Disaster Recovery Plan for IT Company

Disaster Recovery Plan for IT Company (DRP)

Introduction

Most of the organizations strive harder to maintain their dominance in the global market irrespective of the stiff competition with the daily changing technology. Day-to-day operations of the business are predisposed to a lot of risks which unfortunately are inevitable. The most important worry is the occurrence of a disaster since it has adverse negative effects. Therefore, most of the organizations develop a recovery plan for responding to the catastrophe upon its appearance. Disaster is regarded merely as a natural or human-made sudden catastrophe that disrupts the ordinary conditions of life and causes significant permanent suffering that exceeds the capacity of its control by the victims (Blaikie, 2014). Similarly, the disaster recovery plan is a business plan that documents how the affected firm can resume to its operations very fast and effective after its hit by a disaster (Oloruntoba et al., 2018). The project involves a lot of strategies and procedures.

Key stages in preparing DRP

Preparing the plan involves five key steps that are very critical for it to be valid and reliable. The stages are as discussed below.

Stage 1: project initiation

Most of the global companies with a highly competitive advantage in the market developed guidelines for disaster recovery.  There is emphasis created on the initiation process being one of the critical stages since it establishes the need for business continuity. It also defines the business project plan and provides management support to the organization. The success and completeness of an organization’s DR strategy highly depend on the initiation process; thus, it must be done effectively (Badewi, 2016). Several factors are attributed towards the initiation of a project:

Securing management support: Disaster recovery planning usually disrupts the ordinary business operations especially when the employees are pulled away from their regular tasks to participate in such activities that do not provide direct revenue to the business. Again, convincing the management to offer support for such a project becomes daunting because they need a robust convincing evidence; therefore, there is a need to speak to them from a business view. For instance, let the management understand that DRP is a tool for disaster preparedness and avoidance and protection of costly losses by due diligence and care. Hence, documenting such business needs plays a vital role in challenging the management to support the projects in preparing for disaster disruptions in the business.

Organizing the planning team: to achieve an active DRP, empowered strategic decision makers in collaboration with business data and process specialists must be involved for a fast recovery process (Speier & Sheman, 2017). Logically, including those who understand the business unit on data and procedures should be considered to be members of the disaster recovery planning, as they can establish more relevant insights in the plan.

Setting up the project management process: The establishment process should meet the fromsl project requirements. For instance, in the organization, an experienced IT project manager proves to help develop a definite and clear DRP process. Regardless of the choice of operation by the project manager and senior management, a kick-off meeting is essential for establishing the DR planning. Usually, the kick-off meeting significantly aligns all the stakeholder’s objectives, creating more familiarity and trust amongst them. Again, the kick of meeting should be inclusive of all the representatives of all parties involved in the project.

Obtaining the required resources: availability of resources is a very critical factor for organizations. In this regards, very many organizations do not have a DRP due to their insufficient funds. Majority of the business executives usually restrict resources for such projects, with assumptions that the risk and costs of a catastrophe cannot justify the costs for establishing a disaster recovery plan with a backup plan for the IT systems accurately. However, such doubts involve effectively communicating and showing that the cost of developing a DRP is lower compared to the real impact on recovery after a disaster. For instance, the IT farm can invest in having a backup set location at least to safeguard their data in case of an emergency. The recovery plan would be more effective and relatively low compared to recovery after the real disaster has destroyed everything since most of the assets and data will be lost.

Developing project objectives: every project must have its goals. Setting specific objectives are the grounds for a disaster recovery plan since the objective ae the guide for the planning team. In the setting of a purpose for the project, the planning team should have a focus on creating context- relevant groups to address the three primary goals of preventing the disaster from occurring, maintaining their preparedness and speed the recovery of the IT systems after the disaster. For example, the objective would be to establish the capacitance to recover time-critical system data within a favorable time frame.

Stage 2: Carrying out a Business Impact Analysis (BIA)

BIA is significant to the organization as it helps in determining the resources that warrant the efforts and expenses of inclusion in the DRP. It also specifies the priority for recovery of each time critical system after a disaster and identifies positive changes that improve service quality or reduce chances of system disruption. BIA plays an integral part in developing a disaster recovery plan. It also involves some key activities;

Information gathering: while carrying out business impact analysis, the main primary ways of obtaining information includes interviews, documents, questionnaires, and research. This activity involves management staff, auditors and DR experts so that only the necessary data are gathered and where the information is stored or retrieved from. The process is always systematic, to bring certainty of accuracy for the intended results.

Identifying the time-critical IT systems: the time-critical IT systems entails the technology within which the business processes depend on. They define the success for every business organization; hence they form part of the big priorities for immediate recovery after a disaster. Enough data should be gathered by the planners to authenticate the systems of their relevance in DR planning. In gauging the time-critical IT systems for the DRP (Meshal, 2016), considering the process that is highly critical in operation is very necessary especially those that attaches to the customer, operational or regulatory matters. Nonetheless, tracking the location of the devices especially hardware, software, and electronic data matters to the company.

