Disaster Planning News   ---  

The United States set a record with 12 separate billion-dollar weather/climate disasters in 2011, with an aggregate damage total of approximately $52 billion, according to the National Oceanic and Atmospheric Administration. That is just continuing the trend of the past 30 years.

These incidents have prompted many organizations to reconsider the human element during a crisis or major news event and evaluate how they communicate with employees, suppliers, investors and customers. Emergency and mass notification systems are designed to help organizations communicate to stakeholders during an incident or disruption. However, in response to the high occurrence of prominent disasters in recent years, the marketplace has been flooded with products to address emergency and mass notification needs. The need to diligently evaluate vendors is critical to ensure that services will meet an organization's specific requirements.

To help you mitigate impact to your core processes, your plan should address three key phases:

• Business Continuity Response - these are the steps you take immediately to sustain your core processes, your primary business priorities
• Disaster Recovery Response - these are the steps you take to extend your core processes indefinitely and address your secondary priorities
• Restoration Planning Response - these are the steps you take to restore your business to its pre
  -incident level

As a result, the cost and complexity of using traditional disaster recovery products to address data replication needs in highly virtualized environments forces many organizations to forego disaster recovery altogether.

And although not possible to avoid all risks, business continuity management (BCM) can minimise the disruption to a business to a great extend, protecting its share price, stakeholder relations, and reputation, among others.

With that said, BCM is a critical strategic function that cannot be neglected by any organisation whatsoever.

Still, managers often neglect charting a strategic course for their company's future survival, which in itself poses a huge risk, seeing that there are many internal and external events that could impact on a company's overall performance, such as:

• the death of the CEO, owner or key staff member
• fire, flood or earthquake damage - this could hamper operations while organisations repair damages or settle insurance claims
• an interruption in the supply chain
• the loss of a major client
• production line failure or breakdown
• failure to stay abreast of technological innovation
• product failure or contaminationinterruption in telecommunications or power supply

These requirements build a basis for using tape for data protection in the mid‐market, in part because of the high likelihood that organizations already use some form of tape in their IT set‐ups. Tape continues to be the preferred home for nearly 70 percent of the world's data. Using tape for DR automatically builds on existing infrastructure and practices, and provides cost‐effective long‐term storage that addresses DR and legal compliance.

RIM's problems raise some important issues for all business continuity managers:

• Successful tests do not guarantee that business continuity strategies will work.
• Holistic business continuity plans need to consider the failure of failover systems and require that strategies are in place to deal with such a situation.
• High availability systems are not a substitute for conventional business continuity and disaster recovery solutions. The latter provide the belts and braces required for total system assurance.

According to RIM the downtime was the result of the failure of a core network switch and then the failure of business continuity processes which were meant to kick-in.

RIM explained the situation in a service message posted on Facebook:

"The messaging and browsing delays being experienced by BlackBerry users in Europe, the Middle East, Africa, India, Brazil, Chile and Argentina were caused by a core switch failure within RIMÂ’s infrastructure. Although the system is designed to failover to a back-up switch, the failover did not function as previously tested. As a result, a large backlog of data was generated, and we are now working to clear that backlog and restore normal service as quickly as possible. We apologize for any inconvenience, and we will continue to keep you informed."

Issues include, failing over to the backup site is a manual process and most systems do not include a mechanism to fail back to the primary site. Getting the primary site back online is a labor- and network-intensive process. Another is that most email systems do not utilize compression, which results in additional network bandwidth consumption.

BlackBerry users in Europe, the Middle East and Africa were unable to use email, BBM and various other services due to a major fault. To inform users of the incident, Blackberry chose to utilize social media, posted a message stating:

"Some users in EMEA are experiencing issues. We're investigating, and we apologise for any inconvenience."

This basic message resulted in a stream of abuse and negative comments, with 2,500+ messages being posted on Facebook alone.

The theme of many of the complaining comments were:

• Questions about when services would be restored;
• Questions about whether Blackberry would provide compensation for the downtime;
• Questions about why Blackberry customer services employees were not responding to comments posted by users;
• Generally abusive comments by people using the incident as a means of venting existing frustrations with Blackberry.

The incident shows that companies need to think very carefully about whether unrestricted social media is an appropriate medium for customer service information. If organizations decide to go down this route, it is critical that messages are not just posted and left; they must be monitored and customer care employees must proactively engage with customer responses.

• How are business departments designed and deployed throughout the company globally?

  

• How are critical functions dispersed through the various locations?

An efficiently run business is always looking at its model and adapting to change -not only within the four walls of the company, but also global changes. As we operate in a flat world, businesses need to consider factors that 20 years ago did not exist to the level they do today. Economic and social changes occurring around the globe on a regular basis force businesses to look at all factors from a comprehensive cost perspective. Business models need to adapt when it becomes disadvantageous being in a specific country. Issues such as unstable governments, civil unrest, devalued currency or inflation that cause the cost point to increase and push the business out of a market, (for example, due to increased salaries and cost of living, or industries that are more favorable drawing on your employee pool). There are many more but the point is the dynamics of change outside of a company can greatly influence the inner workings of that company. And where the company goes, so does business continuity and disaster recovery.

Business continuity and disaster recovery programs must align and adapt with business models no matter how fluid they become, rather than react to those changes once they are in place.

