Business Continuity Planning

by Ian J. Mise | on Apr 02, 2011

Broaden your company’s disaster recovery plan for optimum success
You only have to watch television, listen to the radio or read the newspaper to realize that virus attacks on individual computers and computer networks are becoming commonplace, and that catastrophic disruptions to business, such as the blackouts that hit the U.S. and Canada in August 2003 and the terrorist attacks of 9/11, are a continuing threat. Disasters can result in large monetary losses, legal issues, loss of customer confidence and, in some extreme cases, a company’s failure. Simply put, in today’s environment, the effect of a long-term operational outage may be fatal to a business.

Don’t Make Recovery Too Difficult
I have watched many organizations make the recovery process difficult, even impossible, because they failed to accept responsibility and plan ahead. While certain organizations take steps to prevent disasters, others ignore the reality that prevention is not always possible. For example, it is difficult to second-guess nature and plan for a hurricane, major storm, or other potential disaster.

Historically, in many organizations, the information technology (IT) department has been given responsibility for providing continuance planning. Consequently, most IT departments have a disaster recovery plan (DRP). Typically, DRPs focus primarily on the restoration of computer resources, with less emphasis on the overall needs of the business supported by those resources. However, a DRP should include more than the backup and recovery of tapes and hot sites. I have also witnessed situations where payroll or human resources incorrectly assumed that someone else (such as IT) handles their entire disaster recovery effort. Only when a disaster or major problem occurs do they realize that the DRP may not cover all the necessary elements.

Making Disaster Recovery More Comprehensive
To prevent problems, organizations need to have a business continuity plan (BCP). This type of plan describes an organization’s procedures to ensure that essential functions can continue during and after a disaster. A BCP helps prevent the interruption of mission-critical services and re-establishes fully functioning plans as quickly and smoothly as possible. A BCP also helps businesses recover assets above and beyond the technology itself. While technology plays an integral role in most payroll operations, the focus of any good plan must be holistic and encompass people, facilities, operations, business applications, processes, and IT systems. Regardless of the disaster, the plan must ensure that the company can return to normal operations as quickly as possible.

Although more organizations are realizing the importance of disaster prevention and disaster recovery planning, many of them are not prepared to develop the full BCP. For many organizations, the time, effort, and cost associated with setting up appropriate plans have often been regarded as an obstacle. A BCP is difficult to justify, given the logistics and cost of conducting a cost-benefit analysis. Complying with the requirements is hard work, while the testing and training components take up a considerable amount of time and resources—the same resources that are needed to maintain day-to-day operations.

Many companies mistakenly view a BCP as an expensive insurance policy they will never need. However, given what we have witnessed over the past few years, disasters of all sizes can happen anytime. Consequently, thousands of organizations had to implement their business continuity plans in order to survive.

Steps for Developing Your BCP
Organizations that have a partial plan in place (i.e. a disaster recovery plan that focuses primarily on technology backups) may be able to produce payroll again within a reasonable period of time following certain types of disasters—but many disasters go beyond the loss of systems. The development of a viable recovery strategy must, therefore, not only be a product of the IT provider’s communications and operations centre services, but it also must extend to the users of those services and staff who have responsibility for both the information and processes. Consequently, a BCP is not concerned solely with information services. Because a DRP focuses exclusively on information technology and services, it remains a major component of any business continuity planning. Keep in mind, though, that disaster recovery is a business problem as much as it is a technology problem. Because a BCP encompasses the entire business organization, it requires senior management approval and support for the planning effort to be successful.

This commitment is necessary to ensure that support resources and funding are available to develop an executable plan. The commitment grants the plan developers the authority to investigate and document areas of the business that might otherwise be denied to them. Business decision-makers need to be involved in establishing priorities. They should address several key questions, including: Which systems are the critical business systems and who supports these systems? Which data are critical, and how are they being protected? What systems are dependent on human intervention? What are the steps to recover the systems?

For some corporations, integrating their technology plan with their business plan is a necessity. For others, computer systems may or may not be critical to their business. The extent to which the business relies on technology will determine the appropriate investment in recovery systems.

Consider a BCP Within the ‘Big Picture’
When developing goals for your BCP, you should focus on:

  • Identifying risks and weaknesses
  • Minimizing the duration of a serious disruption in business operations
  • Facilitating effective coordination and execution of recovery tasks
  • Trying to keep things relatively simple (reducing the complexity of the recovery effort is important)

When you look at disasters from a holistic business perspective, focusing on critical business areas such as payroll, you can quickly ascertain the three common elements in any disaster:

  • Loss of information
  • Loss of access to information and facilities
  • Loss of people

An exercise I recommend is to systematically analyze and determine how you would respond to these losses. For example, in the payroll department, you might evaluate your response to:

  • The loss of payroll files destroyed by fire that were not backed up on any medium
  • The complete shutdown of the computer system, preventing you from accessing files and processing payroll
  • A fire that prevents staff from using the office for an extended period of time
  • The sudden resignation of two or three key staff members critical to the company’s daily operation

Brainstorm to Build Awareness
To answer these and other related questions, hold a brainstorming session with your employees during department or group meetings. Brainstorming builds employees’ awareness of business continuity planning and identifies potential risk areas which are unknown or unappreciated by management.

For example, I recently came across a situation in which an organization discovered that its service provider did not have an adequate backup system in place. Another case involved a company that had one employee handling all of its mission-critical production jobs without anyone else in the organization being aware of the situation.

Let’s revisit the example of the office fire that prevents staff from returning to work immediately. Needless to say, it is not unusual to temporarily suspend business following a disaster. Furthermore, you and your company should understand and accept the fact that two time periods must be planned for after a disaster.

First will be the initial, disorganized, “limited operation” time span. That will be followed by a period of “makeshift operations,” which can be quite lengthy until normal operations resume. Following a physical disaster, the limited-operation time span can extend for up to a week or more, while the makeshift operation time span can last for several months until normal operations are restored. The time span depends on the severity of the disaster and the organization’s state of readiness to respond. In most organizations, payroll is the highest priority. Even when an outside provider handles payroll, there is usually a computer for remote input of the payroll data. So, in the event of a disruption (such as the fire previously described), at a minimum, a backup facility must be in place to access and enter data.

Get Involved and Get Results
When developing a BCP, it is becoming popular to have specific plans that are fully owned by each business unit and developed in conjunction with a core crisis team. Payroll professionals who lead their business units need to be involved with their organization’s BCP. No one can predict when, or if, a disaster will strike. But consider the consequences of not having a BCP in place if one does occur. Clearly, a BCP is critical to a company’s continued success.

Ian Mise is the President and CEO of the LeadingEdge Payroll Group.
