To be useful, a DRP disaster plan must be updated regularly
Thursday, October 20, 2011
Often a disaster recovery plan (DRP) focuses on preventative actions, with documentation written as a necessary chore to satisfy insurance companies, then filed away, to provide false comfort and no real benefit to the business.
There is also the temptation for management to put its head in the sand and hope that nothing bad will happen. However, as the explosion affecting MI Print showed, the threat of serious disruption exists, and an up-to-date, relevant DRP will have a significant impact on the health or even survival of the business.
Statistics show that a high proportion of companies fail within two years of major disruption, even if the company has appropriate insurance. Fire is the most frequently cited cause of business disruption, but it is only one of the potential dangers. So what can your business do to protect itself?
In line with the best-practice guidelines and BS25999, there are actions that need to be carried out with the preparation of a DRP. Senior management needs to be involved and committed to the project; there should be someone with suitable seniority to be responsible for the DRP, and it should be an agenda item similar to health and safety and human resources.
Stakeholder analysis is essential to identify continuity solutions based on their expectations. Clients are key stakeholders, but stakeholders also include employees, suppliers, shareholders, banks and insurance companies.
A clear understanding is needed of which products and services would, if disrupted, have the greatest impact on your business. The greater the impact, the higher the priority. To do this, calculate the maximum period that your stakeholder can manage without the product. Then map your processes, as this will provide a view of what is needed to get these high-priority services and products to your stakeholders as soon as possible.
What are the risks that could disrupt the key processes of your business? The obvious will include fire, staff illness and loss of access to premises and computer equipment, but there will be others specific to your business. Like any risk assessment, decisions need to be proportionate to the level of action required; this can range from planning a specific response to accepting the risk with no significant action required.
The preparations and actions above are an essential start to the DRP process. Only when these are clearly qualified can the business start to develop the plan. It will show the resource needed and prioritise the areas of the business that are going to require specific and comprehensive back-up. No business can mitigate all of the potential risks that it may face but, by creating actions and implementation plans, you can be confident that you are covering the most important areas.
Drafting the DRP is only the start; you need to continually improve it through review, testing and training. This will ensure that the plan is frequently updated and remains relevant to the business; otherwise there’s little point in having it.
Philip Thompson, head of BPIF Business