Disaster recovery is the process of rapidly recovering business operations in the event of a business interruption. The disaster recovery team of an organization is responsible for ensuring the safety, health, morale and welfare of all personnel involved and for limiting the loss potential associated with financial operations, its reputation and service provisions.
The recovery procedures of a business process recovery team are as follows:
- Restore operations according to outlined objectives.
- Maintain the integrity, accuracy and availability of vital data by following the procedures contained within the disaster recovery policy.
- Interface directly with the recovery operations management team and relay all necessary information to enhance the recovery effort.
- Provide updates to the recovery operations management team to prevent operations from being compromised or terminated for any reason.
- Restore impacted business functions to a permanent location when directed by the recovery operations management team.
The Disaster Recovery Audit Assessment
The disaster recovery audit, also referred to as an IT audit, is the act of collecting and then evaluating information regarding an organization’s information systems, practices, procedures, operations and governance. Typically, the internal auditor evaluates the collected information to assess whether the information systems are sufficiently protecting assets, maintaining data security and functioning as intended to ensure that the business can meet its objectives.
As an example, a review of a healthcare clinic may find that while clinical care would continue after a significant disruption (provided the facilities remain intact), organizational impacts from an absence of data, systems and business resumption planning should include:
- Potential degradation in the quality of care due to the inability to access medical records in a timely manner and communicate between departments and other healthcare resources
- Temporary losses and/or significant delays in executing patient billing and collections processes
- Significant delays in the ability to execute employee payroll
With this information, the clinic is better prepared to meet the challenges of a disaster; mitigate the degradation of its quality of care; prevent delays in billing, collections and payroll; and, in essence, have faith in its business continuity.
Business Continuity Management Defined
Business continuity management (BCM) is the development of strategies, plans and actions that provide protection or alternative modes of operation for activities or business processes which, if they were to be interrupted, might otherwise bring a seriously damaging or potentially fatal loss to the enterprise. It is a companywide process that consists of three key components as follows:
- Crisis management (including crisis communications)
- Business process recovery planning
- IT disaster recovery planning
BCM focuses only on critical business processes that have material impacts on the organization, not on all business processes and functions. These critical processes should be planned for and recovered within a realistic recovery window. BCM is not a one-time event but rather a scheduled process. It should occur on its scheduled cycle at a minimum, and more frequently if significant business processes or structures change.
Becoming an Optimized Organization
In an optimized organization, management processes, such as BCM, are performed at an optimal level with best practices in full use. This accomplishment is surely something to be proud of and, thus, should be advertised both internally and externally as a competitive advantage. At a high level, BCM drives strategic goals and internal efficiencies. It is comprehensive and organizationwide, while its processes are strategically aligned with objectives and customer expectations.
It helps to ask the following four questions when evaluating the strength of the BCM process:
- Does the business consider business continuity planning (BCP) in the overall business strategy?
- Does the organization have a defined business impact analysis (BIA), which identifies all business processes critical to the organization and the resources that support those processes? Critical processes are those that management considers significant to the mission of the business and that the business cannot afford to operate without after a given period.
- Has the organization defined strategies for recovering the IT resources that support critical business procedures? Are proper IT policies and procedures in place?
- What is management’s assessment of the company’s ability to resume business operations in the event of a disaster?
BCM provides both long- and short-term benefits throughout the organization. It improves the availability of infrastructure, facilities, equipment, critical IT applications, data and communications. It strengthens the security of facilities, IT assets and processes by ensuring that all, and only, authorized personnel have access to facilities and information assets consistent with their legitimate business needs, and it helps to ensure the continuity of critical business processes and IT systems.
A disaster recovery policy should never be considered finalized. Why? Because the policy should be a living and flexible work in progress. You will always be faced with changes in the capital markets, economies, legislation, regulatory issues, competitive forces and Mother Nature. Thus, the number and intensity of both systemic and idiosyncratic risks faced by an organization are continuously in flux.
