| It
is vital that the organization takes the development and
maintenance of the disaster recovery or business continuity
plan seriously. It is not one of those tasks that can
be left until everyone has time to deal with it. A serious
incident can affect the organization at any time and this
includes the next 24 hours!
The
contingency plan needs to be developed by a team representing
all functional areas of the organization. If the organization
is large enough, a formal project needs to be established,
which must have approval and support from the very top
of the enterprise.
|
One
of the first contingency planning tasks to be undertaken
is to prepare a comprehensive list of the potentially
serious incidents that could affect the normal operations
of the business. This list should include all possible
incidents no matter how remote the likelihood of their
occurrence.
Against
each item listed the project team or manager should
note a probability rating. Each incident should also
be rated for potential impact severity level. From this
information, it will become much easier to frame the
plan in the context of the real needs of the organization.
|
Once
the assessment stage has been completed, the structure
of the plan can be established. The plan will contain
a range of milestones to move the organization from its
disrupted status towards a return to normal operations.
The first important milestone is the process which deals
with the immediate aftermath of the disaster. This may
involve the emergency services or other specialists
who are trained to deal with extreme situations.
The next stage is to determine which critical business
functions need to be resumed and in what order. The
plan will of necessity be detailed, and will identify
key individuals who should be familiar with their duties
under the plan.
|
| Once
this plan has been developed it must be subjected to rigorous
testing. The testing process itself must be properly planned
and should be carried out in a suitable environment to
reproduce authentic conditions in so far as this is feasible.
The Plan must be tested by those persons who would undertake
those activities if the situation being tested occurred
in reality. The test procedures should be documented
and the results recorded. This is important to ensure
that feedback is obtained for fine tuning the Plan.
Equally, it is important to audit both the plan itself,
and the contingency and back up arrangements supporting
it. No short cut can be made here.
|
This
stage is dependent upon the development of the plan and
the successful testing and audit of the plans activities.
It is necessary that all personnel must be made aware
of the plan and be aware of its contents and their own
related duties and responsibilities.
Again, it is important that all personnel take the disaster
recovery planning seriously, even if the events which
would trigger the Plan seem remote and unlikely. Obtain
feedback from staff in order to ensure that responsibilities
and duties are understood, particularly those which
require close dependency on actions being taken by others.
|
The plan must always be kept up to date and applicable
to current business circumstances. This means that any
changes to the business process or changes to the relative
importance of each part of the business process must be
properly reflected within the plan.
Someone
must be assigned responsibility for ensuring that the
plan is maintained and updated regularly and should
therefore ensure that information concerning changes
to the business process are properly communicated.
Any changes or amendments made to the plan must be fully
tested. Personnel should also be kept abreast of such
changes in so far as they affect their duties and responsibilities.
. |
