Organizations are faced with a variety of threats and vulnerabilities, and these continue to evolve. Business disruptions can include natural disasters such as floods, fires, hurricanes, and power outages. Since 9/11, the threat of man-made disasters such as terrorist attacks has taken on a sense of urgency as well. The increase in metropolitan population density further exacerbates the threats posed by both natural and man-made disasters. Although business-continuity planning and disaster-recovery planning are now generally recognized as vital, creating and maintaining a sound plan is quite complex.
Disaster recovery planning addresses the prospect that a disaster might interrupt an organization's business operations. Whether an organization is for-profit, nonprofit, or governmental, the need to mitigate disaster risks has become especially salient.
Disasters can come in many forms and sometimes last indefinitely. The 2002 Disaster Recovery guide lists many types of disasters and the categories they fall under, such as:
- Labor disputes
- Power failure
- Air conditioning failure
- Production line failure
- Cooling plant failure
Information Security Incidents.
- Cyber crime
- Loss of records or data
- Disclosure of sensitive material
- IT system failure
Certain conditions define a disaster in relation to business interruptions. Charlotte Hiatt's A Primer for Disaster Recovery Planning in an IT Environment lists some of these conditions, observed in organizations going through a time of crisis. Surprise and insufficient information are, of course, natural characteristics of a disaster. There is also an uncontrollable, escalating chain of chaotic events and a loss of control in key areas of the organization. A sense of keen scrutiny from outside the organization is also common, leading to several behaviors found in disaster environments, such as siege mentality, panic, and short-term focus.
Hiatt divides disasters into three different categories for businesses. The first category is composed of low-risk incidents. These events do not seriously injure anyone and cause only minimal disruption of the organization's systems. The second category is the moderate risk incident. In these incidents there are serious injuries, many minor injuries, and damage of assets and facilities. The ability to conduct business is severely hampered for a time.
Employee distress is moderate. The last category is the high risk incident. These incidents cause widespread death, injury, and severe damage to facilities, and are the most likely to impact the media and the company's investors.
DISASTER RECOVERY AND BUSINESS
A business impact analysis helps management to understand the criticality of different business functions, recovery time required, and the need for various resources. The question of which corporate functions receive top priority should be addressed. In selecting a strategy to protect the organization, cost-benefit comparisons are made with regard to the effects of doing without various services and functions (e.g., call centers, production locations, proprietary data) at specific points in time, and developing plans for optimum recovery periods for each service and function.
A central office failure brought about by a fire or power outage can also affect trading operations. Redundancy (including back-up sites and additional staff and technologies) is recommended, albeit expensive. An additional risk is that an entire network (such as a cell-phone network) might go down. Jay Pultz, research vice-president at disaster and business continuity consultancy firm Gartner, Inc., is concerned that failures will increase because the companies that provide the networks are collapsing their infrastructure to a single backbone, as opposed to separate backbones for the Internet, phone, data, etc.
Companies should be aware that back-up systems can create expenses of their own. At times, the price for backing up necessary information can put a significant drain on the company's resources. Julie Bort, with Network World, reports that contracts for data storage and recovery services can easily reach more than $30,000 a month. Companies are usually willing to spend somewhere between 2 percent and 4 percent of their IT budget on disaster recovery, and this is not always enough to ensure full coverage. Some companies make disaster recovery a much larger priority and budget accordingly.
Organizations that depend on electronic-based information suffer greater losses at the time of disasters, and usually make use of more security options. According to the Joint Commission Resource's 2008 Standards for Long Term Care, a disaster recovery plan for electronic information can include several components. A plan can be based around some or all of the following:
- Procedures for scheduled and unscheduled downtime
- Contingency plans for operation interruptions
- An emergency service plan
- A back-up system (electronic or manual)
- Data retrieval procedures
Oddly enough, smaller businesses have been found to lead many midsize businesses in implementing true disaster-recovery solutions. Small businesses often rely on value added resellers (VARs) for their solutions, and larger firms use internal IT departments. Midsize firms, however, are too complex to be relocated quickly, yet lack the internal staff to restore business processes rapidly, increasing opportunities for VARs to offer business continuity services to this market.
Small businesses have yet another ally in the SBA, or Small Business Administration. The SBA, created in 1953, focuses on aiding small business through such trials as system-crashing disasters. In their 2007 Recovery Plan, the SBA focuses on its intent to help small businesses recover from natural disasters, especially those with widespread effects (such as hurricane Katrina in 2005). With the aid from the SBA, small businesses are often able to recoup their losses from disasters.
APPLICATIONS TO SUPPLY CHAIN MANAGEMENT
Companies involved in extensive outsourcing or exclusive partnerships with suppliers may have more to lose than others. A disaster affecting their supply chain would leave such companies without immediate recourse to resume production.
This “dark side” of supply chain management is discussed in a white paper appearing in a March 2005 issue of Supply Chain Management Review. The authors explore the notion of supply continuity planning, which is a comprehensive approach to managing supply risk. They state that by employing their supply continuity planning model, organizations can guard against a major supply disruption that could potentially delay orders and result in loss of customers.
Whereas companies previously relied on inventory buffers (safety stock, lead times, excess capacity) to protect them, today's competitive environment makes these buffers less attractive. A consequence is that today's lean supply chains are increasingly fragile, or more sensitive to shocks and disruptions.
