« Disaster Recovery | Main | How much ‘power’ do you really need? »
22 July 2005
Disaster Recovery and Business Continuity
Posted by at July 22, 2005 03:57 PM
Last week Ateeq blogged about his involvement in a recent business continuity exercise in which he posed several questions "I wonder how many of your institutes have a full disaster recovery plan in place? How many are working on one? Does it include your Library servers, PCs and terminals, etc?" Recognising that business continuity and in particular security is key to most IT strategies this made me wonder if the people who are looking at this area of IT strategy have had the same experience as ourselves.
When we moved to this building 324 days ago one of the first things we started was a complete review of our Business Continuity and Emergency Preparedness Procedures. This soon expanded to be a full review of all our business risks and procedures.
We followed the classical business continuity model of analyse your business, assess the risks, develop your strategy, develop your plan, rehearse your plan.
So armed with this model we started the process of scenario based risk assessments the “what happens ifs”. At each phase we found that there were many things that could be improved to eliminate risks from being realised and applying the “fix as we find” approach seamed like a good start. Little did I know about how much work both physical and mental this would involve and once you find a problem how much it plays on your mind until it is solved.
We started from the outside of the building and worked our way back to the core IT infrastructure. Whether this approach was right I am not sure, maybe starting at each end and meeting in the middle would have been better. But we are where we are and after introducing a whole new Health and Safety policy, the associated emergency procedures, safe systems of work, a planned preventative maintenance programme, a whole new IT policy framework, increasing the resilience of our servers, introducing service monitoring with preventative alerting, full physical perimeter security and surveillance, secure offsite storage of key paper based information (I could go on) we find ourselves far better equipped now than when we started. But we are not there yet and our next course of action will be to start collocating some of our core services in partnership with some market leading hosting companies (but that experience is for another blog entry).
However to get back to the point my experience has been that this process doesn’t and shouldn’t finish, Business Continuity might be the label but it probes in to all areas of the business and every physical nook and cranny contained within it. There are always things that can be done better and we can truly learn from every incident and investigation. But one of my strongest observations has been that unless you actually take the time to look, you never actually see the problems and can walk past, under or over them without even realising and the most common, harmless object can become an incident waiting to happen.
And finally be warned, as you start to look in detail at the risks, as if by magic those risks are woken from their slumber to be realised just before the work begins to remove then. In some cases I’m talking hours, they know you know!!! So plan for the expected and the un-expected.
Trackback Pings
TrackBack URL for this entry:
http://blogs.talis.com/mt/mt-tb.r280.cgi/88
