How should you approach disaster response and recovery in your organization?
1. Assume failures, disasters, and crises will occur.
- We are human. Therefore, we all have limitations. We can never be perfect.
- When you think you’ve removed humans from a process by introducing automation, you haven’t. Humans are ultimately responsible.
- There is no fail-safe location, method of construction, network, etc.
- If you never connected your IT system to the Internet, for example, your data would not be 100% safe
- Only a fool or a liar will guarantee 100% security and safety
2. Determine where failure is most likely to occur — where your points of failure lie.
- Where is your company most vulnerable? (Thieves, hackers, natural disasters, untrained employees, etc.)
- What are the greatest risks your organization potentially faces?
- Where are you most likely at risk?
- As your company and its environment change, what new vulnerabilities may arise?
3. Determine how likely it is that failure will occur at each point of failure.
4. Consider your points of failure as possibly being interrelated, even interdependent.
- Look for cascading (or domino) effects.
5. Determine the potential impact to the company when a given disaster or failure occurs.
6. Identify where that failure lies on your risk-reward continuum.
- What do you hope to gain by taking certain risks? Is the reward really worth the additional risk?
7. Prioritize failure scenarios. Then, decide where your efforts and resources would be spent most effectively.
8. Determine your disaster response and recovery policies (DR&R policy) and spell them out.
- Get the entire staff’s input. Everyone’s opinion is valuable.
- Ask subject matter experts for their opinions; don’t assume what they say is gospel. No one has an unlimited field of viewor is 100% unbiased.
- Keep your staff informed during the policy development phase.
9. Develop a disaster response and recovery plan as part of your larger business continuity plan.
- Understand the similarities and differences between the terms”disaster response” and “business continuity”.
10. Implement your Disaster Response and Recovery plan.
- Make sure everyone in your organization is aware of and understands the plan.
- Train your employees when they need training — when they start with the company or when significant changes have been made — not when it’s convenient for you.
11. Test your DR&R plan. (“Drill, baby, drill!”)
- Run through “What if?” scenarios — like “What if your mobile phone doesn’t work?” or “What if the exit doors at the bottom of the west stairs won’t open?” — frequently. Don’t assume disaster response and recovery will stick to your carefully crafted script. (They won’t. That’s the one thing you can guarantee.)
- Some points of failure require more frequent testing and drilling. Don’t treat every point of failure or every risk the same.
- Conduct unannounced drills.
- Consider varying the type and nature of testing. Doing the same old thing all the time breeds complacency and carelessness.
12. Continue to improve your DR&R policies and plans. There is always — always! — room for improvement.
The above recommendations are top-heavy on planning for a reason: planning is infinitely preferable to flying by the seat of your pants. Disaster planning and drilling reduce the likelihood of panic and confusion.
Thanks for your time. Let me know what you think.