The authors make a strong case for how devastating disruptions can be by citing several events, including a fire at a factory supplying valves to Toyota, resulting in estimated costs of $195 million; an earthquake in Taiwan, hampering the supply of computer chips and computer demand during the holiday season; a lightning strike at a radio-frequency chip plant in Albuquerque, NM, resulting in a fire, production delays, and the eventual withdrawal of Ericsson from mobile phone manufacturing (because the plant was its sole supplier); and the 9/11 terrorist attacks, resulting in loss of life and loss of information databases.
Based on case studies of four organizations that pro-actively manage inbound supply risk, the authors present a framework describing detailed efforts focused on four major activities: creating system awareness of supply risk, preventing the occurrence of supply disruptions, remediating supply interruptions, and managing knowledge.
In a 2005 Canadian Business article titled “Always Be Prepared,” an expert in enterprise risk presents a series of questions that managers should ask about the firm's state of readiness to continue business after a disruption. For example, does the business even have a plan? Is the plan tailor-made or “off the rack”? Are critical functions the basis of the plan? The maintenance of knowledge management, regular testing of the plan, and supplier preparedness are other important issues.
What should businesses look for when considering a disaster recovery plan? Clearly, a carefully defined procedure should be created, to be followed exactly during a crisis. Employee training and periodic reviews go hand in hand with this preparation. But there are also a number of outside companies and devices that specialize in information storage and recovery. Which sort of protection should a company consider? Laura Buckley, in her article “2008 Trends: Data Protection, Archiving, and Disaster Recovery Challenges,” gives a short, helpful list to consider when looking at data protection. According to her, the appliance should:
- Be easy to purchase, install, manage, and support
- Optimize all back-up systems to meet corporate RTO and RPO requirements
- Comply with regulated retention policies
- Efficiently use media
- Automate daily functions to reduce administrative hours needed
- Provide an adaptable foundation so that newer data protection systems can be built on top of existing appliances
When a protection and recovery system is in place, there are several routines organizations can follow which ensure high quality results. Disaster Recovery Information (DRI) gives three practices that every organization can apply to their disaster recovery program.
First, DRI advises that organizations search carefully for flaws in their contingency plans. Weaknesses and faults should be carefully noted and dealt with. Brainstorming sessions and planned tests are both excellent ways to expose flaws.
Second, organizations should establish a cycle of scheduled tests for the contingency plan. Not only will this make step one easier, but it will provide the company with an opportunity to see itself under pressure. These planned tests should strive to be difficult, so that serious weaknesses can be exposed.
Last, organizations should never expect real disasters to act like their simulated tests. They should prepare for the unexpected, and always act as if the real disaster includes all the possibilities they did not test.
Being prepared for disaster is increasingly essential. The good news for those new to business continuity planning and disaster recovery planning is that information on how to prepare is proliferating. Business continuity and disaster recovery planning software explore the potential impacts of disaster, and underlying risks; constructing a plan; maintenance, testing, and auditing to ensure that the plan remains appropriate to the needs of the organization; and support infrastructure and services.
SEE ALSO Contingency Approach to Management; Lean Manufacturing and Just-in-Time Production; Strategic Planning Tools; Strategy Formulation; Supply Chain Management
Barnes, James C. A Guide to Business Continuity Planning. New York: Wiley, 2001.
Bort, Julie. “Do-It-Yourself Disaster Recovery.” Network World, 2004. Available from: http://www.networkworld.com/supp/2004/ndc5/082304disaster.html.
Buckley, Laura. “2008 Trends: Data Protection, Archiving, and Disaster Recovery Challenges for SMB.” Computer Technology Review, 2008. Available from: http://www.wwpi.com.
“The Business Continuity Planning & Disaster Recovery Planning Directory.” Disaster Recovery World. Available from: http://www.disasterrecoveryworld.com.
Garvey, Martin J. “From Good to Great (Maybe).”InformationWeek, 3 January 2005, 45.
Gerson, Vicki. “Better Safe Than Sorry.” Bank Systems & Technology 42, no. 1 (2005): 41.
Hanna, Greg. “How to Take a Computer Disaster in Stride.”Strategic Finance 86, no. 7 (2005): 48–52.
Hiatt, Charlotte J. A Primer for Disaster Recovery Planning in an IT Environment. Idea Group, Inc, 2000.
Hofmann, Mark A. “Y2K Spurred Continuity Plan That Was Put to Test by 9/11.” Business Insurance 39, no. 16 (2005): 71.
Hoge, John. “Business Continuity Planning Must Extend to Vendors.” Bank Technology News 18, no. 2 (2005): 47.
Hood, Sarah B. “Always Be Prepared.” Canadian Business 78, no. 6 (2005): 61–63.
Huber, Nick. “Business Continuity Plans Eat 35% of Clearing House's Core IT Spend.” ComputerWeekly, 8February 2005, 5.
“Impact and Risk Assessment.” The Disaster Recovery Guide, 2002. Available from: http://www.disaster-recovery-guide.com/risk.htm.
Joint Commission Resources. 2008 Standards for Long Term Care Joint Commission Resources, 2007.
“The Possibility for Disaster.” Disaster Recovery Information, 2007. Available from: http://recovery-disaster.net/it-disaster-recovery/disaster-recovery-threat.htm.
Roberts, John, and Frank J. Ohlhorst. “Disaster Planning Promises Big Channel Profits.” CRN 1130 (2005): 22.
SBA. Disaster Recovery Plan United States Small Business Administration, 2007
Sisk, Michael. “Business Continuity: Still Not Entirely Ready For Disaster.” Bank Technology News 17, no. 12 (2004): 41.
Zsidisin, George, A., Gary L. Ragatz, and Steven A. Melnyk. “The Dark Side of Supply Chain Management.” Supply Chain Management Review 9, no. 2 (2005): 46–52.