Carry out a risk assessment: Organizing for a risk assessment is another vital activity in the BIA. Apart from quantitative information gathering, performing a risk assessment for the plan is vital and necessary. The action demands the planners to meet with key stakeholders in the company to analyze the potential risks that may overlap or hit the company. When a calamity strikes, the impact spreads to every organization, hence assessing the risk the organization is faced with provides a framework for which the DR plan can be based on. The disaster risks in an IT company may involve fire, floods in the server rooms, hurricanes, earthquakes among others that are capable of even pulling down the whole facility. The other risks that cannot be ignored are the utility and communication outage upon the occurrence of the disaster. In regards to risk assessment, some approaches are suitable for the activity. It begins with identifying the potential hazard, then asses the likelihood of each of the disasters identified. It is followed closely by rating the potential impacts on the IT systems in case it takes place on a scale, then evaluating the likelihood values by the estimated costs for the occurrence. Sorting the results in a list with the ones with the highest values is then finally done, and the one with the most top result becomes the most potential risk for the company.

Prioritizing the recovery efforts: prioritizing the recovery efforts after a successful risk assessment make planning more easily. Most importantly allocation of the resource is done based on the priorities given to the recovery of each time critical IT system. Therefore, the team focuses the available resources on the IT systems that are evaluated and proved to be critical putting the company at precarious state. The advantage of prioritizing is that it prevents hindrance on the implementation of the system recovery after disaster outage. The prioritization process also involves some process. The first step is to define the maximum tolerable downtime for every time critical IT system that states how long the business can continue functioning if the system fails. Next is to calculate the recovery time objective (RTO) that depicts how quick the order should be restored. Finally, it’s significant to establish a recovery point objective (RPO) that indicates the amount of data the business is likely to lose permanently from each system in case of a disaster.

Stage 3: Coming up with a Disaster Recovery Plan

A quality precise and strategized recovery plan is an important aspect of DRP. To adequately arrest and mitigate a disaster, the business must incorporate a complete relevant documented disaster recovery plan (Meshal, 2016). Moreover, it’s in this stage that the organization learn on how to respond to the disaster scenes, when to initiate the DR plan, how to recover each IT system and finally who to perform the recovery process tasks. The critical elements of this stage include:

Choosing the strategies for risk management: In managing the risks identified in BIA, the disaster recovery planners must first accept the risk by taking no action, then either transfer the risk to the third party through outsourcing for an insurance cover or reduce the level of company’s exposure to the risk through mitigation by reducing the adverse effects (Trautwein, 2016).

Determining the severity level of the disaster: a disaster may be very destructive or less depending on how it occurs. Determination of the severity of the disaster upon the planners. In this regards the potential failures are identified and categorized then each is given a recovery approach to address the issue. The levels may be in terms of minor, intermediate or significant and each is given its strategy. For big firms like IT, they can categorize farther in terms of the impact of the outage, the number of people affected and recovery time needed. It’s proper for the planning team to develop strategies for each severity level for disaster mitigation or response.

Identifying activation triggers: in an occurrence of a disaster, the team or the company must have a way of declaring an emergency and alarming the staff to activate the disaster recovery action. One method is by identifying core decision-makers in the organization which assembles in the event of a disaster outage and agree on commencing the recovery efforts (Oloruntoba & Sridharan, 2018). An alternative process of declaring a disaster is by identifying a standard set of criteria for evaluating a potential disaster risk. There should also be a checklist criterion for the staff in regards to determining whether or not the DR should be initiated.

Definition and documenting distinct recovery procedures: the primary objective if a company after a disaster outage should be to replace the affected IT systems. For each method, the DR plan should stipulate the recovery process and channel of activities, data restoration, and software installation strategies, the dependencies for each operation and finally the individuals responsible for each event. Separation of the step by step recovery process documentation makes the plan attain its objectives with minor or no revisions that demand critical attention. Apart from the high-level process of recovery, documentation of two additional lists should be done to facilitate prompt communication in a situation of disaster, and the other list for crucial customers who are notified immediately of an interruption due to the calamity.

Selecting a response team member: the success of the DR plan depends on the participants who have accepted to play their role overwhelmingly. Choosing the team member hence should be based on skills and expertise in the disaster recovery. The managers and high-level individuals are most preferable for disaster response teams since they can respond quickly to software and hardware issues and even prevent data loss from the storage promptly.

