Organizations, vendors, and practices have created a ready handle for recovery from disastrous harm – Disaster Recovery – with the attendant “Disaster Recovery Plan.” The venerable Disaster Recovery Plan is meant to secure business continuity in the face of disaster. However, security is ill served by this handle, and so too are many of the plans (and associated realities) that fall under it. “Recovery” is reactive, when we should have a plan that includes prevention of disaster. Some measure of prevention is within our internal control, and some lies within our ‘agility’ in sidestepping much of outside disaster’s influence. And we strive to make disaster “transparent” to those whom we serve.
Too, mere “disaster recovery” is often given short shrift in terms of attention, resources, and any sort of test or proof of concept. Many people, particularly Business people, are left to assume their disaster recovery efforts are in place, and will work, when in fact there is no reliable evidence to support this assumption:
“Can you recover from disaster?”
“I guess so – we have a disaster recovery plan.”
Many don’t really know, because there’s never been an event to recover from. But they have a plan. (Place a check in that box. Sleep well.)
Absent are identified, known, and agreed-upon missions, beliefs, values, standards, and tests. Here, again, we’re building awareness.
• Mission will be defined by your requirements for prevention, recovery, subsequent assignments, and exercises. The mission will be associated with a policy, and the policy’s manifestation is achieved through a plan.
• Beliefs include ‘prevention’ as a standard; the understanding of prevention’s true value; those things that need protection according to assessed risk and available resources; and your confidence and control.
• Values support your beliefs – those things valued as necessary for sustenance of business. Values will help establish that which is protected to the best point of prevention from harm. There are also those valued business elements that determine the order of recoveries according to priority.
• Standards establish the degrees, or levels, to which your protection is certified, in supporting preventions. Too, when recovery from damage is made, standards establish a period of time for how quickly full recovery is expected or necessary. Standards can define increments of recovery, and they support the prioritization of the valued business elements through ranking of them.
• Tests will be those simulations of harm that you employ to expose your level of success in preventions, recoveries, restorations, and the employment of identified alternative resources.
You must satisfy yourself (believe) that you can meet your organization’s identified values and standards of business continuity in the face of disaster. These things are necessary in order to provide some assurance that the best efforts have been made according to acceptable risks and available resources.
When we arrive at that place, we find that what we really have is a policy, plan, posture – a mission – for:
Disaster Awareness, Preparedness, and Recovery (DAPR)
To be continued…