business continuity. However, if that process is hosted – that is, if it is being supported mainly by a vendor, at their site – it largely falls under their DAPR-equivalent plan. The continuity of business mission, beliefs, values and standards would translate as a service level agreement (SLA) within your contract with that vendor. That vendor should provide test results, and also conduct any testing in concert with your organization, to your satisfaction. Thus, realize that your DAPR resources will not always weight in direct proportion to risk, or even importance, of key areas. There will be many influencers that will evidence themselves as you plan – another important realization for the need to bring DAPR into focus. Once the organization has a good understanding of how to rank process and systems within the scope of critical business functions, their dependencies, and risks – a definition of the mission will begin to take shape, and an assignment of resources can be made. Resources such as money, personnel, and time must be fairly and proportionately budgeted according to accurate requirements for prevention and recovery.
People: In the review of various organizations’ “disaster recovery” postures, and even when appraising “model” plans on the web, we will notice something curious. Many plans don’t account for the loss of people. Likely, it is because of the simple fact that we don’t like to think about losing co-workers, friends, and other associates. We also don’t like to think about our own risk in this regard. Yet, this omission is surprising, and we should expand on a concept here: People are our biggest challenge, our biggest resource, and, from a pure business perspective, they are a huge investment and a critical asset. We hope that we never lose people, but none-the-less have to plan for their loss – not planning for this contingency would be irresponsible.
Hopefully your organization already has a model in place to “cover” for absences. Vacations, arrivals of new children, emergencies, promotions, dismissals, turnover, all contribute to the necessity for a plan of coverage to essential duties and support of systems and processes. Here again DAPR assists in the normal course of business by helping us to establish an awareness, and subsequent construction of a “weave” of backup. We have personnel who are trained to a necessary degree and who know enough to step in as an alternate “player” to cover absences to positions. In the formal case of the DAPR policy and plan, people know what their duties are regarding recovery, and they know how to shift given specific absences of personnel. Let’s note here that unavailability of personnel doesn’t have to be related to death or injury from disaster. You may find that key people simply cannot reach the worksite due to environmental problems, as an example.
Next: A Plan.