This has been the focus of much of the discussion of continuity planning: how to make data redundant for safety. Typically, this entails a combination of approaches collectively described as defense in depth. Typically, some attention is paid to making data redundant at the transactional level—to protect against the accidental deletion or corruption of a file or database transaction and to enable recovery to a point in time just prior to the event itself. A number of technologies are available for this purpose, and the term Continuous Data Protection (CDP) has become an umbrella concept.

A disaster recovery is a response to a declared disaster or a regional disaster. It is the restoration or recovery of an entire Agent computer. A disaster recovery plan describes how an organization is to deal with potential disasters. Just as a disaster is an event that makes the continuation of normal functions impossible, a disaster recovery plan consists of the precautions taken so that the effects of a disaster will be minimized, and the organization will be able to either maintain or quickly resume mission-critical functions. Typically, disaster recovery planning involves an analysis of business processes and continuity needs; it may also include a significant focus on disaster prevention.

The Disaster Recovery Planning Template (DRP) can be used for any sized enterprise.  The template and supporting material have been updated to be Sarbanes-Oxley compliant.  The complete package includes:

• Disaster Recovery Plan Template
• Business and IT Impact Analysis Questionnaire
• Work Plan

Questions to consider during assessment:

• Could a newly hired IT professional quickly handle the situation?
• Could a remote IT engineer talk a novice through the procedures?
• Could a smart phone web browser provide all needed access to bring your business back online?
• Could all this happen within the RTO and RPO requirements?

In addition to reviewing your Business Continuity Plan, survey your executive team to get a realistic picture of their expectations. You could spend too much time thinking of costly alternatives to cover aspects of daily operations that may not be critical. When doing so, ask yourself and your executive team:

• Specifically, what level of protection is necessary (RTO, RPO, LOS)?
• Which aspects of your companyÂ’s business must stay operational in an emergency?
• Are your physical, as well as virtual servers, protected?

•  Establish BC program lifecycle processes within your organization
• Assess business and technology requirements for a BC plan
• Evaluate business continuity risks to your organization
• Identify and select cost-effective BC recovery strategies
• Organize an effective BC team
• Develop a BC plan document
• Coordinate BC plan with external entities
• Develop an effective test plan for testing the BC plan
• Organize and conduct successful BC plan tests
• Establish a process for maintaining the BC plan
• Implement a BC plan change management process
• Understand the main differences between a disaster recovery plan, emergency response plan, crisis management plan, and business continuity plan

Over 30% of all Disaster Recover Business Continuity Plans are not current according to data gathered by Janco

There are plenty of partial, outdated, or ineffective disaster and business continuity plans out there - why is it so difficult to get it right?

• Data collection
• Data inconsistency
• Categorization
• Manageability
• Maintenance

Almost all good disaster recovery together with contingency plans with developing a good solid backup associated with data. Although systems and applications could be reinstalled and reconfigured, data shouldn't be rebuilt out of thin air. The key to working with a good backup is to check the data is correct and that can be successfully restored. That isn't always as easy because seems. One company had such an issue. Their backup administrator didn't correctly follow procedures and once he thought he was performing a backup, he actually weren't writing anything. When they tried to restore a database, they determined all the tapes were definitely blank.

These show that 94 percent of their customers that invoked their business continuity plan did so due to IT problems, with only six percent accounting for more dramatic incidents such as fire or flood. This means that the day-to-day causes of invocation, such as hardware failure or infrastructure loss, are 15 times more likely to occur than a flood or fire.

The director of Business Continuity and Infrastructure at the company, said: "In our experience, many organizations focus on the likelihood of a major disaster, such as terrorism, extreme weather events, or fire, when deciding to implement a business continuity plan. However, our invocation statistics prove that it is the ordinary and not the dramatic that can also have significant impact."

"In today's just-in-time world, customers are highly transient and the excuse that the IT system is down is no longer acceptable to them. If they can't get what they want, when they want it, they will quickly go elsewhere - every minute the IT is down, customers are lost. Businesses therefore need their IT to be back up and running quickly, and without an effective business continuity plan in place that is an unlikely scenario."

Business continuity managers have to obtain replacement hardware, reinstall operating systems, and reconfigure all software applications. In a traditional DR model, prior to virtualization, all of these processes can be very difficult and timeconsuming since it is essential to restore every setting to exactly the way it was before the disruption.

The decision, issued by NFA's Business Conduct Committee, is based on an NFA Complaint filed and a settlement offer submitted by CMS.

The complaint alleged that CMS failed to implement adequate business continuity and disaster recovery plans and that CMS failed to report all system outages experienced by the firm to its customers and NFA. These outages left customers unable to enter new orders or manage their existing orders. In addition, the Complaint charged CMS with failing to adequately supervise the use of its electronic trading platforms.

NFA Compliance Rule 2-38 requires that 'Members establish and maintain a written BCDR plan to be followed in the event of an emergency or significant business disruption'.

• Minimize downtime: The consequences of extended downtime can be severe, not only in terms of lost business and lost productivity, but even in terms of survival for small organizations.
• Minimize risk: Not having a disaster recovery plan often constitutes an unacceptable level of risk—but simply having a disaster recovery plan in place does not eliminate risk if its reliability is uncertain.
• Control costs: Traditional disaster recovery plans are often limited in scope because of the costs associated with building and maintaining a recovery site, training staff members in disaster recovery processes, testing those processes, and so on.