Common situation?
There is such a thing as business continuity. This field is already quite mature, and its premise is that your business can keep working without incident even after a meteorite hits a data center or office.
Interestingly, in Russia today, successfully implementing disaster recovery plans for a business has a side effect: rapid career growth for whoever proposed and implemented them.
It will be difficult to convince top managers to invest big money in defense against something that is unlikely to happen. To do this, you need to collect an evidence base and, with figures in hand, demonstrate that business losses would be many times greater than the investment in redundancy. The long-established Business Impact Analysis methodology helps here.
In addition to IT, other resources the company needs to operate in a crisis (personnel, office space, production facilities and others) are now often considered as well. The standard “BS 25999-1:2006. Business Continuity Management” crystallized the following definition:
“Business continuity is the organization’s strategic and tactical ability to plan its actions and respond to incidents and disruptions in the normal course of business in order to continue business operations at a certain acceptable level.”
Why do you need DRP or even BCP?
Any company that runs its own business should take care of continuity of operations. Yes, we are lucky to live in a seismically stable area, away from tornadoes, mudflows and volcanic eruptions. But losing customer information to a fire, a flooded server room or a terrorist attack (continue the list yourself) can be no less devastating for a company's business reputation. Even an ordinary loss of power or communication channels can lead to serious financial losses. For a bank, for example, this may turn into panic among depositors, who will rush to withdraw their deposits for fear that their money is about to be lost. This, by the way, is any banker's nightmare.
Moving in this direction will help improve the resilience of IT systems in general. Many technical and organizational solutions work not only for catastrophic failures, but also for the frequent failures of individual systems. As a result, you will sleep more soundly at night.
If, moreover, you work in a bank, then under Central Bank instruction No. 2194-U your employer must have a plan for ensuring continuity and restoration of activities. Quite possibly this document formally exists, but says only general things about IT. Making it specific and filling it out would be a very sound step.
In addition to its main goal, the work of writing DRP plans (IT infrastructure restoration) and BCP plans (everything that is required for a particular business process) allows you to understand your IT systems and business processes. Very often, knowledge is not formalized and lives in the heads of individual experts, while no one has a general understanding, especially in the form of a document.
Today this area is an opportunity for rapid career growth for many, since implementing such projects is not the strongest side of established IT departments. In many companies, the topic of business continuity started to grow precisely at the initiative of IT professionals rather than of consultants working with risks.
Project implementation
Continuity projects have several stages. For best results, it is better to go through them in order, although variations are possible.
1. Business impact analysis and risk analysis. At this stage, the damage from business process downtime is assessed (at least at the level of expert opinion), and the dependencies of each business process on IT, key employees, equipment, communications, etc. are determined. If your project is purely IT-focused, or if your business processes are not documented, you can start from the IT systems rather than from the business processes. This stage also determines which risks will be considered and analyzes how their materialization would affect the business processes.
Example: downtime of a popular social network (or online game) causes sharp panic and an outflow of users, plus growing popularity of competitors. Analysts determine the possible amount of damage and its likelihood, and form a budget for protection. It may turn out that maintaining a backup site with full duplication is several times more economical than even regular failures of small systems causing 2-3 minute downtime.
2. Audit of the current level of protection. Companies very rarely have comprehensive information about the infrastructure (including the information infrastructure) required for daily work. The goal of this stage is to roll up your sleeves, examine everything and understand how protected you are now, where the weak points are, and what to do to minimize the risks. Some of the bottlenecks can be eliminated immediately and without great expense.
3. The third stage involves the development of a continuity strategy: technical and organizational measures that increase the company's preparedness for emergency situations. By the end of it, a reserve office may be rented, equipment purchased, communication channels leased, contracts signed with contractors, and so on.
4. At the fourth stage, continuity plans are written for the business (BCP) or for IT systems (DRP). They contain a clear sequence of steps: who does what, and when, once an emergency occurs. Each specialist should understand exactly what to do and how, instead of running around the office in a panic and calling everyone in turn.
5. Next come exercises on the plans, their adjustment, and the launch of a mechanism for keeping them continuously up to date. Maintaining the company's preparedness for an emergency is an ongoing process. Plans should be updated each quarter, and it is desirable to conduct exercises every six months. Only if these two conditions are met will all your efforts pay off when the problem happens.
It happens
How to start and what to strive for?
- Learn the fundamentals. This field has a mass of its own terms and approaches, and their exact meaning may not be obvious "in terms of banal erudition." To move on to the second step, you must understand exactly what you want and speak the same language as industry specialists.
- Bring the idea to senior leadership. Without their support, the idea is doomed to failure. Spend a few hours, days or weeks conveying to the leadership, very clearly and vividly, what consequences catastrophic failures can have, preferably expressed in numbers. A rough estimate is very simple to make: take the annual turnover or profit of some line of business or of the company as a whole. Divide it by 365 and you get a rough estimate of the lost profit per day of downtime (provided, of course, that this line of business depends on IT). Direct losses and damage to reputation must be added to this, but that can be done later.
- At this point, or even a little earlier, it makes sense to involve an external consultant. Their experience can be a decisive success factor at the initial stage, when it is easy to be overwhelmed by the number of tasks, people and systems that must be taken into account in the project. But even if the most experienced consultants are involved, you and your team must have a strong desire to complete the project: it will be a long and difficult path.
- Limit the scope of the project. It is better to do it for a few of the most downtime-critical business processes / IT systems than to take on everything at once and not achieve a result.
- Form a steering committee made up of top managers and appoint a professional and authoritative project manager. Ideally, that is you.
- Prepare a realistic project plan. Depending on the size of the organization, the work can last from several months to a year. If your project is expected to take longer, it is better to break it into several sub-projects or limit the scope.
- Attract the best possible experts. In many ways, this requires leadership support. Usually the experts are already fully loaded and need their priorities adjusted.
- Go through all the stages, and under no circumstances skip testing and rehearsing emergency situations in the spirit of "training alarms".
- Regularly update your plans, add new systems to them, and always ask the question “what will I do if this fails?”
If there is interest, I can describe which specific measures achieve 80% of the result with 20% of the work and cost. Simply put, a number of simple actions can prepare a company for an emergency; then, if such a situation occurs (even a not very serious one), you can prevent the consequences and collect data that will help convince management of the need to implement the full process.
And one more thing: if you have examples where thoughtful planning for a “rainy day” really helped, please tell us in the comments.