features the organization needs to consider
and address; even if the organization’s
plan is to initially document the needs and
goals, develop a road map to achieve the
goals, and construct mitigation plans to
ensure continued operations can be maintained until those recovery features can be
addressed.
This is where the planning and effectiveness of an organization’s BC/DR program come into play: to identify from the
outset the comprehensive recovery and
continuity needs of an organization, and to
bridge the gap between what is needed, what
is expected, what is wanted, and what is
delivered, to ensure the organization’s BC/DR needs are met.
Isn’t one the same as the other?
Where does business continuity stop
and disaster recovery begin? Having a
strong DR program does not guarantee
a successful BC program and vice versa.
Each program covers its own critical
unique need, its own distinct set of deliverables and responsibilities, and is equally
necessary to the operational recovery of an
organization in a disaster or other impacting event.
Breaking down to the simplest components,
borrowing from the project life-cycle
methodology where requirements
can be defined as the “what” and design
is the “how,” business continuity could
be described as the “what” and disaster
recovery as the “how.”
Business continuity will help define
from the organizational level on down,
what needs to be recovered and what
needs to be available based on business
critical need in the event the organization,
its systems, and/or its people are not available
due to a disaster or an event preventing
business operations.
Disaster recovery will document and
deliver systems to be recovered at time of
disaster based on business critical need,
develop how and when the systems will
be recovered, and ensure through proper
design, equipment implementation, documentation, review, and testing that systems and services can be recovered and
made available as designed.
Business continuity and disaster recovery programs working together can ensure
operational needs are identified, strategies
are clearly defined, solutions are delivered,
and roadmaps and mitigation plans
are established to bridge operational gaps,
in order to keep the business continuity and disaster recovery programs of the
organization effective and in alignment with
each other.
What happens when fast isn’t fast enough?
Let us say the RTO for a
system or business process has been established; for example, a two-hour RTO from
time of disaster is in place. Now a business stakeholder steps up and declares that
due to the critical nature of said system or
process, two hours is too long, availability needs to be immediate. At this point
coordination and communication are key.
Trying to resolve this need by operating in
a vacuum is a recipe for disappointment or
failure.
Depending on the architecture design,
the system or process may be able to be
designed for automatic or near-automatic failover. If additional hardware, licensing, re-design, or other features need to be
acquired to achieve the goal, these requirements need to be identified and communicated up front for consideration.
If a human element needs to be involved
in its recovery or failover, achieving
immediate or near-immediate system
delivery may be problematic or not realistically achievable. Again, in this instance,
work with the stakeholder and/or organization and impacted user group to define
what the need is, identify what is needed
to achieve the goal, and identify the gaps if
the goal cannot be achieved. This allows
them to build a road map to achieve the
goal if it is not acted on today, and mitigation
plans to continue operations during the
interim.
Oftentimes, these types of decisions
need to be made, with full transparency of
information, by the organization’s leadership, especially if the decision is driven
by investment of capital expense versus
operational risk.
All dressed up and nowhere to go
This is the point where separation may
occur between need and delivery. In
BC/DR program solution delivery there
are three core questions. The answers to
the questions may not be the same for all
three.
• What does the organization need (based
on environment, business impact and risk
analysis, system reviews and prioritization,
and other considerations)?
• What does the organization want (what
is the selected solution, what does the
organization choose to address, or choose
not to address)?
• What can the solution provider deliver (are
there services or solutions that are outside
the delivery scope of the solution providers)?
Through the due diligence of an organization, the determination may be made
that what is needed for full BC/DR readiness is greater than what it wants to or
chooses to invest in at a given time. Needed
but non-critical legacy systems, or a critical system whose cost may be greater than
what the organization wishes to spend at
this time, may be services that are needed but not
wanted at this time.
On the solution provider’s end, the
organization may desire hardware,
services, or technologies that are not part
of what the provider currently offers.
When everything needed for BC/DR
program readiness for an organization is
not implemented, the organization should
not lose sight of the big picture. Road maps
for the work still needed, and mitigation
plans to ensure continued business operations, should be created to bridge the time
and operational gaps until those services
are in place.
Are we there yet?
The opinion has been voiced that a BC/DR
program may reach a level of
steady-state maintenance mode. Is this a realistic
point of arrival, a utopian ideal, or might it
be posturing by an organization in preparation to justify cutting back on BC/DR
spending?
The most direct answer may be ... as long
as the organization is growing, then the BC/DR
program is growing. As the organization, its technologies, people, and services
continue to grow and evolve, the organization’s BC/DR programs need to adapt to
provide the proper support and protection
or else run the risk of losing effectiveness
and true readiness in a disaster.
Jeff Garrison is founder of Disaster
Readiness Solutions, specializing in disaster
recovery preparedness from boutique recovery strategies to enterprise-wide solutions.