Step 4: testing the DR plan

Organizations that adopt the DR plan should not wait until the actual event for them to prove their plan; it is likely to fail. Testing can be done prior as an audit tool to validate the application of the DR plan. Some of the key elements considered in this stage include;

Developing a test strategy: it’s a prerequisite that every organization has its test strategy to maximize using testing tools and resources. The critical success factor in DR plan testing relies heavily on the selection of key objectives of the test and the choice of reliable test procedures. The set strategy should cover the scope of the testing process to ensure that the tests will validate the significance of the recovery procedures, sites, and documentation. Besides, the tests are expected to familiarize the individuals with the recovery process, determine the possibility of achieving the RTOs and finally identify any necessary adjustments on the DRP (Supriadi & Pheng, 2018).

Training the recovery staff: the effectiveness of the response team is the key to a successful disaster recovery process; hence all the team members must be included in training and testing. Involvement in the training process can be through recovery testing, seminars, conferences, and any other suitable place, for effective execution of the DR planning and operation.

Performing test procedures: in most cases conducting a test depends on the organization’s culture and preference of the leader. For instance, it can be done spontaneously to depict an actual crisis, or intentional to cultivate a calm and rational implementation. The methods are both suitable and depend on the choice of the firm. There are other tests which are applicable, but for this case, the premediated test would fit better due to the larking damage in case of spontaneous reaction by the staff.

Establishment of the test frequency: due to constant changes in IT systems and business processes, regular testing of is recommended to update the continued effectiveness of the DR plans. Most of the tests are conducted, but it’s prudent to do it semiannually or quarterly basis. In the determination of the frequency of testing, the company must consider some key factors like the cost of performing a test, severity of the identified risks, rate of changes to the processes and IT systems, degree of training necessary for the disaster team, demand by customers and partners and finally the applicable regulatory requirements.

Stage 5: maintaining a DR plan

Due to predominant changes of risk, the business must ensure that it updates its DR plans to match the current business environment. Keeping the project proves to be challenging to most organizations, but establishing an explicit strategy may be a remedy. Some steps ensure that a DR plan is effectively managed, as discussed below.

Identification of a potential source of change: the DR plan is considered to experience compulsory change process due to regular transformation in business and technology. Transformation, in this case, may only occur in five major categories, for instance, technology, corporate, business personnel, operations, and external business environment (Quarshie et al, 2016). Some of the changes may be minimal to a slight revision on specific recovery procedures while others may affect the whole BIA process.

Choosing the change management strategy: change management in a DR plan involves two approaches. The first is continuously monitoring business procedures with expectations of prompt response if a change is needed. The other strategy is by putting a schedule of periodic reviews for business process changes. The need for change can also be instigated by testing the plan or the validation process. In the application of the strategy, changes without impact are ignored but those likely to cause an effect on the DR plan are signaled and given necessary attention. In most cases the planning team is tasked with reviewing change notifications, which witness the delay in responding to changes when necessary, hence having a common strategy of evaluating revisions is more advantageous as it automatically improves the efficiency of the team in amending the disaster response plan.

Maintaining the planning documentation: towards the end of the DR planning initiative, many documents are usually created in regards to the DR plan. The organization should have a policy or strategy of protecting and maintaining such significant reports, especially by pushing for approval by the committee or board members. When a company approves of a change in a DR planning, some critical details are necessary for documentation; they include change description, reasons for the change, the change author, the change version number and the person who approved the amendment (Quarshie et al., 2016). After the change approval, one member of the DR team should review the change and confirm, and his name also to be documented. It is imperative to note that maintenance of detailed recovery process for the IT systems should be done independently by the response team members who are the most likely team to respond during a disaster.

References

• Badewi, A. (2016). The impact of project management (PM) and benefits management (BM) practices on project success: Towards developing a project benefits governance framework. International Journal of Project Management, 34(4), 761-778.
• Blaikie, P. C. (2014). At Risk: Natural Hazards, People’s Vulnerability and Disasters. London: Routledge.
• Meshal, A. (2016). Disaster Recovery and Business Continuity. International Journal of Scientific & Engineering Research,, pp 1-6.
• Oloruntoba, R., Sridharan, R., & Davison, G. (2018). A proposed framework of key activities and processes in the preparedness and recovery phases of disaster management. Disasters, 42(3), 541-570.
• Speier, A. H., & Sherman, R. (2017). Why Is Integrating Emergency Management Essential to Disaster Behavioral Health? Challenges and Opportunities. In Integrating Emergency Management and Disaster Behavioral Health (pp. 73-97). Butterworth-Heinemann.
• Supriadi, L. S. R., & Pheng, L. S. (2018). Business Continuity Management (BCM). In Business Continuity Management in Construction (pp. 41-73). Springer, Singapore.
• Trautwein, C. (2016). Risk, Response, and Recovery. In Official (ISC) 2 Guide to the SSCP CBK, Second Edition (pp. 367-411). Auerbach Publications.
• Quarshie, A. M., Salmi, A., & Leuschner, R. (2016). Sustainability and corporate social responsibility in supply chains: The state of research in supply chain management and business ethics journals. Journal of Purchasing and Supply Management, 22(2), 82-97.