Over the years, I've talked to hundreds of companies about disaster recovery (DR) and business continuity planning. A common thread has emerged from all these companies: When executive staff is involved in business continuity planning makes sure the plan is regularly tested and updated, IT staff can have confidence that it can weather almost any event.
I find It can be beneficial to review good and bad examples of DR planning. Hopefully your organization doesn't fall into the bad-example category.
A good example of disaster recovery and business continuity planning
A good example illustrates a few key points about executive involvement in disaster recovery and business continuity planning. These include
- A CEO and board of directors that oversee the plan and are involved in its health.
- An executive staff that is concerned about business continuity across all aspects of the company, not just the IT department
- A company that tests and updates its plans more often than once a year.
Let's take a look at these points. I talked to the CIO of a medical supply distributor that had five warehouses across the U.S. The CIO understood the need for DR and business continuity, but it was not something at the top of his mind. The CIO had a different set of priorities, and if left to his own devices, would have regularly postponed the DR testing exercises in order to meet other project deadlines his team was working on. However, the CEO was our model example here. She would check up on each aspect of the company's business continuity testing and review like clockwork. They were schedule to test twice a year, and when it was time, the CIO quickly learned that he needed to do the testing because the CEO was going to ask for the report.
The CEO did much more than just skim over the CIO's DR testing report, she would ask questions about various aspects to dig deeper. Most importantly, she was teaching the CIO the priority that business continuity planning played in their company. But business continuity is not just about the CIO ensuring that the IT equipment can weather a disaster, but that all other business operations and process are also prepared.
This same CEO equally grilled the non-IT aspects of the business about their continuity plans and testing. She would ensure that each business unit and corporate support organization had harmonized their plans and testing. The rigor of her review of the semi-annual testing was not just for the CIO, but also for the head of each business unit and operational organization. After the company experienced an event, and the DR plan worked, its priority changed in the mind of that CIO.
A bad example of disaster recovery and business continuity planning
A bad example illustrates what can happen if the executive staff is not as involved as they should be. I'm not talking about those companies that are doing nothing at all for business continuity planning (there are a number out there), rather, I'm focused on those that think they are planning, but are not really doing it right or completely. Some of the big mistakes include
- The CEO delegates all business continuity responsibilities to the CIO
- The executive staff doesn't understand the difference between business continuity and disaster recovery
- The company places business continuity testing at a low priority. It often gets postponed for more immediate "critical" projects.
A CIO of a large manufacturing conglomerate with factories spread throughout the U.S. told me of their experience during hurricane Katrina. The CEO of this company had assigned the CIO the business continuity responsibilities. The CIO worked with his IT staff to create a DR plan, contract a recovery site and test the plan. All was working fine, or so they thought. When the hurricane hit the Gulf Coast in 2005, one of their large manufacturing plants was flooded and rendered inaccessible and inoperable. They could not contact their employees, they could not pay their employees, nor could they even gain access to assess the damage caused by the hurricane.
The corporate back-office IT systems were all running flawlessly, but the affected manufacturing plant was no longer producing any product and the employees were not accounted for nor getting paid. They looked to the other manufacturing plants around the nation, but none had the capacity or the proper equipment to take on the load of the lost plant. They lost revenue and production contracts due to the outage before they were able to make repairs and get their workforce back on-line.
The CEO and executive staff did not understand the difference between disaster recovery (IT related resiliency) and business continuity (business unit and overall corporation resiliency).
The lessons learned from this disaster were that for the first time, they brought together the business unit leaders to conduct a business impact analysis and complete a full business continuity plan. They built out the infrastructure at their other manufacturing plants to take on limited capacity from any other plant. They outfitted the shift managers with satellite phones, and would give the shift managers updated employee contact lists on a weekly basis to accommodate hourly laborer turnover. They had discovered that business continuity is much more than a disaster recovery plan for IT systems and personnel.
The bottom line is that the business continuity planning responsibility is all about ensuring the financial health of a company. This fiduciary responsibility lies squarely on the CEO's shoulders with board of directors' oversight. DR planning applies to IT systems and is only a part of the overall health insurance of the company, albeit a critical part.
Let us know what you think about this tip. Was it useful? Email Site Editor, Matt Stansberry.
This was first published in August 2008