Once you have formed a disaster recovery team and have written and implemented your disaster recovery policies, you should implement regularly scheduled reviews and updates, at least annually, as well as ad hoc, should anything materially change that may affect your risk profile – be it an acquisition, change in management, new regulations or physical threats to your assets (e.g., weather).
Your Disaster Recovery Journey: Where to Start
Whether you have fully implemented a disaster recovery policy or are just beginning the process, you would benefit from having a central hub for information about disaster recovery. It can be a daunting task to keep up to date with the many tools, tasks and guidelines for implementing a set of disaster recovery policies and procedures.
Here are some examples of KnowledgeLeader’s tools, training and best practices specifically focused on disaster recovery.
Policies and Procedures/General
Perhaps the most important feature of implementing any company strategy is the use of policies and procedures. For example, the Disaster Recovery Team Policy provides guidelines and standards an organization can follow when creating and improving its disaster recovery plans. Sample procedures include restoring operations according to outlined objectives; maintaining the integrity, accuracy and availability of vital data through the utilization of the procedures listed; interfacing directly with the recovery operations management team and relaying all necessary information to enhance the recovery effort; and providing updates to the recovery operations management team to prevent operations from being compromised or terminated for any reason.
Policies and Procedures/Specific
Within the topic of disaster recovery, we provide a Firearms, Weapons and Explosives Policy, important for both domestic and internationally based businesses in light of global terrorism and war-strained regions. This sample policy outlines a set of procedures to maintain a safe working environment for all employees and affiliates. It states that the possession of firearms, weapons and/or explosives is prohibited at the company. Employees are forbidden to bring firearms, weapons and/or explosives into the company, onto company property, or into any other company facility (including employees who have a permit to carry a concealed firearm/weapon). It can be used as a general guide to understand and review a firearms, weapons and explosives policy.
The Business Continuity/Disaster Recovery Program Assessment Report is a sample audit report that focuses on whether an appropriate enterprisewide governance structure is in place to manage the ongoing development, enhancement and maintenance of business continuity and disaster recovery programs. The assessment includes an organization’s in-scope tier-one systems to determine if they have appropriate IT recovery strategies and plans in place and whether the strategies are aligned with business requirements.
Checklists and Questionnaires
We offer several tools, including checklists and questionnaires, to guide and assist users when implementing and refining their disaster recovery efforts. An example of a questionnaire is the Business Continuity Management Self-Assessment Questionnaire, a high-level self-assessment checklist for use by an auditee prior to a review of the business continuity management process. It allows the auditee to inform internal audit about the controls and processes they employ, and it also gives the auditee ideas about other controls and processes that may be appropriate.
One of many checklists is the IT Disaster Recovery Plan Assessment Checklist. It asks the following questions: Has the plan or decision to develop a plan been discussed and approved by executive management? Has the objective of the DRP been formally defined and documented? Has management reviewed all legal, regulatory, statutory and contractual requirements for disaster recovery planning? Has an owner(s) been given responsibility for the development and maintenance of the plan?
An example of a newsletter addressing disaster recovery is Intersecting Risk Management and Crisis Management. A key point we raise is that we often think, “What happened to them can’t happen to us.” Well, it can. Because most organizations are unprepared for a crisis, it is a management imperative to build a rapid-response crisis management capability for sudden and unexpected high-impact, high-velocity and high-persistence events. This issue stresses the importance of being prepared early for a potential crisis, which can improve an organization’s ability to respond to a crisis; reduce damage to a company’s brand image and reputation; and minimize regulatory sanctions, penalties or fines.
Our blog contains ongoing contributions to the study and process of disaster recovery. One example is How to Successfully Optimize Your BCM Program. This blog post delves into the key features of business continuity management, real-life examples and pertinent questions to strengthen the BCM process.
Another blog entry is Natural Disasters: How to Efficiently Leverage Lessons Learned, particularly important today in light of extreme weather events and climate change. Disasters are occurring globally that can cost lives; destroy buildings; and shut down electrical power, communications, transportation and other services. Considering the extreme weather events that have happened in recent years, the probability of a business being affected by a natural disaster seems high, and the potential impacts are also increasing.