Fernando Aparicio. Professor. Instituto de Empresa
21 October 2003
A concept that covers a range of terms dealing with recovery of business operations in the wake of disasters, such as fires, floods, hurricanes, earthquakes, power cuts or terrorism.
What are they?
The name Disaster Recovery Plan is given to the document that deals with restoring normal operations after an unexpected incident (disaster); it deals with the technological side of the recovery, i.e. the capacity for restoring information systems to the state that existed before the disaster. By comparison, a Business Continuity Plan would only address the critical business operations necessary to keep the company functioning after such an unplanned incident. The difference between the two intimately linked concepts is that business continuity involves greater urgency. It takes care of reestablishing - in the shortest time possible - the minimum operational requirements so the company can provide services to clients and users.
What are the implications for the company?
Like any event that affects the firm’s situation, it requires the leadership of general management and a clear definition of its role. Nonetheless, as is normal for everything related to investing in security, boards of directors tend not to grant special priority to handling a one-off situation - with an indeterminable probability of occurrence and barely any chance of a return on the investment - until they find themselves bleeding from a gaping wound. The tectonic situation in California, hurricanes in Florida or events such as 9-11 have made Americans the world reference for considering the importance of having adequate contingency plans. In Spain, just ask the state airline, Iberia, after the recent electrical fire in its control system, whether it is better to weigh these questions before or after they happen.
A study at the University of Minnesota divided businesses into sectors, according to the maximum length of time a firm could be out of action without endangering its survival. The two extremes were the insurance sector (five to six days) and the financial sector (two days). All other sectors studied (manufacturing, industrial and distribution) were situated between these two. An obvious conclusion of this survey is that, if an event could lead me to bankruptcy within a couple of days, I’d better plan for an appropriate response. And the principal objective of any business continuity plan is simply to survive in the face of this kind of situation.
Moreover, as in any plan that affects all company departments, participation of all personnel is required. They should be organized into teams that share emergency duties in the event of an incident. Every department must participate in drawing up the plan, both in prior analysis of the impact a disaster might have, and when participating in testing that plan.
Typically, questions involved when analyzing impact on the business include classification of the business's critical resources and processes, and the period of time within which they must be restored before losses reach a significant or unacceptable level. Evidently, the results of this analysis have repercussions for the costs of the plan, as a shorter recovery time will require greater investment to ensure effective reestablishment of normality.
Analysis of the impact of disasters on business requires, for appropriate prioritization, classification of all information assets. Categories used generally range from critical (those functions that cannot be performed unless they are replaced by identical capabilities) to non-critical (those that may be interrupted for a prolonged period at little or no cost). There are also intermediate states, such as vital or sensitive, where functions may be performed manually for a short period and at an acceptable cost level.
In today’s organizations, more prolonged and costly interruptions generally require recovery alternatives at a different venue from the primary location, in such a way that the habitual critical processes may continue - ideally without clients even being aware of the disaster. When choosing these processing alternatives, several options exist, with significant cost variations among them. They are known as hot sites, warm sites or cold sites, according to the degree to which compatible hardware and software elements, facilities or redundant telecommunications connections are available which permit continuity of critical business operations. Recovery times, according to the option chosen, may range from several hours to several weeks.
Other alternatives, more feasible on paper than in practice, include the possibility of establishing a reciprocal agreement between similar companies for providing mutual processing assistance in the event of an emergency. While this is the least expensive alternative, in practice the differences in system configurations usually pose serious compatibility problems.
Science fiction? Overprotection of information at over-the-top cost? As the financial and telecommunications sectors know only too well - being habitual sufferers and, as such, those which spearhead contingency plans - prevention is certainly cheaper than cure, and a well-designed and tested contingency plan may prove to be the only guarantee of survival. Why not ask yourself how much leeway you would give your bank if it could not guarantee an immediate restoration of its service?