INSTRUCTIONS: All responses must be prepared in Microsoft Word format and uploaded to the appropriate online assignment. Please include your name, course number, week number and assignment name at the top of your submissions.
Read chapters 1, 2 & 3. A good start to creating a disaster recovery plan is to create a list of all necessary documents and information – this is something that you typically create after a risk assessment. Answer each question below with at least 400 words.
Using the company that you work for, thoroughly document a list of all information and/or documentation that you would need as the basis of a disaster recovery plan. If you cannot use the company that you work for, or you are not currently working, feel free to model an existing company or create one for this assignment.
CHAPTER 3
EVALUATING RISK
Understanding What Can Go Wrong
Luck: 1a, a force that brings good fortune or adversity;
1b, the events or circumstances that operate for
or against an individual; 2, favoring chance.
INTRODUCTION
The heart of building a business continuity plan is a thorough analysis of events
from which you may need to recover. This is variously known as a threat analysis
or risk assessment. The result is a list of events that could slow your company
down or even shut it down. We will use this list to identify those risks your
business continuity plan must address.
First, let’s define the terminology we’ll use when discussing risk:
➤ The potential of a disaster occurring is called its risk. Risk is measured by how
likely this is to happen and how badly it will hurt.
➤ A disaster is any event that disrupts a critical business function. This can be
just about anything.
➤ A business interruption is something that disrupts the normal flow of
business operations.
Whether an event is a business interruption or a disaster sometimes depends
on your point of view. An interruption could seem like a disaster to the people to
whom it happens, but the company keeps rolling along. An example might be a
purchasing department that has lost all telephone communication with its suppliers.
It is a disaster to the employees because they use telephones and fax machines to
issue purchase orders. The facility keeps running because their mitigation plan is
to generate POs on paper and use cell phones to issue verbal material orders
to suppliers.
Copyright @ 2011. AMACOM. All rights reserved. May not be reproduced in any form without permission from the publisher, except fair uses permitted under U.S. or applicable copyright law.
EBSCO : eBook Collection (EBSCOhost) – printed on 1/4/2018 10:52 AM via AMERICAN PUBLIC UNIV SYSTEM
AN: 349248 ; Wallace, Michael, Webber, Larry.; The Disaster Recovery Handbook : A Step-by-Step Plan to
Ensure Business Continuity and Protect Vital Operations, Facilities, and Assets
Account: s7348467.main.ehost
Risk is defined as the potential for something to occur. It could involve the
possibility of personal injury or death. For example, insurance actuaries work to
quantify the likelihood of an event occurring in order to set insurance rates. A risk
could be an unexpected failing in the performance of duties by someone you had
judged as reliable. It could be a machine failure or a spilled container of
toxic material.
Not all risks become realities. There is much potential in our world that does
not occur. Driving to work today, I saw clouds that indicate the potential of rain.
Dark clouds don’t indicate a certainty of precipitation, but they do indicate a
greater potential than a clear sky. I perceive an increased risk that I will get wet on
the long walk across the company parking lot, so I carry an umbrella with me. The
odds are that it will not rain. The weatherman says the clouds will pass. I can even
see patches of blue sky between the massive dark clouds. Still, to reduce my risk
of being drenched, I carry an umbrella.
Some risks can be reduced almost to the point of elimination. A hospital can
install a backup generator system with the goal of ensuring 100% electrical
availability. This will protect patients and staff against the risk of electrical blackout
and brownouts. However, it also introduces new risks, such as the generator failing
to start automatically when the electricity fails. It also does not protect the hospital
against a massive electrical failure internal to the building.
Some risks are unavoidable and steps can only be taken to reduce their
impact. If your facility is located on the ocean with a lovely view of the sea,
defenses can be built up against a tidal surge or hurricane, but you cannot prevent
them. You can only minimize their damage.
Some risks are localized, such as a failure of a key office PC. This event directly
affects at most a few people. This is a more common risk that should not be
directly addressed in the facility-wide business continuity plan. Rather, localized
plans should be developed and maintained at the department level, with a copy
in the company-wide master plan. These will be used mainly within a department,
whose members address these challenges as they arise. If a problem is more
widespread, such as a fire that burns out just those offices, all the combined small
reaction plans for that office can be used to more quickly return that department
to normal.
Other risks can affect your entire company. An example is a blizzard that
blocks the roads and keeps employees and material from your door. We all
appreciate how this can slow things down, but if you are a just-in-time supplier to
a company in a sunnier climate, you still must meet your daily production
schedule or close your customer down!
In building the list, we try to be methodical. We will examine elements in your
business environment that you take for granted. Roads on which you drive.
Hallways through which you walk. Even the air you breathe. In building the plan,
a touch of paranoia is useful. As we go along, we will assign a score to each threat
and eventually build a plan that deals with the most likely or most damaging
events (see Figure 3-1).
BUILDING A RISK ANALYSIS
At this point we can differentiate among several common terms. We will begin
with a risk analysis. A risk analysis is a process that identifies the probable threats
to your business. As we progress, this will be used as the basis for a risk assessment.
A risk assessment compares the risk analysis to the controls you have in place
today to identify areas of vulnerability.
The recommended approach is to assemble your business continuity planning
team and perform the layers 1, 2, and 3 risk analyses (see the section below on The
Five Layers of Risk) together. Your collective knowledge will make these reviews
move quickly. Such things as the frequency of power or telephone outages in the
past, how quickly these were resolved, and types of severe weather and its impact
are all locked in the memories of the team members.
FIGURE 3-1: Attributes of risk. (Figure labels: Scope, Predictability, Time of Day, Location, Day of Week, Impact, Likelihood, Advance Warning.)
What Is Important to You?
A risk analysis begins with a written statement of the essential functions of your
business that will be used to set priorities for addressing these risks. Essential
functions could be business activities, such as the availability of telephone service.
It could be the flow of information, such as up-to-the-second currency exchange
rates. It is anything whose absence would significantly damage the operation of
your business.
Most functions of a business are nonessential. You may think of your company
as being tightly staffed and the work tuned to drive out waste. But think about the
functions whose short-term loss would not stop your essential business from
running. One example is payroll. Losing your payroll function for a few days
would be inconvenient, but should not shut your business down. Most people
can’t delay paying their bills for long, so over a longer period of time, this rises to
the level of critical. This illustrates how a short-term noncritical function can rise
to be a critical function if it is not resolved in a timely manner.
Another example is a manufacturing site that states its essential functions as
building, shipping, and invoicing its products. Anything that disturbs those
functions is a critical problem that must be promptly addressed. All other functions
that support this are noncritical to the company, although the people involved
may consider them critical. On a more local scale, there may be critical functions
for a department or a particular person’s job. These are also important to resolve
quickly. The difference is one of magnitude. Company-wide problems have
company-wide impact and must be resolved immediately.
Another aspect to consider is the loss of irreplaceable assets. Imagine the loss
or severe damage to vital records that must be retained for legal, regulatory, or
operational reasons. Safeguarding these records must be added to your list of
critical functions. Included in this category are all records whose loss would
materially damage your company’s ability to conduct business. All other records
are those that can be reproduced (although possibly with great effort) or whose
loss does not materially affect your business.
With all of this in mind, it is time to identify those few critical functions of your
facility. These functions will be broad statements and are the primary purposes
toward which this site works. The easiest way to start is for the top management
team to identify them. Often the company’s Operations Manager has some idea of
what these should be. They would have been identified so that business continuity
insurance could be purchased.
Another way to identify critical functions is for your team to select them.
Based on your collective knowledge of the company, just what are they expecting you
to provide? Another way to think of this is what is the essence of your site’s function?
Some examples to get you thinking:
➤ A factory. To build, ship, and invoice products. This implies that the continuous
flow of products down the assembly line is critical, along with prompt shipment
and invoicing (to maintain cash flow).
➤ A national motel chain call center. To promptly respond to customer calls,
make accurate reservations, and address customer concerns in a timely
manner. This implies that telephone system availability and speed of switching
are critical, along with accurate databases to reserve rooms.
➤ A public utility. To provide electrical service to all the customers, all of the
time. This implies that no matter what other crises within the company are
under way, the delivery of this product is critical.
SCOPE OF RISK
The scope of risk is determined by the potential damage, cost of downtime, or cost
of lost opportunity. In general, the wider the disaster, the more costly it is. A
stoppage to a manufacturing assembly line can idle hundreds of workers, so of
course this is a company-wide critical event. Even a 15-minute stoppage can cost
many thousands of dollars in idled labor. Consequently, a problem of this nature
takes priority on the company’s resources in all departments to resolve the issue.
On a smaller scale, there may be a spreadsheet in the accounting department
that is used to generate reports for top management. If this PC stops working,
work has ceased on this one function, but the plant keeps building products for
sale. The Accounting Manager can request immediate PC repair support. The
problem and support are local issues peripheral to the company’s main function
of building, shipping, and invoicing material.
When evaluating the likelihood of risks, keep your planning horizon to 5 years.
The longer the planning horizon is, the greater the chance that “something” will
happen. Since the purpose of the analysis is to identify areas of concentration for
your business continuity plan, 5 years is about as far out as you can plan for
building mitigation steps. If the risk analysis is updated annually, then 5 years is a
sufficient planning horizon.
Cost of Downtime
Calculating the cost of downtime is critical to determining the appropriate
investments to be made for disaster recovery. But calculating the costs due to the
loss of a critical function is not a simple process. The cost of downtime includes
tangible costs, such as lost productivity, lost revenue, legal costs, late fees and
penalties, and many others. Intangible costs include things such as a possibly
damaged reputation, lost opportunities, and possible employee turnover.
TANGIBLE COSTS The most obvious costs incurred due to a business interruption
are lost revenue and lost productivity. If customers cannot purchase and receive
your product, they may purchase from a competitor. Electronic commerce is
especially vulnerable, because if your system is down, customers can in many
cases simply click on a competitor’s Web site. The easiest method to calculate lost
sales is to determine your average hourly sales and multiply that value by the
number of hours you are down. While this can be a significant value, it is simply
the starting point for calculating the total cost of downtime.
Lost productivity is also a major portion of the total cost of downtime. It is
usually not possible to stop paying wages to employees simply because a critical
process is unavailable, so their salaries and benefits continue to be paid. Many
employees may be idle while the process is unavailable, while others may continue
to work at a much-diminished level of productivity. The most common method to
calculate employee downtime costs is to multiply the number of employees by
their hourly loaded cost by the number of hours of downtime. You may need to do
this separately for each department, as their loaded cost and their level of
productivity during the outage may vary. You will also need to include the
employee cost for those who are assisting with any recovery or remediation
processes once the process is back up. These employees may be doing double
duty once the system is back up, doing their regular jobs and also entering data
that were missed or lost during the downtime.
Other employee-related costs may include the cost of hiring temporary labor,
overtime costs, and travel expenses. You may also incur expenses for equipment
rental for cleanup or for temporary replacement of critical machinery and extra
costs to expedite late shipments to customers.
If the business interruption was due to damages, such as fire or flood, the
direct loss of equipment and inventory must of course be added in. Other
tangible costs may include late fees and penalties if the downtime causes you
to miss critical shipments to customers. You may also incur penalties if the
downtime causes you to miss deadlines for government-mandated filings.
Stockholders may sue the company if a business interruption causes a
significant drop in share price and they believe that management was
negligent in protecting their assets.
INTANGIBLE COSTS Intangible costs include lost opportunities as some customers
purchase from your competition while you’re down and may not return as
customers. You don’t just lose the immediate sale, but possibly any future business
from that customer. You need to calculate the net present value of that customer’s
business over the life of the business relationship. If you have repeated problems
with systems or processes being unavailable, some employees may become
frustrated and leave the company. The cost to replace them and to train new
employees should be considered. Employee exit interviews can help determine if
this is at least a factor in employee turnover.
Other intangible costs can include a damaged reputation with customers,
business partners, suppliers, banks, and others who may be less inclined to do
business with you. Your marketing costs may increase if customers defect to the
competition during an outage and you need to work harder to win back their
business. Calculating the true total cost of an outage is not easy, but it is important
to know when determining the investment necessary to prevent and/or recover
from a disaster.
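The cost-of-downtime calculation described above, worked through as an added example that is not from the book: lost sales, per-department labor cost during and after the outage, other tangible costs, and the net present value of customers who do not return. The productivity share, catch-up hours, discount rate, department names and all dollar figures are assumptions constructed for illustration.

```python
"""Cost-of-downtime estimate. Added example; every figure below is constructed."""
from dataclasses import dataclass


@dataclass
class Department:
    name: str
    employees: int
    loaded_hourly_cost: float    # wages plus benefits per employee-hour
    productivity_during: float   # assumption: share of normal output kept, 0.0-1.0
    catchup_hours: float = 0.0   # assumption: hours per employee re-entering lost data


def lost_sales(avg_hourly_sales, hours_down):
    """Average hourly sales multiplied by the hours of downtime."""
    return avg_hourly_sales * hours_down


def labor_cost(dept, hours_down):
    """Paid-but-unproductive time during the outage plus catch-up work afterwards."""
    if not 0.0 <= dept.productivity_during <= 1.0:
        raise ValueError(f"{dept.name}: productivity_during must be between 0 and 1")
    idle_share = 1.0 - dept.productivity_during
    during = dept.employees * dept.loaded_hourly_cost * hours_down * idle_share
    after = dept.employees * dept.loaded_hourly_cost * dept.catchup_hours
    return during + after


def customer_npv(annual_net_value, years, discount_rate):
    """Net present value of one customer's future business, discounted yearly."""
    return sum(annual_net_value / (1.0 + discount_rate) ** year
               for year in range(1, years + 1))


def estimate_outage(hours_down, avg_hourly_sales, departments, other_tangible,
                    customers_lost, annual_net_value, years, discount_rate):
    """Return a breakdown of tangible and intangible costs for one outage."""
    if hours_down < 0:
        raise ValueError("hours_down cannot be negative")
    sales = lost_sales(avg_hourly_sales, hours_down)
    labor = {d.name: labor_cost(d, hours_down) for d in departments}
    other = sum(other_tangible.values())
    tangible = sales + sum(labor.values()) + other
    intangible = customers_lost * customer_npv(annual_net_value, years, discount_rate)
    return {
        "lost_sales": sales,
        "labor_by_department": labor,
        "other_tangible": other,
        "tangible_total": tangible,
        "lost_customer_npv": intangible,
        "total": tangible + intangible,
    }


# Constructed scenario: a 4-hour stoppage at a hypothetical factory.
SAMPLE_DEPARTMENTS = [
    # Assembly line is fully idle while the process is down.
    Department("Assembly", employees=200, loaded_hourly_cost=40.0,
               productivity_during=0.0),
    # Accounting keeps working at half speed, then re-enters missed data.
    Department("Accounting", employees=10, loaded_hourly_cost=50.0,
               productivity_during=0.5, catchup_hours=2.0),
]
SAMPLE_OTHER_TANGIBLE = {"expedited shipping": 5000.0, "late penalties": 2500.0}


def sample_estimate():
    """Run the constructed scenario and return the cost breakdown."""
    return estimate_outage(
        hours_down=4.0,
        avg_hourly_sales=12000.0,
        departments=SAMPLE_DEPARTMENTS,
        other_tangible=SAMPLE_OTHER_TANGIBLE,
        customers_lost=2,
        annual_net_value=1210.0,   # constructed yearly net value per customer
        years=2,                   # constructed remaining relationship length
        discount_rate=0.10,        # constructed discount rate
    )


if __name__ == "__main__":
    for key, value in sample_estimate().items():
        print(f"{key}: {value}")
```

Running the departments separately, as the text recommends, makes it visible which group dominates the labor cost and where catch-up work adds to the bill after the process is back up.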
THE FIVE LAYERS OF RISK
The impact of risks varies widely according to what happens to whom and when.
Your reaction to a disaster that shuts down the entire company will be quite different
from that which inconveniences a single office or person. When considering risks,
it is very helpful to separate them into broad categories (or layers) to properly
prioritize their solutions. When evaluating risk, we look at five distinct layers. The
layers range from what affects everyone (including your customers) in Layer 1
down to the processes performed by each individual in Layer 5.
The first layer concerns external risks that can close your business both
directly and indirectly. These are risks from nature, such as flooding, hurricanes,
severe snowstorms, etc. It can also include risks from manufactured objects, such
as railroads or airplanes. Risks of this type usually disrupt our customers and
suppliers as well as our own employees.
The second layer examines risks to your local facility. This might involve one
or more buildings—everything at this site. Some of these risks are due to the way
your offices were constructed; some risks are a result of severe weather, etc.
Second-layer risks include those to basic services, such as electrical power and
telephone access to your building. We will also look into issues such as bomb
threats, hazardous material spills, and medical emergencies.
The third layer is your data systems organization. Everywhere throughout
your organization computers are talking through a data network, sharing
information, and performing other functions. In addition to operational issues,
loss of data can lead to severe legal problems. Most data can be re-created, but the
expense of doing so can be quite high. Data systems deserves its own layer, as its
disasters can reach across your company. In most companies, if the computers
stop working, so do the people.
The fourth layer is the individual department. This will drive the main part of
your plan. Fourth-layer risks are the periodic crises we all confront on a weekly basis.
Each department has critical functions to perform to meet its production goals
and weekly assignments. These processes depend on specific tools. Each
department needs to identify the risk that might prevent its members from
performing their assigned work. These risks may not threaten the company’s
primary functions, but over time can degrade the facilities’ overall performance.
The fifth and final layer is your own desk or work area. If you can’t do your job
in a timely manner, it may not stop the company from shipping its products, but
it sure adds a lot of unnecessary stress to your life. Typically the risk assessment
you perform on your own job will be more detailed (because you know more
about it), making it easier for you to take time off (as you will be more organized),
and making bouncing back from the crisis of the week look so very easy.
LAYER 1: EXTERNAL RISKS
Many natural disasters are wide-area risks. That means they not only affect your
facilities, but also the surrounding area. Consider, for example, a hurricane. The
damaging winds can affect hundreds of square miles before slowly moving up the
seacoast. These winds can bring on tidal surges and torrential downpours, spawn
tornadoes, and result in downed power lines and other calamities all at the
same time.
Now consider your business in the midst of this. All companies are affected by
this disaster, including your customers, your suppliers, and your emergency
services support. Damage can be widespread. Technicians and machinery you
had counted on for prompt support are tied up elsewhere. Bridges may be out,
your workers may be unable to leave the facilities, and fresh workers may be
unable to come to work. Employees critical to your recovery may not be available
due to damage to their homes or injuries to their families. The list of problems
could go on and on.
Don’t forget to consider how the disaster may affect your employees’ ability to
respond to the disaster. After the terrorist attacks on the World Trade Center,
many disaster recovery plans called for surviving employees to be at the recovery
site the next day. After watching their friends and coworkers dying around them,
getting to the recovery site was not at the top of their priority list!
Don’t live in a hurricane zone? How different is this from a major snow storm?
Power lines snap, which cuts off the electrical heat to your building, which causes
sprinkler pipes to freeze and burst, etc. Impassable roads mean that help is slow
to move around the area. Extreme temperatures reduce the productivity of power
line technicians.
The risk to your site from natural disasters is determined by its topographic,
hydrologic, and geologic conditions. This can be determined from maps provided
by the United States Geological Survey. The maps show elevations and
drainage patterns.
The same goes for critical highways or railroads. Depending on where you
live, a blocked highway may be easily bypassed. In some places, it may be the only
practical route for tourists to reach your hotel. A damaged bridge on a key road
could shut you down for days. A railroad derailment that spills toxic material may
force an evacuation of your offices, even if it is quite a distance away.
With all of this “doom and gloom” in mind, let’s break external risks into four
categories: natural disasters, manufactured risks, civil risks, and supplier risks.
WHAT TO DO?
Use Form 3-1, the “Risk Assessment Tool for Layer 1.” It is on the CD-ROM
included with this book.
Evaluate the risk to your site in each of the categories over the next 5 years.
The columns of the tool are:
LIKELIHOOD is how likely this risk is to happen.
IMPACT is how bad you believe the damage would be.
RESTORATION is the length of time to get your critical functions back into service,
not the amount of time for a complete recovery.
See section “Making the Assessment” at the end of this chapter for details on how
to score each risk.
The risks listed in Form 3-1 are just a starting point. Add any other risks that
you see for your site.
Natural Disasters
Natural disasters are the first events that come to mind when writing a disaster
plan and are risks that we all live with. They vary greatly according to the part of
the country in which you live. The damage from natural disasters usually covers a
wide area. This not only affects your building, but also your employees, suppliers,
customers, and the time required for a full recovery.
A major problem with wide-area disasters is that the help you are depending
on for recovery may not be available or able to reach you. If major electrical lines
are down, then your power company may take a long time to rerun the wire from
the downed power pole to your building.
How much warning will you typically receive of an impending disaster? For a
hurricane, you should know days before it arrives. In the case of an earthquake,
you may not know until it is upon you.
TORNADOES Tornadoes are the most violent type of storm and can occur at any
time of the year. They can appear with little or no warning anywhere at any time.
Where you live has a great deal to do with the likelihood of a tornado occurring,
with the greatest risk per square mile in Florida and Oklahoma. Tornadoes can do
significant damage to facilities as well as to the homes of your employees.
You can obtain information about the likelihood of tornadoes in your area
from the Severe Thunderstorm Climatology Web page of the National Severe
Storms Laboratory of the National Oceanic and Atmospheric Administration at
http://www.nssl.noaa.gov/hazard/hazardmap.html. This U.S. map displays the
probability of tornadoes, wind, or hail for broad sections of the country. You can
use this map, together with your team’s collective memory, to determine the
likelihood of these events happening to you.
PANDEMICS A pandemic is an outbreak of disease that affects a large area.
Pandemics in modern times are most often associated with outbreaks of an
influenza virus for which there is little or no immunity in the affected
population. In recent times severe acute respiratory syndrome (SARS) and
H1N1 (the so-called swine flu) have impacted the ability of organizations to do
business. A pandemic can have a major impact on the availability of your
employees, as they or members of their family are sick from the disease. Many
governments are requiring important industries, such as finance, energy,
government, banking and transportation, to prepare plans for continuing
operations during a pandemic.
EARTHQUAKES Earthquakes occur in all 50 states. They can affect both your
facilities and the homes of your employees (see Figure 3-2). Forty-one of these
states are in the moderate- or high-risk category. To see if your area has an
earthquake risk, check out http://earthquake.usgs.gov/research/hazmaps/.
FIGURE 3-2: Seattle, WA, March 2001. Businesses in and around Seattle were damaged by
a February 2001 earthquake in Washington State. (FEMA News Photo.)
THUNDERSTORMS Information about the typical annual threat of severe
thunderstorms in the United States can be found at
http://www.nssl.noaa.gov/hazard/totalthreat.html. Severe thunderstorms include winds in excess of 58 mph
and hailstones greater than .75 inches in diameter. These storms can include:
➤ High winds that may rip off parts of your roof, exposing your equipment to
damaging rain. High winds may also pick up objects and smash them into
your windows, or even tip over semitrailers and close mountain passes.
➤ Hail that can be smaller than a pea or larger than a softball. It can destroy field
crops, put a massive number of dents in a car, damage unprotected material
you have stored outside, and can be extremely annoying if you own a car lot.
➤ Deluge and flash flooding that can cause roads to close, which slows the flow
of customers, employees, and material in and out of your facility. Your building
may change from a hilltop with a view to an island in a sea of muddy water.
➤ Lightning that can damage electronic equipment without striking it. The
charge can run up telecommunication wires to a PC and toast it easily. It can
also damage electronics in your office without leaving a mark. Lightning is a
danger to your employees, and steps should be taken to protect them from the
danger of being struck and from lightning igniting flammable gases.
SNOW Heavy snow or blizzards can close access roads leading into and out of
your building, keeping employees in and the next shift at home. Even if your local
weather is manageable, you may still close if trucks full of materials cannot drive
over snow-blocked roads. Snow storms should be monitored for wind speed and
the distribution of snow. Snow piled high against buildings or on roofs can lead to
structural problems or failure (see Figure 3-3).
EXTREME TEMPERATURES Extreme temperatures, whether hot or cold, can wreak
havoc on your facility, your materials, and your employees. These are also peak
energy demand times, which will further throw off your operating budget. Like
snow and other risks, your team can decide what an extreme temperature is and
the risk it will occur within the next 5 years.
HURRICANES Hurricanes are severe storms that form in tropical waters anywhere
in the world. Their occurrence can be predicted by the weather service, but
forecasters cannot accurately predict where they will make landfall and at what strength.
Organizations located in or near coastal areas must have an evacuation plan in
place for when hurricanes threaten. Hurricanes can spawn tornadoes, create tidal
surges, and cause flooding. Evaluate the risk of just a hurricane occurring. Then
evaluate the risk to each of the other categories separately.
FLOODS Floods or tidal surges are usually detected by the weather service. Thus,
you have some warning that trouble is coming. The Federal Emergency
Management Agency (FEMA) reports that more than 90% of natural disasters
involve flooding. The tidal surge may be the result of a hurricane or severe storm
at sea. Floods can result from melting snow, severe downpours in the areas
upriver from your location, and other natural causes. Usually, there will be some
warning, but there may not be enough time to evacuate all your vital records
and machinery.
Floods damage your property in many ways (see Figure 3-4):
➤ A flood will damage just about everything by soaking it in water. Office
materials, computers, and manufacturing materials all can be seriously
damaged by water. When the water finally moves out, mold can move in.
➤ The flood waters themselves may contain raw sewage or chemicals that will
end up inside your building.
➤ Debris of all sizes is carried in the flood waters and can batter your walls,
smash in windows, and be left strewn about when the waters subside.
➤ Flood waters typically contain mud and sand that will coat the floors and
walls as the waters recede. This material will also be contaminated with
whatever was in the flood waters.
FIGURE 3-3: Little Rock, AR, December 29, 2000. Downed power cables were among the
damage after an ice storm. (Photo by John Shea/FEMA News Photo.)
OTHER NATURAL DISASTERS Forest fires or large brush fires may threaten your
facility or the access roads to it. Landslides can close roads and damage facilities,
depending on your topography. This is more common if your facility is located on
or near a hill or your main roads pass along hillsides. Mudslides can result from
heavy rainfall. Sinkholes (subsidence) are the result of surface collapse from a lack
of support underneath, as might be caused by groundwater dissolving a soft
material such as limestone, or from abandoned mine tunnels. Sandstorms
resulting from high winds can damage vehicles, seep dust and grit into machine
shops, and close access roads.
Manufactured Risks
All around you are potential human-created risks. If you are in a city, this is an
even greater problem. These risks are the result of someone else’s disaster or
actions that affect your daily operations. Stand outside for a moment and look
around. Drive around the nearby roads and make notes of what you see. Look
for large outside storage tanks, semitrailers with gas, or hazardous
warning signs.
FIGURE 3-4: Mullens, WV, July 17, 2001. An office supply store was in shambles after
flood waters up to 9 feet hit earlier in the month. (Photo by Leif Skoogfors/FEMA
News Photo.)
HOW TO IDENTIFY MANUFACTURED RISKS:
Get a map of your area from FEMA. It will show the routes taken by hazardous
material carriers. It will have similar information on railroad usage and pipelines.
Determine whether a problem with any of these would block your only decent road
access and, if a toxic gas leak were blown your way, how close it would have to be
to cause your facility to be evacuated.
Get a good local road map. Mark any obstacles that would hinder or prevent
access to your facility if routes were inaccessible, such as major bridges and
primary highways. Now mark those things whose operation would stop or hinder
access, such as drawbridges or surface-level railroad tracks. This map will be
further used when studying Layer 2 risks.
INDUSTRIAL SITES Note any industrial sites with large outdoor storage tanks.
What is in them? Do they contain distilled water or industrial chemicals? A
major chemical release could cause a wide area to be evacuated. Your facility or
access to your facility could be affected while the chemical spill is
being contained.
TRANSPORTATION Major highways may be used to transport toxic materials
through your area. If a truck flipped over and there was a major toxic spill, do you
have another access road into your facility? (If this occurs close by, your building
may need to be evacuated.) Bridges across large bodies of water or intercoastal
waterways can be damaged by collisions with barges or boats. If you are on an
island, do you have another suitable way in? If the bridge arches high into the air
to allow seagoing vessels to pass underneath, is it often closed during high winds
or ice storms? Railroads also transport toxic material. Does your building have a
railroad siding next to it where someone else’s railcars with potentially hazardous
cargo could be temporarily stored? Is your facility located on or near a flight path?
This includes small dirt strips as well.
PIPELINES Are there any underground pipelines in your area? These often carry
fuels. A pipe rupture can force an evacuation lasting several days.
CHEMICAL USERS These are all around, often unknown to their neighbors. For
example, many water treatment plants use chlorine to treat water. A chlorine gas
leak can force an evacuation of a wide area.
DAMS Dams require regular maintenance. In extreme weather, they may overflow
or become damaged; ask about soft spots.
Civil Risks
The risk from civil problems is a tough area that covers a lot of ground.
Organizations are susceptible to civil disturbances because of some political
agenda or they might simply be located in an affected area.
RIOTS What is the risk of a riot occurring in your area? Is it higher in an urban
area (where the people are) than in a rural area? In general, it would be less
likely in an affluent area than in an area with a concentration of less affluent
people. It might be less likely in the middle of an industrial park than on a busy
street corner.
LABOR DISPUTES Another risk is the potential of a labor dispute turning into a
strike. The picket lines that usually accompany a strike might cause material and
employee flow problems if truck drivers and employees refuse to or cannot cross
the picket lines. Similar to a labor stoppage is the risk of secondary picketing. If
your labor relations are sound, but one of your suppliers is in the midst of a labor
dispute, their employees may choose to publicize their dispute by picketing
companies that continue to use products made by their company. Even though
these picket lines tend to be much smaller, you may have union truck drivers who
will not drive across them.
TERRORISM The threat from terrorism is unfortunately a growing problem
worldwide. It is typically defined as the calculated use or threat of violence against
civilians for reasons that are political, religious, or ideological in nature. Acts of
terrorism can include bombings, kidnappings, hijackings, hacking, or other forms
of violence or intimidation. As the attacks on 9/11 demonstrated, terrorism can
have an impact over a wide area both on physical facilities and the ability of
employees to do their jobs.
BIOLOGICAL ATTACKS This is the intentional release of germs or other biological
agents in an attempt to cause serious illness or death over a wide area. Some
agents are contagious and can spread from person to person (e.g., smallpox), while
others are limited to individuals who come into direct contact with the agent (e.g.,
anthrax). As we have seen in the many recent anthrax scares, the material does
not have to be real to cause a disruption to your business.
Supplier Risks
Another category of risk is how well your suppliers can maintain their flow of
goods into your facility. Make a list of your key suppliers and ask yourself, in every
case, what is the risk that they cannot manufacture and deliver your required
material to your dock on time in the event of any of the aforementioned disasters.
This is critical for manufacturers who depend on just-in-time deliveries.
You need to consider the condition of the access roads or rail service between
your facility and your key suppliers. This could be interrupted by area-wide disasters,
such as blizzards or flooding.
SUPPLIER RISKS
What to Do?
1. Make up a list of key suppliers or service providers whose absence for more
than 48 hours would shut you down. (You can change the 48 hours to
whatever value you think is appropriate.)
2. Plot their location on a map (down to the road intersection if local, or to the
town if distant). Pushpins work well for this.
3. Identify potential problems along their routes. For example, are they in St.
Louis and need to cross the Mississippi River to reach your facility? If so, what
is the risk they can’t get across in the event of a major flood?
4. For local suppliers, check to see if they have multiple routes to reach you or
have their own traffic flow bottlenecks.
Sources of Information for Layer 1 Risks:
Earthquakes: http://earthquake.usgs.gov/research/hazmaps/
Tornadoes: http://www.nssl.noaa.gov/hazard/hazardmap.html
Severe storms: http://www.nssl.noaa.gov/hazard/totalthreat.html
Manufactured hazards: Your local Federal Emergency Management Agency
(FEMA) office can be found in the county or state sections of your local telephone
book or at the FEMA Web site at http://www.fema.gov/about/contact/statedr.shtm.
They will be an invaluable source of the risks and mitigation actions
for Layer 1 risks in your locale.
Access hazards: A road map and a topographical map.
LAYER 2: FACILITY-WIDE RISK
A facility-wide risk is something that only impacts your local facility. Some
companies span many locations and will need to make a separate risk assessment
for each location. Each assessment can be for one building or a cluster of buildings.
In either event, a facility-wide risk involves multiple departments and would slow
or stop the flow of business.
An example might be a facility that takes toll-free calls from around the country
for hotel reservations. The loss of their internal telephone switch could idle hundreds
of workers. Customers who could not complete their calls would phone a different
hotel chain. This costs the company in direct revenue and is compounded by the
loss of valuable customer goodwill through the uncompleted calls.
Another example is the loss of electrical power. Unless you sit next to a window
on a sunny day, the loss of electrical power will mean all work stops when the lights
go out. In addition, all your desktop PCs will “crash” and lose any data in their
memories. Just the labor time alone to reboot this equipment can be substantial.
We will begin with the essential utilities we all take for granted, and then move
into the important areas of people risks. There are five basic office utilities that we
all take for granted, but without them, the doors might close quickly. They are:
➤ Electricity
➤ Telephones
➤ Water
➤ Climate Control
➤ Data Network
WHAT TO DO?
Use the local map that was marked up in Layer 1 and indicate the location of the
local fire department, ambulance service, hospital, and police station. Look for
access problems.
Electricity
Electricity gives us lights. It powers our office and manufacturing machines. It is
magically there every time we need it—just plug in! Stop and think of the
complexity involved in generating electricity and then moving it hundreds of
miles to where it is needed. This is truly an engineering marvel. And it is very
reliable. So reliable that when it is stopped, people become very annoyed as if
something they had a right to expect was taken from them.
To properly determine the risk of an electrical outage, begin with the team’s
own experiences with the frequency, timing, and length of outages in this area.
Frequency is how many times it might occur within your 5-year planning window.
Timing is what time of day or day of the week it usually happens. In some places,
it seems most likely to occur during severe thunderstorms. In other locales, it
might be most likely to stop during ice storms.
The second step is to consult your facilities maintenance department. Find
out how many power feeds run into the building and if they enter from opposite
ends of the building. It is not uncommon to only have one. If so, then you have
just uncovered a potential single point of failure. It is better to have more than one
power feed to your building.
One thing to understand is that even if electricity is unavailable across a wide
area, the landline telephone system may still work. You might consider maintaining
at least one landline connection if your organization moves to other technologies
such as voice-over-IP (VoIP) or all cell phones, as a blackout could last longer than
your UPS or cell phone batteries. You can use this to notify the power company of
the outage, to see how widespread it is, and to ask when they expect to have it
operational again.
Telephones
Telephones are your window to the world. In the blink of an eye, you communicate
with customers and suppliers in any corner of the world. Telephones also provide
a crucial lifeline to emergency services during a disaster. Loss of telephone service
hurts some companies more than others, but few companies can function without
it for an extended period of time.
A critical aspect of telephone communications is that your external company
data network often runs over the same cables. So if a backhoe operator cuts the
cable to your building, you could lose both the telephones and the external data
lines at the same time.
When evaluating your telephone risk, check out your local telephone service
architecture. If the local central office was inoperable, would your telephones still
work? If you can reach multiple central offices, then the answer is yes. If you are
only connected to one central office, then its loss is your loss.
Most companies have their own Private Branch Exchange (PBX) system.
Damage to this room could very effectively shut down your internal telephone
system. How do you rate the risk or likelihood of this happening?
Water
One thing we can look forward to every winter is the breaking of water mains. As
the ground is saturated with fall or winter moisture and then freezes, it expands
and contracts, stressing older water main lines. Eventually, one will give way and
a section of the town will be without fresh water until it is fixed.
If you are operating a restaurant, you use a lot of water for sanitation and for
customers. So, of course, if a water main broke you could be closed for several
hours. If this occurred during a particularly profitable time of day or day of the
week, you could lose a lot of money. If it happened very often, you could lose
customer goodwill.
Office buildings are also major water users. Many computer and PBX rooms
are cooled by “chilled water” systems. If these units lose water pressure, they can
no longer cool the air and the central computer equipment could overheat. If this
occurred on a weekend, you might find out when everyone streams in on Monday.
By then, the heat has damaged expensive electronic components and your systems
are useless.
Office buildings also use water for sanitation. If you have 500 people in a
building, you have a lot of flushes in one day. If your neighborhood water main
was broken, how long would your building be habitable?
Climate Control
Loss of heating or air conditioning might be an inconvenience depending on the
time of the year. In the depth of winter or the height of summer, this could make
for very uncomfortable working conditions and be very damaging to your
manufacturing materials and electronic systems.
Loss of heat in the depths of winter:
➤ Can cause your building to cool to the point of freezing. This could lead to
frozen sprinkler pipes that could rupture and leak upon melting.
➤ Can affect integrated circuits in electronic equipment that are not designed
for extreme cold and may malfunction.
➤ Can, in a manufacturing environment, stop production as the viscosity of
paint, lubricants, and fluids used in normal production is increased. Water-
based products may be ruined if frozen.
Loss of air conditioning in the heat of summer:
➤ Can result in office closures because the high heat could lead to heat stroke or
heat exhaustion. Remember to consult the heat index for your area, as
humidity can make the air temperature feel much warmer and can impact
people sooner.
➤ Can, in a factory, lead to the overheating of moving machinery much faster and
potentially beyond its rated operating temperature.
➤ Requires that you monitor the temperatures of your computer and PBX rooms
and shut them down if temperatures exceed the manufacturer’s rated temperatures,
or risk losing warranty claims.
➤ Can result in a loss of humidity control that may add moisture to your vital
records storage room, leading to the potential for mildew growth.
Data Network
Most companies depend heavily on their data communication network to conduct
daily business. It is the tool that allows desktop workstations to share data, send
e-mail confirmations, and receive faxed orders into e-mail, as well as providing a
wealth of other benefits. In many companies, losing the data network is as severe
a problem as losing electricity. We’ll discuss data communications issues more
thoroughly below in Level 3, Data Systems Risks.
Other facility-wide risks to review are those that endanger the people in the
facility. These people risks include:
➤ Fire
➤ Structural Problems
➤ Security Issues
➤ Medical Concerns
FIRE What do you think the risk is of a fire occurring in your facility? This can be a
fire of any size depending on what you see in place today to deal with it. There
may be fire extinguishers in every corner, but that does not mean there is a low
risk of fire. This risk should take into account the local conditions (does it get very
dry in summer), the amount of combustibles stacked around the facility, and the
construction of the building itself (wood, cement, etc.).
Another risk factor to add is the reaction time for fire crews to reach your site.
If it is rural, it may take additional time to collect volunteer firefighters at the
stationhouse before they can respond (see Figure 3-5).
STRUCTURAL PROBLEMS Structural problems may be caused by design flaws, poor
materials, or even human mistakes. In any event, consider the risks of damage
from the very building you are sitting in.
➤ Weather-related structural failure might arise from a heavy snowfall weighing
on the roof or even from high winds.
FIGURE 3-5: NOAA news photo. (From Frankel et al., U.S. Geological Survey, 1997.)
➤ A fire on one floor of a building may be quickly contained, but the water used
to extinguish it will seep through the floor and damage equipment and vital
records stored below. Any large fire, no matter how quickly it is contained, has
the capability to weaken an entire structure.
➤ Water pipe breakage can occur when part of the building freezes because the
heat was shut off over a holiday, or when a worker snaps off a sprinkler head with
a ladder while walking down a hall.
➤ Lightning does not have to hit your building to damage sensitive electronic
components. However, if it does, you could lose valuable data and equipment
in a very, very short time. Buildings must have proper grounding and
lightning protection.
SECURITY ISSUES The quality of security surrounding a workplace has gained
widespread attention in recent years. Historically, the facility’s security force was
used to prevent theft of company property and to keep the curious away from
company secrets. In more recent years, the threat of workplace violence, often
from outsiders, has led to a resurgence of interest in having someone screen
anyone entering your facility. Issues that your security people must be trained to
deal with include:
➤ Workplace Violence. What is the risk of someone in your facility losing his or
her temper to the point of a violent confrontation with another person?
➤ Bomb Threats. Every occurrence of a bomb threat must be taken seriously. A
bomb threat can disrupt critical processes while police investigators determine
if there is a valid threat to public safety or if it is just a crank call. This risk can
vary according to the public profile of your company, the type of products you
produce, or even the level of labor tension in your offices.
➤ Trespassing. Employee and visitor entrance screening is critical. What is the
likelihood of someone bypassing or walking through security screening at
your entrance? You might wish to break this down further, from the risk of a
deranged nonemployee out to avenge some imagined wrong by an employee
to that of a thief looking to rummage through unattended purses. These things can
tragically occur anywhere, but you can set this risk according to the team’s
experience at this facility.
➤ Physical Security of Property. This involves theft, either by employees or
outsiders. The thief can steal from employees or from the company. It is
expensive for a company to have a laptop PC stolen. It is even more expensive
if that PC has company confidential data in it. Physical security involves
employee identification badges, a key control program, and electronic security
access to sensitive areas.
➤ Sabotage. Sabotage is the intentional destruction of company property. This
can be done by an employee or by an outsider. There are some parts of your
facility that are only open to authorized people. Examples are the PBX room,
the computer room, and the vital records storage. What is the risk that someone
will bypass the security measures and tamper with or destroy something in a
sensitive area? Another thing to think about is to determine if all your sensitive
areas are secured from sabotage.
➤ Intellectual Property or Theft of Confidential Company Information. What
is the risk that valuable company information will miss a shredder and end up
in a dumpster outside? This could be customer lists, orders with credit card
numbers, or even old employee records.
WHAT TO DO?
Obtain copies of your company policies for security and safety. The security
team often has emergency procedures for fire and police support. Add them to
your plan.
Examine your security policy for a date that it was last reviewed or published.
Compare the written policy to how security is actually implemented at your facility.
MEDICAL CONCERNS The standard answer you hear to evaluating medical risks
usually involves calling for an ambulance. This is a good answer. But when
evaluating the likelihood of these risks, you might add to your disaster plan
equipment and personnel who could provide aid while waiting for the ambulance
to arrive. Examples are hanging emergency medical kits or defibrillators around
the facility. Some companies register all employees who are certified Emergency
Medical Technicians (EMTs) and pay them extra to carry a pager. In the event of a
medical emergency, they are dispatched to the location to assist until proper
medical support arrives. It may even make sense to staff an industrial nurse
during production hours. Medical issues might include these:
➤ Sickness. What is the risk of someone coming down with a serious sickness
while at work? Some serious illnesses can come on suddenly.
➤ Sudden Death. What is the risk of someone falling over dead? This risk
should factor in the age of the workforce and the types of materials used in
your facility.
➤ Serious Accident. Do you use heavy machinery or high voltages in your
processes? Are serious accidents a real risk in your line of business?
➤ Fatal Accident. Along the lines of the serious accident, is there a risk of a fatal
accident at your site?
What other Layer 2 Risks can you or your team identify? Add them to Form 3-2
on the CD-ROM.
WHAT TO DO?
Find out about local fire/ambulance service. What hours is it staffed? Is it full
time or run by volunteers?
What is the distance from the stationhouse to your door?
Are there obstacles that might delay an ambulance, such as a drawbridge or
surface-level railroad tracks?
What is the distance to a hospital?
LAYER 3: DATA SYSTEMS RISKS
Data systems risks are important because one problem can adversely affect
multiple departments. Data systems typically share expensive hardware, such as
networks, central computer systems, file servers, and even Internet access. A
complete study of data system risk would fill its own book, so this chapter examines
these risks from an end-user perspective.
Your data systems architecture will to a great degree determine your
overall risks. Its design will reflect the technology costs and benefits of
centralized/decentralized software and data. A more common company-wide risk
is a loss of the internal computer network. With a heavy dependence on shared
applications and data files, many companies are at a standstill without this
essential resource. Even a short interruption will lose valuable employee time as
they reconnect to the central service.
A major goal in examining data systems risks is to locate your single points of
failure. These are the bottlenecks where a problem would have wide-reaching
impact. In later chapters, we will review our single points of failure for opportunities
to install redundant devices.
Some of the hidden risks in data systems are processes that have always been
there and have worked fine for a long period of time. It is possible that they are
running on obsolete machines that could not be repaired if damaged in a disaster,
and their software program likely could not be readily transferred to
another processor. Your only choice is to try to make your old program function
on the new hardware. As anyone who has tried to use an old program while leaping
generations of hardware technology can tell you, this can be a time-consuming
process. Due to the sudden change to new equipment and operating software,
your programs may require substantial fine-tuning to run. This “forced upgrade”
will delay your full recovery.
Computer programs exist in two forms. The “English-like” source code is what
the programmer writes. The computer executes a processed version of the program
called “machine code.” A typical data processing problem is finding the original
source code. Without this, programs cannot be easily moved to a different
computer. This leads to processes relying on obsolete languages or programs
to work.
The risk analysis at this level is from the end-user perspective, as the data
department should already have a current plan. If so, these items may be lifted
from their plan.
WHAT TO DO?
Use the Critical Process Impact Matrix (Form 3-3) found on your CD. We will also
use this matrix for Layers 4 and 5.
The Critical Process Impact Matrix will become a very valuable part of your
disaster recovery plan. Whenever the IS department wants to restart the AS/400
over lunchtime to address an important error, you can sort the matrix by the
platform column and see which systems will stop working during this time and
thereby quickly see the impact of this action. You would also know which customer
contacts to notify.
The matrix has the following columns:
➤ System. Enter the name commonly used to refer to this overall computer
system, such as Accounts Payable, Materials Management System, Traffic
Control System, etc. However, this does not have to be a computer-based
system as it can apply to any important process.
➤ Platform. Enter the computer system this runs on, such as AS/400 #3, a VAX
named Alvin, etc.
➤ Normal Operating Days/Times. What times and days do you normally need
this? Use the first one or two letters for the days of the week and enter 24 hours
if it must always be up.
➤ Critical Operating Days/Times. Use the same notation as for normal times
and days. Some systems have critical times when they must be up for 24 hours,
such as when Accounting closes the books at the end of the month, end of
quarter, etc. Use as many critical days/time entries as you need.
➤ Support Primary/Backup. Who in the IS department writes changes or
answers questions about this system? These must be someone’s name and not
a faceless entity like “Help Desk.”
➤ Customer Contacts Primary/Backup. Who should the IS department call to
inform them of current or upcoming system problems? Often this is a
department manager.
Fill in the matrix. This will take quite a while. Every system on this list must
have at least a basic disaster recovery plan written for it—but more on that later.
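
The lunchtime-restart lookup described above, as an added example (not from the book or its CD forms). The day/time encoding ("M,Tu,W 08:00-17:00", or "24" for always up), the sample rows, and the people named are constructed assumptions.

```python
from dataclasses import dataclass

DAY_CODES = ("M", "Tu", "W", "Th", "F", "Sa", "Su")
# Entries the matrix should not accept as a contact: a queue, not a person.
FACELESS = {"help desk", "helpdesk", "service desk", "is department"}


def to_minutes(hhmm):
    hours, minutes = hhmm.split(":")
    return int(hours) * 60 + int(minutes)


def parse_window(text):
    """'M,Tu,W 08:00-17:00' or 'Sa,Su 24' -> (day codes, start, end) in minutes."""
    days_part, hours_part = text.split()
    days = set(days_part.split(","))
    unknown = days - set(DAY_CODES)
    if unknown:
        raise ValueError(f"unknown day code(s) in {text!r}: {sorted(unknown)}")
    if hours_part == "24":  # must always be up on those days
        return days, 0, 24 * 60
    start, end = (to_minutes(t) for t in hours_part.split("-"))
    if end <= start:
        raise ValueError(f"window must end after it starts: {text!r}")
    return days, start, end


def overlaps(window, day, start, end):
    days, w_start, w_end = parse_window(window)
    return day in days and start < w_end and w_start < end


@dataclass
class Row:
    system: str       # name commonly used for the system or process
    platform: str     # machine it runs on
    normal: str       # normal operating days/times
    critical: list    # zero or more critical days/times entries
    support: tuple    # (primary, backup) in the IS department
    customers: tuple  # (primary, backup) customer contacts


# Constructed sample rows; platform names follow the chapter's examples.
MATRIX = [
    Row("Accounts Payable", "AS/400 #3", "M,Tu,W,Th,F 08:00-17:00",
        ["F 24"], ("R. Ortiz", "L. Chen"), ("Accounting Mgr", "AP Lead")),
    Row("Materials Management System", "AS/400 #3",
        "M,Tu,W,Th,F,Sa 06:00-22:00", ["W 11:00-14:00"],
        ("D. Patel", "R. Ortiz"), ("Materials Mgr", "Receiving Lead")),
    Row("Payroll", "AS/400 #3", "Th 08:00-17:00", [],
        ("L. Chen", "Help Desk"), ("Payroll Mgr", "HR Mgr")),
    Row("Traffic Control System", "VAX Alvin", "M,Tu,W,Th,F,Sa,Su 24", [],
        ("S. Novak", "D. Patel"), ("Shipping Mgr", "Dock Lead")),
]


def outage_impact(matrix, platform, day, start, end):
    """Systems on `platform` hit by an outage, worst first, with who to notify."""
    s, e = to_minutes(start), to_minutes(end)
    hits = []
    for row in matrix:
        if row.platform != platform:
            continue
        if any(overlaps(w, day, s, e) for w in row.critical):
            level = "CRITICAL"   # outage lands inside a critical window
        elif overlaps(row.normal, day, s, e):
            level = "NORMAL"     # in use, but not at a critical time
        else:
            level = "IDLE"       # not scheduled to be in use
        hits.append({"system": row.system, "level": level,
                     "notify": list(row.customers),
                     "support": list(row.support)})
    order = {"CRITICAL": 0, "NORMAL": 1, "IDLE": 2}
    return sorted(hits, key=lambda h: (order[h["level"]], h["system"]))


def faceless_contacts(matrix):
    """Rows whose support or customer contact is blank or a faceless entity."""
    problems = []
    for row in matrix:
        for role, people in (("support", row.support),
                             ("customer", row.customers)):
            for slot, name in zip(("primary", "backup"), people):
                if not name or name.strip().lower() in FACELESS:
                    problems.append((row.system, f"{role} {slot}", name))
    return problems


if __name__ == "__main__":
    for hit in outage_impact(MATRIX, "AS/400 #3", "W", "12:00", "13:00"):
        print(f'{hit["level"]:8} {hit["system"]:28} notify {hit["notify"]}')
    for system, slot, name in faceless_contacts(MATRIX):
        print(f"fix {system}: {slot} is {name!r}, needs a named person")
```
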
Now that we have identified the critical processes, we need to break each
process down into its main components. Remember, this is only necessary for your
critical processes. Use the Critical Process Breakdown matrix (Form 3-4 found on
your CD). This matrix helps to identify the critical components for each system.
By focusing on the critical components, we can keep this sheet manageable. If
your facility is ISO compliant, then much of this is already in your process
work instructions.
➤ System. This name ties the Breakdown matrix to the Critical Process Impact
Matrix. Be sure to use the same system names on both matrixes.
➤ Platform. Enter the computer system this runs on, such as AS/400 #3, a VAX
named Alvin, etc.
➤ Key Components. There may be more than one of each item per category for
each critical process.
◆ Hardware. List specialized things here such as barcode printers, check
printers, RF scanners, etc.
◆ Software. What major software components does this use? This is usually
multiple items.
◆ Materials. List unique materials needed, such as preprinted forms or
special labels.
◆ Users. If this is widely used, list the departments that use it. If its use is
confined to a few key people, then list them by name or title.
◆ Suppliers. Who supplies the key material? If the materials required are highly
specialized, then list supplier information. Ensure this is included on the
key supplier list. If the material is commonly available, then we can skip this.
Data Communications Network
The data communications network is the glue that ties all the PCs to the shared
servers and to shared printers. Without the data network, the Accounting
department cannot exchange spreadsheets, the call center cannot check its
databases, and the Shipping department cannot issue bills of lading.
A data network is a complex collection of components, so the loss of network
functionality may be localized within a department due to the failure of a single
hub card.
Based on the collective knowledge of your team, what do you believe is the
likelihood of a failure of your data network? Ask the same question of your network
manager. Based on these two answers, plug a value into the risk assessment for
this category.
Telecommunications System
Modern Private Branch Exchanges (PBXs) are special-purpose computers, optimized
for switching telephone calls. They may also include voice mail and long-distance
call tracking.
Your facility’s telephone system is your connection to the outside world. If
your company deals directly with its customers, special care must be taken
because a dead telephone system can make them very uneasy. Telephones are
used constantly internally to coordinate between departments and, in an
emergency, to call outside for help.
Based on the collective knowledge of your team, what do you believe the
likelihood is of a failure of your company’s telephone system? Ask the same
question of your Telecommunications manager. Based on these two answers,
plug a value into the risk assessment for this category.
Shared Computers and LANs
There are many types of shared computers used by companies. They usually are
grouped under the old name of “mainframe” but refer to shared computers of all
sizes. This category also includes the LAN (Local Area Network). These
computers typically support a wide range of programs and data. When evaluating
the risks here, you have two questions:
➤ What is the risk of losing a specific shared application (such as inventory
control, payroll, etc.)? You should list each critical application separately.
➤ What is the risk of losing use of the machine itself? This could be due to
damage to the machine or more likely through a hardware failure.
These risks should be based on the collective knowledge of your team. Ask the
same question of your computer operations manager. Based on these two
answers, plug a value into the risk assessment for this category. If desired, list each
of the network servers individually.
Viruses
What do you think the likelihood is of a computer in your facility contracting a
software “virus”? How severely would this interrupt business? What would your
customers think of your company if, before it was detected, you passed the virus
on to them? What if it struck a key machine at a critical time? What if its mischievous
function was to e-mail out, to anyone in your address book, anything that had the
words “budget,” “payroll,” or “plan” in the file name?
Most companies have an Internet firewall and virus scanning software
installed. When evaluating this risk, ask your data manager’s opinion of the quality
of his software. Ask how often the catalog of known viruses is updated.
Viruses can also enter your company through many other sources. Often they
come in through steps people take to bypass the firewall or virus scanning, both
of which take place only on files coming into your facility from the outside over
your external data network.
➤ Does your company allow employees to take their laptop computers out of
the office, for example, to their homes? Are their children loading virus-laden
programs? Are the employees downloading files from their home Internet
connection that would be filtered out by their desk-side connection?
➤ Does your antivirus software automatically update its catalog of known
viruses, or must each person request this periodically?
➤ Do consultants, vendors, or customers bring laptop PCs into your facility and
plug into your network to retrieve e-mail or to communicate orders?
➤ Is there virus-checking software to validate the attachments to your e-mail?
Data Systems
Theft of hardware (with critical data) can be a double financial whammy. You
must pay to replace the hardware and then try to recreate valuable data. This risk
spans your local site (do PCs disappear over the weekend?) all the way through
laptop PCs taken on business trips.
Theft of software can be a major issue if someone steals a PC program and
then distributes illegal copies of it. You may find yourself assumed guilty and facing
a large civil suit. This can also happen if well-meaning employees load illegal
copies of software around the company.
Theft of data can occur, and you will never realize it. This could be engineering
data, customer lists, payroll information, security access codes, and any number
of things. What do you believe your risk is of this?
Data backups are the key to rapid systems recovery. But what if you reach for
the backup tapes and they are not readable? What is the risk that these tapes are
not written, handled, transported, and stored correctly?
Hacker Security Break-In
One aspect of connecting your internal network to the Internet is that it is a
potential portal for uninvited guests to access your network. Even well-built
defenses can be circumvented with careless setup or news of gaps in your security
firewall software. In some cases, they invade your system only to mask their
identity when they attack a different company. This way, all indications are that
you originated the attack!
Hackers generally fall into several categories, none of them good for you:
➤ Curious hackers just want to see if they can do it. You never know when this
person will advance to the malicious level, and they should not be in
your system.
➤ Malicious or criminal hacking involves invading your site to steal or to
damage something.
➤ In extreme cases, a hacker may conduct a denial of service attack and shut you
down by bombarding you with network traffic, which overwhelms your
network’s ability to answer all the messages.
What other Layer 3 risks can you and your team identify? Add them to the list
in Form 3-5, Risk Assessment Form Layer 3, on the CD-ROM.
LAYER 4: DEPARTMENTAL RISKS
Departmental risks are the disasters you deal with in your own department on a
daily basis. They range from the absence of a key employee to the loss of an
important computer file. Most of these obstacles are overcome through the
collective knowledge of the people in the department who either have experienced
this problem before or know of ways to work around it.
At this stage of the risk analysis, we are looking at disastrous local problems.
Consider for a moment what would happen if a worker changing light bulbs were
to knock the head off a fire sprinkler. You know the ones I mean. A fire sprinkler
nozzle typically protrudes from the ceiling into your office.
Losing a sprinkler head will put a lot of water all over that office very quickly.
Papers will be destroyed, PCs possibly sizzled, and all work stopped for hours. The
carpets will be soaked, and water will seep through the floor to the offices on the floor
below—what a mess!
A small fire is another localized disaster. It may spread smoke over a large area,
making an office difficult to work in. Depending on how it was started and the
extent of the damage, that area might be inaccessible for several days, especially
if the Fire Marshal declares an arson investigation and no one is allowed near the
“crime scene”!
Departmental risks also include the situation referred to in the data systems
section where a unique device is used that is not easily or economically repairable.
If this device is also a single point of failure, then you had better treat it like gold.
To build a departmental risk assessment, assemble a department-wide team
to identify your critical functions, risks unique to your department, and risks to
other departments that will cause problems in your group. Draft a fresh list of the
critical functions that apply to your department. You can omit those functions
already listed in the first three layers unless you are particularly vulnerable
to something.
If a risk from an earlier layer will cause you to take particular action in your
department, then include it here also. For example, if the loss of telephone service
for your facility can be charged back against your telephone bill (based on your
service agreement), then the Accounting department would need to time the
outage and make the proper adjustment to their monthly bill. Another example is
if you run the company cafeteria and an electrical outage threatens the food in
your refrigerators.
Some examples of critical functions might include:
➤ Payroll
◆ To provide correct pay to all employees on time.
◆ To maintain accurate payroll records for every employee.
◆ To deduct and report to the appropriate government agency all payroll
taxes that apply to every employee.
➤ Materials
◆ To maintain an accurate accounting of all material and its location in all
storage locations.
◆ To maintain an accurate accounting of all materials issued.
◆ To ensure that material constantly flows to the manufacturing floor with
minimal stock-outs, and with minimal inventory on hand.
➤ Building Security
◆ To provide immediate first aid to stricken employees until proper medical
assistance arrives.
◆ To maintain the integrity of the building security cordon at all times, even
in the face of disaster.
◆ To detect and notify appropriate authorities of any emergencies observed
by security personnel.
◆ To monitor all personnel on the premises after normal business hours and
during weekends and holidays.
WHAT TO DO?
Make a list of critical processes for your department.
Take a copy of the Critical Process Impact list and pull off those processes unique
to each department. Now expand it to include the critical processes in your
department. Not all critical processes involve computers.
Break down the newly added critical processes into their components.
Key Operating Equipment
After identifying your department’s critical functions, make a list of your processes
and equipment. This list will drive your department’s recovery plan. A process
would be something like “Materials Management.” That process requires (within
the department) access to the materials database, materials receiving docks,
order processing, etc.
Is there a piece of equipment in your department whose absence would hinder
your ability to perform your critical tasks? Is there an important printer directly
tied to a far-off office or company? Is your only fax machine busy all the time?
Does your payroll department have a dedicated time clock data collection and
reporting system whose absence might prevent accurate recording?
Make a list of all your critical equipment. Be sure to include unique items not
readily borrowed from a nearby department.
Lack of Data Systems
Begin with a list of all the data systems you use in your department. Add a column
of who uses each system and for what function (some people may perform
updates, some people may only write reports from it). You will find this list very
useful later.
Most data systems have a manual process to record data or work around when
it is not available. But set that aside and examine the risk that each system on your
list might not be available. Here is a good place where the team’s collective
experience can state how often a system seems to be unavailable.
Vital Records
What are the vital records originated, used, or stored by your department? List
each category of records and where they are stored. Identify the risk (or damage)
to the company if these records were lost or destroyed. Vital records are paper or
electronic documents retained to meet business, regulatory, legal, or government
requirements.
What other Layer 4 risks can you and your team identify? Add them to Form 3-6,
Risk Assessment Form Layer 4, on the CD-ROM.
LAYER 5: YOUR DESK’S RISKS
This means more than avoiding paper cuts. You must examine every process
(manual and automated), tool, piece of incoming information, and required
output that makes up your job. Since you are so familiar with your daily work, this
will be faster than you think. You are also familiar with your office priorities and
can focus on the most critical functions.
Performing a Layer 5 risk analysis may seem to be a bit of overkill, but it
closely resembles what was done at the department level. It is useful for ensuring
that everything you need to do your job is accounted for in some manner, and
may be in your department’s disaster recovery plan as nice to have but not
essential. Still, if you want to go on vacation sometime, this documentation will
make slipping out of the office a bit easier.
Layer 5 risks are a bit different because they really include all of the risks from
Layers 1 through 4. You should be able to start figuring out your critical functions
from your job description. Next, you add in what you actually do and then you will
have your critical functions list.
Make a list of the tools and data systems that you use every day. All of these
should be in the departmental risk assessment. What is the likelihood that one of
these tools will be missing when you need them? This means that the tools are
only missing from your desk. Everyone else in the department can do their job.
Therefore, if your job is the same as the person’s next to you, the risk at this layer
is quite low that you could not complete your work since you could borrow the
necessary equipment.
If you had confidential files on your PC and it crashed, that would be a risk. If
you had a unique device that you used for your job, such as a specialized PC for
credit card authorizations, then that is also a unique risk (but is probably in your
departmental plan if it impacts one of their critical functions).
Another area to consider is vital records. Do you build or store vital records on
or around your desk? Could there be a localized fire, water pipe breakage, etc., in
your area that would soak these papers? This could be backed-up personal
computer files, engineering specifications of old parts, employee evaluations, etc.
What other Layer 5 risks can you or your team identify? Add them to Form 3-7,
Risk Assessment Form Layer 5, on the CD-ROM.
WHAT TO DO?
Make a list of critical processes for your department.
Take a copy of your department’s Critical Process Impact list and pull off those
processes unique to your job. Now expand it to include all the critical processes
for your position. Not all critical processes involve computers.
Break down the newly added critical processes into their components.
SEVERITY OF A RISK
As you consider such things as fire, you quickly notice that except in the total loss
of the structure, it all depends on where and when the fire occurs. In addition, it
depends on the day of the week and the time of day.
Time of Day
Imagine a large factory. It’s 7:00 AM and the assembly line has begun moving. Off
to one side of the assembly line is a 300-gallon “tote” of paint, waiting for a forklift
to carry it to another part of the facility. When the forklift approaches, the operator
is distracted and hits the tote at a high rate of speed, puncturing it near the bottom
with both of his forks. The punctured tote begins spewing hundreds of gallons of
potentially toxic paint across the floor, into the assembly line area, etc. Of course,
the assembly operation is shut down while a long and thorough cleanup
process begins.
If this same forklift and the same operator were to hit the same tote after normal
working hours, we would have the same mess and the same cleanup expense, but
we could possibly have avoided shutting down the assembly line. With hard work,
the assembly line could be ready for use by the next day. Therefore, the time of day
that a disaster event occurs can have a major impact on its severity.
Day of Week
Along the same lines as the time of day, the day of the week (or for that matter, the
day of the year) also determines the severity of a problem. If this same factory
were working at its peak level with many temporary workers in an effort to deliver
toys to stores in time for the Christmas season, this situation would be much
worse than if it occurred during their low-demand season. If it happened on a
Saturday instead of on a Monday, the severity would also be less as you have the
remainder of the weekend to address it.
Location of the Risk
In terms of where this theoretical toxic material spill occurred, you can also
quickly see that its location, near the assembly line, had an impact on how
damaging it was. Some risks, like paint containers, float around a manufacturing
facility. In an office, a similar situation exists. A small fire in an outside trash
dumpster might singe the building and be promptly extinguished. The damage
would be annoying, but your office productivity would not miss a beat.
The same small fire in your vital records storage room would be a disaster.
Water damage to the cartons of paper would cause papers to stick together, cartons
to weaken and collapse, and a general smoky smell that will linger for a long time.
There is also a potential long-term problem with mold damaging the records.
SOURCES OF RISK ASSESSMENT INFORMATION
The Federal Emergency Management Agency (formerly known as Civil Defense)
can provide you with a wealth of local information about your Layer 1 risks. It has
already mapped the approved hazardous materials routes and knows what the
local natural disaster likelihood is. FEMA is listed in your telephone directory and
can also be found at http://www.fema.gov. Figure 3-6 shows a sample of the type
of maps available from the government that show the likelihood of various hazards;
this map shows the probability of an earthquake occurring.
Local fire and police departments are also likely sources for information on
anticipated arrival times for help. If you have a volunteer fire department, you
would like to know their average response time for your area and what you might
expect for timely ambulance support. The longer the delay in responding, the
more mitigation steps that your company should plan for. Some volunteer
departments staff a few full-time members to provide an immediate response and
the rest of the volunteers join them at the accident site.
The local law enforcement authorities can also provide insight into crime
activity patterns for determining your risk of theft or civil disorder.
FIGURE 3-6: U.S. Geological Survey National Seismic Hazard Mapping Project.
MAKING THE ASSESSMENT
Wow! Now that we see that risks are all around us, that they vary in time, magnitude,
and business impact, let’s make some sense of all of this. This is a good time to
bring your Disaster Planning Project team together. The more “institutional
knowledge” you can tap for this list, the better tool it becomes.
Scoring
OK, now the risk analysis sheets have been filled and the scores calculated. Now it
is time to identify the more likely risks and build plans for them.
Scoring the list involves your judgment of several factors. First, how likely is it
that this will occur? If you think about it, given an infinite amount of time, you could
predict that about everything will occur at least once. So for this scoring exercise,
let’s use a 5-year horizon. Of course, you can use any timeframe you wish. Just
be consistent.
We will use the electrical power outage as an example as we examine the
column headings:
➤ Grouping. These are the overall categories provided to keep similar
issues together.
➤ Risk. This is where you list the various risks to your business.
➤ Likelihood. 0 through 10, with 0 being no likelihood at all, 1 to 3 if there is
little chance of this type of disaster occurring, 4 to 6 if there is a nominal
chance of occurrence, 7 to 9 if the disaster is very likely to occur, and 10 if it is
a sure thing that the disaster will occur. Remember your planning horizon. If
it is 5 years, be sure to keep that in the forefront of everyone’s mind. So over
the next 5 years, what is the likelihood that the facility will lose electrical
power at any time of the day, or any day of the week?
➤ Impact. 0 through 10, with 0 being no impact at all, 1 to 3 if there is an
inconvenience to some people or departments, 4 to 6 if there is a significant
loss of service to some people or departments, 7 to 9 if there is a loss of a
mission critical service, and 10 as a death sentence for the company. How
badly would this disaster hurt us? To judge this, consider the problem occurring
at the busiest time of the day, on the busiest day of the year.
➤ Cost of Mitigation. 1 through 10, with 10 being there is little to no cost to
mitigate the risk, 7 to 9 if the cost to mitigate can be approved by a supervisor,
4 to 6 if the cost to mitigate requires a department head to approve, and 1 to 3
if senior management approval is required to cover the cost of mitigation. This
scale runs the opposite of the other two columns, as we assign high values to
risks that are easier to mitigate. Carrying forward the electrical service example,
what would it cost to mitigate the risk of losing power (which would probably
require the installation of a standby generator)?
Sorting
The spreadsheet multiplies the Likelihood times the Impact times the Cost of
Mitigation to get a rough risk analysis score. As you can see, a zero value in the
Likelihood or Impact columns makes the risk score a zero.
You should sort the spreadsheet on the “score” column in descending order.
This will bring your biggest risks to the top. These will be the risks that are the
most likely, have the biggest impact on your operations, and are the easiest to
mitigate. As you start your disaster recovery and mitigation plans, these risks
deserve the most attention.
Setting Aside the Low Scores
It is true that there is a risk that the sun may quit shining within the next 5 years,
but it is very low. So along with the risk of being run over by an iceberg, we will
discard any of the extremely low likelihood risks. We will be fully occupied
addressing the more likely ones.
Pick a point on each list and draw a line across it. All critical systems above the
line will have plans written for them and plans for all below the line will come at
some later time.
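The scoring, sorting, and cutoff steps described above, as an added Python example (not from the book). The sample risks and their ratings, the `cutoff_score` value, and the `overlooked` check are assumptions made for illustration; the check lists below-the-line risks rated Impact 7 or higher, which the multiplication pushes down when mitigation is expensive.

```python
"""Risk analysis sheet: Likelihood x Impact x Cost of Mitigation, sorted, with a cutoff line."""
from dataclasses import dataclass


def _in_range(name, value, low, high):
    """Reject ratings outside the scale defined for a column."""
    if not isinstance(value, int) or not low <= value <= high:
        raise ValueError(f"{name} must be an integer from {low} to {high}, got {value!r}")


@dataclass(frozen=True)
class Risk:
    grouping: str
    risk: str
    likelihood: int   # 0-10 over the planning horizon (0 = no likelihood at all)
    impact: int       # 0-10, judged at the busiest time (10 = death sentence)
    mitigation: int   # 1-10, inverted scale: 10 = little to no cost to mitigate

    def __post_init__(self):
        _in_range("likelihood", self.likelihood, 0, 10)
        _in_range("impact", self.impact, 0, 10)
        _in_range("mitigation", self.mitigation, 1, 10)

    @property
    def score(self):
        # A zero in Likelihood or Impact makes the whole score zero.
        return self.likelihood * self.impact * self.mitigation


def approval_level(mitigation):
    """Map a Cost of Mitigation rating to the approval band in the text."""
    if mitigation == 10:
        return "little to no cost"
    if mitigation >= 7:
        return "supervisor"
    if mitigation >= 4:
        return "department head"
    return "senior management"


def rank(risks):
    """Sort on the score column in descending order (ties keep input order)."""
    return sorted(risks, key=lambda r: r.score, reverse=True)


def split_at_line(ranked, cutoff_score):
    """Draw the line: plans are written now for risks at or above cutoff_score."""
    above = [r for r in ranked if r.score >= cutoff_score]
    below = [r for r in ranked if r.score < cutoff_score]
    return above, below


def overlooked(below, min_impact=7):
    """Added check (assumption): possible risks below the line that would
    still cost a mission-critical service (Impact 7 or higher)."""
    return [r for r in below if r.likelihood > 0 and r.impact >= min_impact]


# Constructed sample rows; the ratings are illustrative, not from the book.
SAMPLE = [
    Risk("Utilities", "Electrical power outage", 7, 8, 2),   # 112
    Risk("Utilities", "Telephone service loss", 6, 6, 5),    # 180
    Risk("Security", "Theft of laptops", 5, 3, 8),           # 120
    Risk("Facility", "Server room water leak", 3, 7, 6),     # 126
    Risk("Natural", "Sun quits shining", 0, 10, 1),          # 0
]

if __name__ == "__main__":
    ranked = rank(SAMPLE)
    above, below = split_at_line(ranked, cutoff_score=115)
    for r in ranked:
        marker = "PLAN NOW" if r in above else "later"
        print(f"{r.score:4d}  {marker:8s}  {r.risk}  (approval: {approval_level(r.mitigation)})")
    for r in overlooked(below):
        print(f"Review: '{r.risk}' is below the line but has Impact {r.impact}")
```

With these ratings the power outage, the highest-impact possible risk on the sheet, lands below the line because a standby generator needs senior management approval, which is why the cutoff is worth reviewing by hand.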
CONCLUSION
Your assessment of the risks faced by your operation is a critical piece of the
business continuity puzzle. The steps in identifying the major risks to your
operation as discussed in this chapter are:
1. First, determine the cost of downtime. This is critical when evaluating the
potential avoidance and mitigation options.
2. Identify the potential risks at each of the five levels. Use a 5-year time horizon
to keep things manageable.
3. For each risk, determine the impact based on the time of day, the day of the
week, and the location where the disaster occurred. Each of these factors has
an impact on the severity of the risk.
4. Identify and use outside sources of risk information, such as emergency
response operations at the local and state level.
5. Prioritize the risks based on the severity of the possible damage, the probability
of the risk occurring, and the difficulty of available avoidance and mitigation
options. You’ll want to start with the risks that do the most damage, are the
most likely, and are the easiest to avoid or mitigate.
Now that you’ve identified the risks that can affect your business, you are
much better prepared to recover from any disaster. The steps required to identify
risks are time consuming but are critical in building a foundation for your business
continuity plans.
C H A P T E R 2
BUILDING THE BUSINESS CASE
Measuring the Impact
on the Business
If you don’t know where you are going, any road will get you there.
—Lewis Carroll
INTRODUCTION
Once your team is in place and the scope of your disaster recovery planning is
determined, the next step is to determine exactly what vital functions need to be
included in the plan. Can you easily identify the most vital functions? What
happens to the business if one or more functions are suddenly unavailable due to
a system failure or other disaster? What is the cost if a function is unavailable?
Intuitively, some functions must be more valuable than others, but what is that
value? How can this value be measured? In a time of scarce resources, which
functions need to be heavily protected and which if any can be safely ignored? In
a major disaster affecting many functions, which functions are essential for the
company’s survival?
All of these questions are pertinent. Often, decisions are based on the perceived
value of a particular function when comparing two functions and the resources
for only one of them are available. Capital spending, major improvement projects,
and, of course, support staff training often are decided by the perceived value that
a function provides the company. But what is this value based on? Where are the
data that support this value? How old are the data? Has the value provided by a
function changed over time?
The problem with the business-as-usual approach is that it is based on a
limited understanding or personal whim—not on the facts. A long-time manager
might be acting on “rules-of-thumb” or assumptions that were valid at one time,
but may not be any longer. A new manager lacks the “institutional knowledge”
about which previous failures have caused the greatest damage. Another caveat is
that the business impact of a function changes over time. Companies compete in
an ever-shifting business environment. Yesterday’s cash cow may be today’s cash
drain. Yesterday’s cash drain may be today’s regulatory compliance requirement
and must be working smoothly to keep the government at arm’s length!
Unfortunately, few executives fully appreciate which of their functions are
truly critical. They draw on personal experience, but that is limited to the areas
with which they are familiar. They can ask their peers, but each person sees the
world through the narrow view of his or her own situation. The accounting
department will identify all of its functions as critical since it handles the money.
The materials management team will identify its functions as critical since the
company’s assets are reflected in a fragile collection of materials. The engineering
department will think it is the most critical since its technology holds the company’s
valuable intellectual property. To some extent, all of these are right!
To determine where the true benefits lie, conduct a detailed Business Impact
Analysis that breaks the business down by its major functions, and assigns value
to each function in terms of cash flow and regulatory obligations. Then the systems
that support these functions are identified and the functions rolled up. Based on
this data—based on these facts—an executive can more efficiently assign
resources for the greater benefit of the organization.
BUSINESS IMPACT ANALYSIS
A Business Impact Analysis (BIA) is an exploratory review of the important
functions that are essential for the operation of the business. This review is used
to quantify the value of each function to the business and to identify any risks to
the most valuable functions. It also suggests mitigation actions to reduce the
likelihood or impact of these risks. In the event of a disaster, the BIA indicates how
much is lost per hour or per day for the length of the outage. Many of these
functions are linked to an IT system that supports them (lose the IT system, and
that function can no longer continue).
A BIA is a snapshot of vital business functions at a given point in time. Any major
changes in the operation of the business will require an update to the BIA.
An organization’s critical functions depend on its primary mission. For a call
center, a BIA would focus on the key telecommunication services required to
service the callers. For a manufacturing firm, this might be the functions required
to make the end product. A bank might identify the various financial services
offered to its customers. An online store would value availability of its Web page,
speed of processing, and security of customer data. And of course each department
within the organization will have its own list of critical functions.
A BIA provides many benefits to an organization, many of which are valuable
beyond the scope of a business continuity project. These include:
➤ Quantifying the tangible and qualifying the intangible costs of the loss of a
critical function.
➤ Identifying the most critical functions to protect.
➤ Pinpointing the critical resources necessary for each function to operate, such
as people, equipment, software, etc.
➤ Determining the recovery time objective (RTO) of critical functions. The RTO
is the length of time that the organization can operate with a function disabled
before the effect of the loss of the function affects other functions.
➤ Identifying vital records and the impact of their loss.
➤ Prioritizing the use of scarce resources if multiple functions are affected at the
same time.
There are numerous ways that the loss of a function can have a negative
financial impact on the organization. The tangible financial costs of a disaster
can include:
➤ Direct loss of revenue because products cannot be shipped or services
not delivered.
➤ Increased waste from the spoilage of materials or finished goods.
➤ Penalties levied by customers for late shipments or lost services.
➤ Legal penalties for not conforming to government regulations or
reporting requirements.
Intangible costs due to the loss of a vital business function can be harder to
quantify, but are no less damaging. Intangible losses can include:
➤ Loss of customer goodwill.
➤ Reduced confidence in the marketplace that your organization is a
reliable supplier.
➤ Employee turnover caused by concern for the viability of the organization.
➤ Damaged image in the community if your disaster harms the local community.
➤ Loss of confidence in the organization’s executive management by
key stakeholders.
A well-executed BIA can provide much valuable information to executive
management about the organization’s vulnerabilities. This includes:
➤ The maximum acceptable outage (MAO) that the organization can suffer
before the organization will have difficulty meeting its objectives.
➤ The recovery time objective (RTO)—the amount of time that a function can
be unavailable before the organization is negatively impacted—for each
vital function. The cost of the recovery or mitigation solution selected will
typically rise as the RTO decreases. This is a major driver of your disaster
recovery plan.
➤ The recovery point objective (RPO) for each function that relies on data. The
RPO is the amount of data that can be lost without causing serious damage to
a function. The cost of the recovery or mitigation solution selected will typically
rise as the RPO decreases.
Managing a BIA Project
To be successful, a BIA must be run as its own project within your overall disaster
recovery project. The project must be supported financially and politically from
the highest levels of the organization. Every part of the organization will be
touched by a BIA; it is therefore important to appoint a senior executive as the
sponsor of the project. Many department heads may be reluctant to share sensitive
information about their department due to legitimate concerns about the use of
the information or because they are concerned that the information could be
used for political purposes. The sponsor’s role is to:
➤ Work with the Business Continuity Manager to select the project manager
(who could be the Business Continuity Manager).
➤ Approve the project budget.
➤ Communicate to every department the importance of its participation in
the BIA.
➤ Address any objections or questions raised about the BIA.
➤ Approve the BIA report for submission to the executive team.
A well-run BIA will build credibility for the overall disaster recovery planning
project; a poorly run BIA will make a disaster of your disaster recovery project. The
key to a successful BIA (as with any other project) is the selection of the right
project manager. For a BIA it is especially important, as the BIA will expose every
part of the organization to the light of day. The BIA project manager must be able
to moderate discussions among department heads about the true value of internal
functions. In many cases, there has been no formal examination of the functions
performed within each department, which may cause heated discussions about
the value of each department. In choosing a project manager, the executive
sponsor has two options:
1. Internal—An employee of the organization is appointed as the project manager.
The advantages of this approach are that this person already understands the
corporate structure, is familiar with the personalities involved, knows where
to find people, etc. This approach also builds internal expertise. A possible
disadvantage is that the project manager could be caught in the middle of any
political battles over the BIA, which could negatively impact the manager’s
career at the organization.
2. External—A person from outside the organization is brought in to lead the
project. The possible advantages are that this person does not have any
internal ties and loyalty is to the executive paying the bill. A potential problem
is that the organization’s business functions, finances, and problems will be
exposed to this third party.
The BIA project manager is responsible for developing a formal project plan,
which is critical for the success of the project. In a large organization, many people
have to be interviewed, many meetings need to be held, interim reports must be
prepared, and deliverables have to be created. A formal project plan is vital for
managing this process. The project plan will be used to manage the activities of
the BIA team, which typically consists of several business analysts.
BIA Data Collection
Once the BIA team is created, the next step is to begin the data collection process.
The goal of the BIA is to identify the most vital functions in the organization; just
what is vital will vary depending on whom you ask. An effective data collection
process will help quantify the value of each function in terms of its financial and
legal impacts. The level of success of the BIA is directly related to the quality of the
information collected. You cannot have a high-quality disaster recovery plan
without a foundation of accurate data about your vital business functions.
Your data collection plan must address what data to collect and from whom it
is to be collected. It may also be important to consider when to collect the data.
As this process takes people away from the important business of their departments,
it is critical that the data be collected only once. Time spent in careful development
of the questionnaire will save time later by only having to collect the data one
time. A data collection plan consists of the following steps:
1. Identify who will receive the questionnaire using an up-to-date organization
chart.
2. Develop the questionnaire to be used to collect the data from each department.
Many organizations will begin with a standard form which is then modified
for use.
3. Provide training to small groups (usually a department at a time) on how to
respond to the questionnaire.
4. Follow up with each department to ensure timely completion of the
questionnaire.
5. Review responses with respondents if the responses are not clear or
are incomplete.
6. Conduct review meetings with each department to discuss responses.
7. Compile and summarize the BIA data for review by the various levels of
the organization.
IDENTIFY RESPONDENTS
The first step in identifying who should receive the BIA questionnaire is to obtain
a current organizational chart. The organizational chart should identify the different
departments or business units within the organization and who their leaders are.
These leaders are made responsible for the completion of the questionnaire(s) for
their areas. Your executive sponsor must provide you with support in ensuring
their cooperation.
Each department first needs to identify the vital functions performed in its
area. A form such as Form 2-1, Department Function Identification Form (see the
CD-ROM), can be used to develop this list. A separate function is typically identified
if it has different resource requirements (e.g., IT systems or machines), staffing
roles, or service providers who perform other functions in the department. Each
department can have many business functions to report. Therefore, each
department numbers its forms according to how many functions it is reporting.
This reduces the chance of missing a questionnaire.
Consider including suppliers where their activities are critical to your business.
DEVELOP THE QUESTIONNAIRE
At this time, you should select a single department or business unit as a test case
for your questionnaire. This might be a department under the sponsor’s direct
control or one where the department head has voiced support for the project. This
test department can provide valuable feedback on the questionnaire, including its
instructions, the clarity of the questions, or if something is missing. Often what is
clear to the BIA team is obscure or has a different meaning to someone who is not
familiar with the subject.
Next, develop the questionnaire. Because the end result of the data
collection process is the creation of an aggregated report, it is important that
everyone responding to the questionnaire use important terms consistently. To
ensure consistency, create a glossary of terms as part of the questionnaire. A
glossary not only improves reporting consistency, but also speeds up
responses and makes it obvious when something new or unexpected is
encountered. The use of consistent terminology can also be enforced by using
an electronic form for the questionnaire (such as an Excel spreadsheet) with
checklists or dropdown lists that confine the answers to a predefined set of
answers or range of numbers. If you choose this approach, have an “Other”
option available for unexpected situations. Otherwise, the respondent may
stop filling out the questionnaire if such a question is encountered. By allowing
the choice of “Other,” you can go back later for clarification rather than have
the respondent hold the questionnaire until informed about how to respond to
a particular question.
A question can be answered in two ways: qualitatively and quantitatively.
Qualitative data represent attributes for which you cannot assign a numerical
value, such as color or gender. Quantitative data are represented by a numerical
value, such as length of time or dollars. Quantitative data can be aggregated,
averaged, etc., which makes it easier to analyze a series of responses. As much as
possible, make the answers to the BIA questions quantitative; some questions are
naturally quantitative, but others may need to be framed in such a way as to
require a quantitative response.
The BIA questionnaire begins with an identification block that indicates the
department and function to which the questionnaire applies (see Form 2-2,
Business Impact Analysis Questionnaire, as an example). The business function
name must be the one that it is most commonly known by within the organization.
When the final report is reviewed, executives will question high values for functions
that no one can recognize, so be sure to use the function’s common name. The
name in the function manager field will be used by the BIA team as the contact
person if there are any questions. The form should also include the name of the
person who completed the form and the date the form was completed.
The next series of questions on the example questionnaire are designed to get
a sense of the time-sensitive nature of the function: Does the function have to be
performed at a certain time? Can it operate at a reduced level for some period of
time? How long can it be unavailable before other functions are affected? It is also
important to know if this function depends on things outside the control of this
department, including a dependency on any particular technology. If yes, this
helps the IT department develop its specific plans and build the financial justification
for purchasing redundant equipment to reduce the likelihood or duration of an
outage. To ensure consistency among the answers, the IT department provides a
list of all applications on all platforms (desktop, server, mainframe, online). The
list is included in the instructions accompanying the form. Be sure to include both
the official name and the commonly used name (if one is better known).
Respondents can select from this list to minimize variation of system names. This
section also documents whether the function depends on outside suppliers.
The next section in the example questionnaire is a matrix that is used to
quantify important categories of impact (across the top) with a time scale (along
the vertical axis). It is the heart of the analysis and must be tuned to the local
requirements. Categories used in the example questionnaire are:
1. Cumulative Financial Loss (revenue lost plus costs incurred)—measured in
dollars. This might include:
a. lost revenues.
b. lost sales.
c. financial penalties.
d. wages paid for no work.
e. overtime wages paid to catch up.
f. spoiled materials and finished goods.
2. Legal Compliance Impact—Yes or No. For this and the following items, space
is provided later for an explanation.
3. Impact on Customer Confidence—Answers can be Low, Medium, or High.
4. Loss of Supplier Confidence—Answers can be Low, Medium, or High.
5. Damaged Public Image—Answers can be Low, Medium, or High.
Rate each of the impact categories according to its impact over time. For
example, what is the Cumulative Financial Loss for one hour of outage? Some
examples include:
Example #1
If the function is a busy online catalog, then a one-hour outage might have
a significant financial impact because buyers may look elsewhere for
goods. Loss of customer confidence and a damaged public image would
also come into play.
Example #2
If the function is the shipping department for a factory, then a one-hour
outage would mean that shipments would leave the dock late that day. A
four-hour outage might involve shipments arriving late to the customer.
Beyond four hours, late shipments would be widespread and, depending
on the purchasing stipulations, may be refused by the customer. There
may even be penalties for late deliveries. Also, at some point, the rest of
the factory is shut down since finished goods are piled up with nowhere
to go.
Example #3
If the payroll department was down for an hour, then the clerks can tidy
up around the office or even leave early for lunch, and the cost is minimal.
However, if the same payroll department was inoperable for a week, the
company may not have lost revenue but the employees definitely would
be angry. If the employees belonged to a union, they might walk off the job.
Other categories to consider adding to the questionnaire include:
➤ Shareholder Confidence.
➤ Loss of Financial Control.
➤ Employee Morale.
➤ Customer Service.
➤ Employee Resignations.
➤ Vendor Relations.
➤ Potential Liability.
➤ Competitive Advantage.
➤ Health Hazard.
➤ Additional Cost of Credit.
➤ Additional Cost of Advertising to Rebuild Company Image and Reliability.
➤ Cost to Acquire New Software and to Re-Create Databases.
➤ Damage to Brand Image.
➤ Potential Reduction in Value of Company Stock Shares.
The next section on the sample questionnaire is used to record any
documents or other vital records that are critical for the success of the function.
Departments that originate, use, or store vital business records must be identified.
This information can be used to develop protection plans for this data. It can also
identify documents that should be properly destroyed instead of stored on-site.
Next on the sample questionnaire is a section in which to document critical
non-IT devices that may be difficult or impossible to replace. This can spawn a
project to modify the function to eliminate these unique devices (and thereby
reduce the chance of a business function outage due to the failure of a
special machine).
The last question on the sample questionnaire offers the department an
opportunity to give a subjective rating of the importance of a specific function to
the overall functioning of the department. This information will be used in
conjunction with the financial impact data to help prioritize the functions to be
restored in the event of a disaster.
Once the questions have all been determined, develop a set of written
instructions to be distributed with the questionnaire. The instructions should
explain how every field on the form will be used and what the respondent should
fill in for each field. Ideally, include a telephone number for someone on the BIA
project team to quickly answer questions; the quicker you can resolve questions
the more likely the questionnaire will be completed.
COLLECT THE DATA
Once the questionnaire has been developed, you need to distribute it to the various
departments. An important first step is to meet with each of the department
leaders and help them to draft the list of vital business functions within their
domains. Use this list to provide a numbered stack of questionnaires. Assign a
number to each person the department leaders indicate should receive one. An
important management tool is a log of which form number went to which person.
This is used to verify that all of the forms are returned.
Next, coordinate a series of meetings with the various departments to review
the questionnaire and give people a chance to ask questions. While this will be
time consuming, it will speed up the process by helping to prevent the completion
of the questionnaire from getting sidetracked. Try to keep the groups smaller than
20 people. This provides opportunities to ask questions. During these meetings:
➤ Explain the purpose of the BIA and how it will help the company and their
department—sell the concept to them!
➤ Provide copies of the letter from the executive sponsor that supports this
project; this serves to reinforce the importance of this project.
➤ If possible, ask the executive sponsor to drop by the meetings for a brief word
of “encouragement.”
➤ Provide copies of the questionnaires, along with a printed explanation of what
each item means.
➤ Walk through every item in the questionnaire and provide examples of how
they might be filled in.
➤ Set a deadline (typically one week) for the questionnaire to be completed
and returned.
Check vacation and travel schedules to ensure that all respondents will be
available to complete the questionnaire. If not, make sure that an appropriate
substitute is identified.
For collecting data from departments with a limited number of functions and
highly paid employees (such as the legal department), it may be more time and
cost effective to have the BIA team interview critical members of the department
and fill out the questionnaires for them.
As questionnaires are returned to the BIA team, carefully track which teams
have returned their questionnaires. Visit any department you think might be less
than diligent in filling out the questionnaires. Make the visit a friendly reminder
of the deadline and use it as an opportunity to answer any questions or respond
to any problems with the questionnaire. As the deadline for each department
passes, visit each department that has not returned the questionnaires to see if
help is needed and to encourage them to complete the form. As the forms are
returned, be sure to check them for:
➤ Clarity. Ensure that you understand the answers.
➤ Completeness. Return any incomplete forms and ask if department members
need help in completing the questionnaire. If only a few items are missing, it
is likely that they simply did not understand them.
➤ Other. Review any items answered “Other” to see if one of the existing categories
may have been a fit or if a new category is needed.
Reporting the Results
Once all of the questionnaires have been returned, it is time to compile the
reports. The reports are organized into a hierarchy, starting with each
business function. Depending on the size of the organization, you might have
several layers between each function and the overall organization. A typical
organization will use the following levels for the BIA report:
1. Function
2. Workgroup
3. Department
4. Business Unit
5. Overall Organization
The example below shows a workgroup report for the A/R function within the
Accounting department. Each business function is listed along the left side, with
the time ranges used in the questionnaire across the top. Each column then shows
the impact if that function is unavailable for that amount of time.
Once the workgroup report is completed, you should meet with everyone who
responded to the questionnaire and their next level manager. A copy of the report
is provided to all participants, which is then reviewed with the group one line at a
time. The entire group then must reach a consensus about each line item. The BIA
analyst’s job is to remain nonjudgmental and to only guide the discussion. During
this process, the collective knowledge of the group is used to correct any errors,
point out any missing functions, and discuss options that may be available to
reduce potential losses.
Workgroup Report
Workgroup: Accounts Receivable

                      Cumulative Impact
Business Function     1 hour   4 hours   1 day     2 days    1 week     2 weeks
Generate invoices     $0       $5,000    $10,000   $20,000   $100,000   $250,000
Daily cash balance    $0       $0        $5,000    $15,000   $75,000    $200,000
Process checks        $0       $0        $0        $0        $10,000    $30,000
The amount of time a vital business function can tolerate downtime and at
what cost determines the disaster recovery strategy. The less tolerant a business
function is to an outage, the more expensive the disaster recovery strategy must
be and the more urgent it becomes that business continuity mitigation
is implemented.
Every line in the report should either be validated or updated. In this way, the
BIA report is the product of both the team and that workgroup’s management. The
entire discussion is important, because the workgroup’s management must
defend the workgroup’s consensus at the next level of data validation.
This process is then repeated at the next level. If the next level is a department,
then the impact of the loss of each workgroup that makes up the department is
reviewed by each workgroup manager along with the manager of the department.
As each team reviews its report, expect vigorous discussion about what is important
and the impact on the organization. For many managers this process is very
educational. Many are often surprised at the impact some functions really have
and how vulnerable they are to a loss of that function.
An important consequence of performing a BIA is to get the different departments
at least thinking about how their functions fit within the mission of the organization,
which makes improvements easier to identify.
CONCLUSION
After reading this chapter, you should now be able to determine which functions
are vital to the success of your organization, as well as the priority in which these
functions should be restored. Performing a BIA can be a tricky process politically,
as each department within an organization will naturally believe that its functions
are the most critical and may be hesitant to share details with someone outside of
the department. A successful BIA requires the following:
➤ Strong and vocal support from senior management.
➤ A capable project leader.
➤ A well-crafted questionnaire.
➤ Complete and honest answers from each department.
With a complete and accurate BIA in hand, you are now ready to begin
evaluating the actual risks to your organization’s vital functions and develop a
strategy for dealing with them.
C H A P T E R 1
GETTING STARTED
Overview of the Project
Nothing is impossible for the man
who doesn’t have to do it himself.
—A.H. Weiler
INTRODUCTION
The job of a business executive requires coordination of the many activities
necessary to create a successful business. Markets must be analyzed, potential
customers identified, strategies for creating and delivering products and services
must be developed, financial goals established and reported, legislative mandates
followed, and many different stakeholders satisfied. To ensure that all of these
objectives are met, businesses eventually develop a series of processes designed
to produce the desired result. But the world is a dangerous place. Earthquakes,
floods, tornadoes, pandemics, snow storms, fire, and other natural disasters can
strike at any time and interrupt these important processes. Terrorism, riots, arson,
sabotage, and other human-created disasters can also damage your business.
Accidents and equipment failures are guaranteed to happen. As an executive
responsible for the well-being of your organization, it is critical that you have a
plan in place to ensure that your business can continue its operations after such
a disaster and to protect vital operations, facilities, and assets.
You do this just like you do any other important task; you analyze the situation
and create a plan. A disaster recovery plan keeps you in business after a disaster
by helping to minimize the damage and allowing your organization to recover as
quickly as possible. While you can’t prevent every disaster, you can with proper
planning mitigate the damage and get back to work quickly and efficiently. The
key is having a well thought out and up-to-date disaster recovery plan. This
chapter will lead you through the creation and implementation of a project plan
for creating an effective disaster recovery plan.
THE DISASTER RECOVERY PLAN PROJECT
Building a disaster recovery or business continuity plan is much like any other
business project. A formal project management process is necessary to coordinate
the various players and company disciplines required to successfully deliver the
desired results of the project. This chapter will give you a high-level roadmap of
what you should expect as you prepare to lead or manage a disaster recovery
project. A sample project plan is included on the CD-ROM accompanying this
book. Adapt this chapter and the project plan to fit your business goals, company
timeline, and scope of project.
Most projects tend to run in a well-defined sequence. For example, to build a
new house, first you clear the land, then build the foundation, then build a floor,
and so on. Many things cannot begin until the previous step is completed. A
business continuity plan (BCP) project is a bit different. In its early stages, most
actions logically follow each other. However, once the basic elements are in place,
the project bursts out on to parallel tracks, as each department documents its own
area. How you proceed in your company is, of course, determined by your corporate
culture, the resources you have to work with to complete the process, and the level
of visible support from the project’s sponsor. Most business continuity projects
follow these steps:
1. An executive within the organization decides that a business continuity plan
is needed. This might be due to an auditor’s report or the result of a business
disruption that was more painful than it would have been if a plan had been
in place. Or it could be that an alert employee realized that a good plan did not
exist and brought this to the executive’s attention. This executive normally
becomes the sponsor for the project.
2. The first (and most important) step that the sponsor takes is to select someone
to lead the project. This person is most often called the Business Continuity
Manager and is responsible for the successful completion of the project.
3. The project sponsor and the Business Continuity Manager meet to clearly
define the scope of the project, the project timeline, and expectations. The
Business Continuity Manager must be comfortable that the resources available
are adequate to meet all the objectives of the project.
4. The Business Continuity Manager selects the team that will work together to
complete the project. Both technical and political considerations are important
in selecting a team that can successfully develop a workable business
continuity plan.
5. The Business Continuity Manager together with the team now develops the
project plan to be used in managing the project. Tasks are identified and
assigned, task durations calculated, and activities are sequenced as the project
plans are developed.
6. The project plans are executed. The Business Continuity Manager oversees
the project as the plan unfolds, keeping everyone focused on completing their
tasks, and ensuring that milestones are met and that important stakeholders
are kept informed as to the project’s progress. It is here where the actual
continuity plans for the organization are created.
7. Once the business continuity plans have been developed and tested, the
Business Continuity Manager closes the project by making sure that everything
was documented properly and handing the project results over to the
individual(s) responsible for keeping the plan up to date. Each affected
department will normally have someone responsible for keeping their portion
of the plan current. A report is also generated for the sponsor recapping the
project and documenting lessons learned.
In many organizations, the job of Business Continuity Manager is not taken as
seriously as it should be. Management in these organizations only wants you to
write something, anything to make the auditors go away. That’s OK because as
you build the plan, and as they begin to see the benefits, their interest and support
will grow.
A project plan organizes the team so members focus their skills on specific
actions to get the job done. This respects their time and brings the project to a
prompt, but successful, solution.
INITIATING THE PROJECT
Every project starts with a sponsor. A sponsor should be a person with enough
organizational influence to give the project credibility, financing, and strategic
direction. The sponsor should also be in a position to ensure the willing cooperation
of other departments and to ensure that the project is adequately funded.
Building a business continuity plan in many cases involves changing people’s
attitudes and some of their tried-and-true business processes. Business continuity
planning is a logical step toward mistake-proofing a business. So, to suppress the
reluctance to change or even participate in the project, it is important for the
sponsor to be of sufficient stature as to overcome objections before they are raised.
Ideally, the sponsor is the company’s CEO, or the Vice President in charge of
the local facility. However, sometimes it is a department manager who realizes
that something must be done. Whoever assumes this role must remain involved
with the project throughout its lifetime. As the sponsor’s interest fades, so will the
interest of your team. Find out why they want to sponsor the project. It will tell you
how much support to expect.
In some cases, the sponsor honestly believes the project is a good idea and is
personally interested in seeing it is completed. In other cases, the sponsor may
have been required to start this project due to an auditor’s citation of a poor
business practice. In this situation, the sponsor may only want the minimum
recovery plan to satisfy the audit citation. Spend some time early in the project
digging out what is motivating support for this project. By understanding what
motivates the sponsor, you can gauge how much time and money will be available
to you. It is also possible for you to educate the sponsor on the many advantages
in having a well-written company-wide plan.
The sponsor’s first task is the selection of the Business Continuity Manager,
who will act as the project manager. In most companies, the cynics say that if you
raised the issue, then the job is yours! This isn’t a bad way to assign projects
because only the people who believe in something would raise the issues. Still, the
selection of the right Business Continuity Manager will help make this project a
success and the wrong one will make success much more difficult to attain.
The sponsor has the additional duties of approving the plan’s objectives,
scope, and assumptions. The sponsor must also obtain approval for funding.
THE BUSINESS CONTINUITY MANAGER
The selection of the person to spearhead this project is the single most important
part of building a plan. The Business Continuity Manager should be someone who
can gain the willing cooperation of team members and their supervisors. To help
ensure the support of everyone in the organization, the Business Continuity
Manager should be publicly assigned to this task with the sponsor’s unqualified
support. This is essential to overcome internal politics and to let everyone know
that their assistance is important and required. As the project moves forward,
regular public displays of support are required if the project is to result in a complete
and usable plan. Form 1-1 on the CD-ROM is an example of a letter appointing the
Business Continuity Manager.
Some sponsors begin a business continuity project by hiring an outside
consultant to build the plan. This can be a good way to get the project started and
to mentor someone in the organization to assume the Business Continuity
Manager position. Generally speaking, it takes more effort and expertise to
organize and develop the plan than it does to administer it. As the plan is built, the
consultant can teach the Business Continuity Manager the ropes.
Understand that even though the consultant is guiding the project, the
consultant should not assume the role of Business Continuity Manager. Every
company, every facility, every computer site is unique. The actions necessary to
promptly restore service are the result of the key people at each site writing down
what to do and how to do it. Outside consultants can provide considerable insight
into the basic services (electrical, telephone, water, data processing), but lack in-
depth experience at your company. They don’t know your business processes.
They don’t understand the pulse of your business and what its key elements are.
Building a solid plan will take a lot of time. An experienced consultant working
with an internal Business Continuity Manager can help move the project along
quicker. The Business Continuity Manager is also the logical candidate to become
the plan’s ongoing administrator once the initial project is completed. This person
will be responsible for keeping the plan relevant and current. Writing a plan and
then filing it away is a waste of money. Whoever builds the plan will be intimately
familiar with it. That person can easily continue responsibility for maintaining it
and teaching others how to keep their portion of it current. Using an outside
consultant as a Business Continuity Manager raises the possibility that no one has
internal ownership to ensure it is updated and tested periodically. The plan must
be kept up to date if it is to be useful when it is needed most.
As the plan administrator, the Business Continuity Manager will ensure that
as new equipment enters the building, as new products are rolled out, and as new
business processes are implemented, they are reflected in the business continuity
plan. The Business Continuity Manager also schedules and evaluates the ongoing
testing of the plan by department, or by a specific threat, such as the loss of
electrical power, to ensure it works. Once the plan is written, the Business
Continuity Manager’s role will evolve into ensuring the plan is an integral part of
the company’s ongoing operations. No new company process or piece of equipment
should begin operation until the mitigation and recovery plans have been tested
and approved.
SCOPE OF THE PROJECT
One of the first tasks the Business Continuity Manager must perform is to come
to an agreement with the project sponsor as to the scope of the project. The scope
of the project defines its boundaries. It identifies what is included in the project
and what is not. If the project is too vast, it will probably fail. If it is too small, then
it would be best assigned to a single person like any other office detail. The scope
of the project must be given a lot of thought. If in doubt, start with a narrow focus
on a specific department or function to demonstrate the plan’s value and build up
from there. One guideline commonly used is any event that would cost (in lost
wages, sales, etc.) more than 5% of your quarterly revenues merits its own plan. So
if a temporary outage of a critical machine stops the entire factory, then it needs
a plan. If the same machine stoppage means that three extra workers must drill
holes with hand tools until the machine is repaired, then it probably does not
need a plan.
A good way to approach the plan is to address areas that everyone uses, such
as security, data processing, electrical, etc. Don’t try to tackle too much, too fast.
Start with building services, then security and safety, then data processing, etc.
In this way, if the project is killed, you still have some useful documents.
If your recovery plans will encompass many sites, or a large complex, then
start with a pilot project for a single building, a business function, or even for your
Data Processing department. This will build your team’s expertise and confidence,
resulting in a very useful document, and demonstrate real value to top management.
The scope of the project will drive the resource requirements for the project in
terms of how many people it will involve, how long it will take, and the budget
required to complete it.
The project scope must be a written statement. Here are three examples with
gradually narrowing requirements. As you read these scope statements, imagine
what sort of implied tasks these statements carry (or as they say, “The devil is in
the details!”). Follow up on the scope statement by clarifying the timelines, criteria
for success, and overall expectations for this project. Otherwise, you would be
digging up information and writing forever.
Example #1
If you were in a factory’s Data Processing department, your scope statement
might be:
“Develop, implement, and provide ongoing testing for a business continuity
plan for the factory’s automated systems to include the computer rooms, the
internal and external telephone system, the shop floor control systems, and
data connections to both internal and external sites. This plan will provide
specific action steps to be taken up to and including emergency replacement
of the entire computer and telecommunications rooms.”
Note that this statement does not include the factory machines (drill presses,
mills, conveyors, etc.) or the front offices. It is focused on the telephone system
and the internal data processing processes.
Example #2
If you were the Director for Building Security, your scope might be:
“Write an emergency contingency plan to address the possibility of fire,
personal injury, toxic material spill, and structural collapse. Include
escalation procedures, emergency telephone numbers, employee education,
and specific emergency actions. Make recommendations concerning
potential mitigation actions to take before a disaster strikes. Ensure the
plan conforms to all legal, regulatory, and insurance requirements.”
The project scope described in this statement does not include flood controls,
security actions, etc. Although some security tasks may be implied, very little is
called for.
Example #3
An even narrower approach might be:
“Document all the payroll procedures and recovery processes to ensure that
paychecks are always on time and that the automated vacation balance
tracking system is available even during an electrical outage.”
Note that this scope statement does not include time clocks, exception
reporting, or interfaces with your accounting system.
Most people do not have any idea of what a disaster plan would look like. They
imagine some large book just sitting on the shelf. In this situation, you could
demonstrate the usefulness of the plan by building it a piece at a time. You might
build the part that covers the core utilities for a facility (electricity, gas,
telecommunications, water, and heating and air conditioning). As you review
with the sponsor how these essential services will be recovered after a disaster, the
sponsor will begin to see the usefulness of your work. If your company has multiple
sites, it might work better for you to build the plan one site at a time.
Timelines, Major Milestones, and Expectations
The output of a scope statement is a list of goals for the project. These are
specific results against which the success of the project will be judged. Detail any
expectations as to a completion date or major milestone dates. If this project is in
response to an internal audit item, then the due date might be when the auditor
is scheduled to return. If the Board of Directors required this to be done, then
progress reports might be due at every directors meeting. Ensure all key dates are
identified and explain why they were selected.
The term “expectations” can also be described as the criteria for success. Be
clear in what you are asking for. A business continuity plan should only include
critical processes. A critical process is usually defined as a process whose
interruption would cause a material financial and operational impact over some
period of time that you define (5% or greater of quarterly revenues is standard).
You can’t plan for what to do down to the front door being stuck open. That level
of detail would be too difficult to maintain. Focus on the critical business functions
and the processes that support them. Your long-run goal is that the business
continuity planning process will become an integral part of how business will be
conducted in the future.
Some example criteria for success include:
➤ Every department’s continuity plan must provide for employee and visitor
safety by detailing to them any dangers associated with this device or type of
technology.
➤ Each department’s continuity plan must be understandable to anyone familiar
with that type of equipment or technology.
Copyright © 2011. AMACOM. All rights reserved. May not be reproduced in any form without permission from the publisher, except fair uses permitted under U.S. or applicable copyright law.
EBSCO : eBook Collection (EBSCOhost) – printed on 1/4/2018 10:52 AM via AMERICAN PUBLIC UNIV SYSTEM
AN: 349248 ; Wallace, Michael, Webber, Larry.; The Disaster Recovery Handbook : A Step-by-Step Plan to
Ensure Business Continuity and Protect Vital Operations, Facilities, and Assets
➤ A business continuity plan will be submitted for every critical piece of
equipment or critical process in the facility.
➤ At the end of the project, the Business Continuity Manager will submit a list of
known weaknesses in the processes or equipment along with long-term
recommendations to address them.
➤ All continuity plans will be tested by someone other than the plan’s author
and certified by the department manager as suitable for the purpose.
➤ This project shall commence on June 1 and be completed by December 31. By
that time, all plans must be complete, tested and approved by the
department managers.
In terms of a timeline, the length of your project will depend on how supportive
the team members are of this effort, how complex your operations are, and how
detailed your plan must be. Generally, these projects have an initiation phase and
then the various departments break off and work in parallel to write their respective
plans. During this phase, they also perform initial testing of the plan. At the end,
all the plans are compared and modified so as to avoid duplicate mitigation
actions and to ensure one person’s mitigation step doesn’t cause problems for
someone else. The capstone event is the system-wide disaster test.
As a general guideline, most plans can be completed in about 6 months,
depending on the project’s scope, the degree of management support, the number
of locations to be included in the plan, and the amount of resources available.
One month is spent on the start-up administration and training. About 3 months
are needed to draft and test the departmental plans. Be sure to stay on top of these
people so they don’t forget about their plans! The final synchronization and testing
should take an additional 2 months. However, as your team members are probably
assigned to this project part time, their level of participation will vary according to
their availability. The Business Continuity Manager must be flexible but, in the
end, is responsible for driving the project to its completion.
ADEQUATE FUNDING
One of the indicators of the seriousness of a project is the presence of a separate
budget item to support its activities. It is the Business Continuity Manager’s
responsibility to track the funds spent on the project and to demonstrate the
benefit they provided. If a separate budget is not available, then clear guidelines
on a spending ceiling for the project must be set.
Some of the items to include in the project budget are:
➤ The Business Continuity Manager and key team members should attend formal
business continuity planning training to obtain a thorough grounding in its
principles. This speeds the project along and removes some of the guesswork
of building a plan.
➤ You may need to pay a consultant to advise the project and mentor the
Business Continuity Manager as the plan is being developed.
➤ Sometimes the folks with the most knowledge about your processes are not
available during normal working hours. For these people, you may need to
schedule meetings on weekends or offsite to gain their full attention. This may
incur overtime expense or the cost of a consultant to backfill the person while
they work on the plan.
➤ Temporary help might be needed for administrative assistance, such as
documenting the wiring of your data networks, transcribing notes for those
without the time or inclination to type, conducting an asset inventory, etc.
➤ It is amazing what a few pastries brought into a meeting can do for attendance.
➤ It is a good practice to build team spirit for the project to carry you over the
rough times. This might be shirts, hats, special dinners, performance bonuses,
and many other things to build team cohesion. Visible recognition helps to
maintain the team’s enthusiasm.
Visible Ongoing Support
If the goal of this project was to determine which employees deserved to have
their pay doubled, you would be inundated with folks clamoring to join your
team. Unfortunately, an assignment to a business continuity planning team may
not be considered a high-profile assignment. This could discourage the enthusiastic
support of the very people you need to make this project a success. To minimize
this possibility, the visible, vocal, and ongoing support of the sponsor is
very important.
Once the sponsor and the Business Continuity Manager have agreed on the
scope, the sponsor should issue a formal memo appointing the Business
Continuity Manager in a letter to the entire organization. This letter should inform
all departments of the initiation of the project and who has been appointed to
lead it. It should also describe the project’s scope, its budget or budget guidelines,
and major milestones and timelines, as well as alert the other departments that
they may be called upon to join the project and build their own recovery plans.
This memo will detail who, what, where, when, why, and how the project will
unfold. The closing paragraph should include a call for their assistance in ensuring
the project will be a success.
The sponsor should provide periodic updates to senior management on the
progress of this project, which should include milestones met and problems that
need to be overcome. Regular visibility to senior management can go a long way
toward the continued support of each department with which you’ll be working.
SELECTING A TEAM
Once the sponsor and the coordinator have defined the scope of the project, the
next step is to create a team. As you begin the project and start selecting your
team, be ready for a chorus of resistance. Some departments will be indignant
about being forced to join this project since they already have a plan (it’s just no
one can find it). Even if they have a plan, it does not mean that it is a good plan,
or it may have interdependences with other areas and needs to be linked to other
plans. Some will already have a plan being developed, but under scrutiny you see
it has been under development for the last 10 years.
So, with the naysayers in tow, prepare to select your team. In the case of
existing, workable plans, ask that a liaison be appointed. For the plans under
development, ask that you be able to enfranchise these hard-working people. As
for any parsimonious financial people trying to kill your project’s training request,
ask the sponsor to override objections and allow the team to attend training on
the latest business continuity best practices.
Identify the Stakeholders
As you form your team, take time to identify the project’s stakeholders. A
stakeholder is anyone who has a direct or indirect interest in the project. Most
stakeholders just want to know what is going on with the project. Stakeholders
need to be kept regularly informed about the project’s progress or problems with
which they need to assist.
For all stakeholders, identify their goals and motivation for this project. Based
on this list, you will determine what to communicate to them, how often, and by
which medium. Some stakeholders’ interests are satisfied by a monthly recap
report. Some will want to hear about every minor detail. Form 1-2 (see CD) is a
Stakeholder Assessment Map. Use it to keep track of what the key stakeholders are
after in this project so you do not lose sight of their goals. The strategy is an
acknowledgment that you may need to apply some sort of specific attention to a
particular person to keep them supporting this important project.
Form the Team
The size and makeup of your team depends on how you will roll out the project.
In the very beginning, it is best to start with a small team. Always respect people’s
time. Don’t bring anyone into the project before they are needed. The initial team
lays the groundwork for the project by arranging for instructors, coordinating
training on building disaster plans, helping to sharpen the focus of what each
plan should contain, etc.
The core team should consist of the sponsor, the Business Continuity
Manager, an Assistant Business Continuity Manager, and an administrative
assistant. This group will prepare standards, training, and processes to make the
project flow smoother.
Several other key people will eventually need to join the team. You may want
to bring them in early or as they are needed. This may include people such as:
➤ Building maintenance or facilities manager. They can answer what mitigation
steps are already in place for the structure, fire suppression, electrical service,
environmental controls, and other essential services.
➤ Facility safety and security. They should already have parts of a disaster plan
in terms of fire, safety, limited building and room access, theft prevention, and
a host of other issues. If these plans are adequate, this may save you from
writing this part of the plan. Be sure to verify that these plans are up to date
and of an acceptable quality.
➤ Labor union representative. In union shops, the support of the union makes
everyone’s job easier. Show leadership how a carefully created plan will help
keep their members working and they will be very helpful.
➤ Human resources. The HR people have ready access to up-to-date information
about the individuals who are important to the plan.
➤ Line management. These individuals tend to know the most about what is
critical for getting the work done in their areas of responsibility.
➤ Community relations. A disaster may affect more than just your operations.
You may need help from the surrounding community while recovering from
a disaster.
➤ Public information officer. This is your voice to the outside world. The role is
critical in getting accurate information out to customers and vendors when
dealing with a disaster.
➤ Sales and marketing. These people know your customers the best and can
provide insight on what level of service is required before customers begin to
fade away.
➤ Finance and purchasing. These people know your vendors the best and can
provide insight on what kind of support you can expect from vendors while
recovering from a disaster.
➤ Legal. You need more than just common sense when taking action during an
emergency. Your legal team can provide important insight on the legal
ramifications of activities performed in response to an emergency.
The next step is to make a few tool standardization decisions. The company’s
technical support staff usually makes these for you. Announce to the group the
standard word processing program, spreadsheet, and, most importantly, the
project management software everyone will need on their workstations. Most
people have the first two, but few will have the project management software
already loaded. Be sure that as people join the team, copies of the software are
loaded onto their workstations and training is made available on how to use
this tool.
You will get the best results by investing some time training team members on
how to write their portion of the plan and providing administrative help if they
have a lot of paperwork to write up (such as network wiring plans). Every person
reacts differently to a new situation and being assigned to this team is no exception.
If you will take the time to assemble a standard format for the plan and a process
to follow to write it, then people will be a lot more comfortable being on the team.
A project of this type will generate a lot of paper. If possible, the accumulation
of the various plans, wiring diagrams, manuals, etc. should be shifted from the
Business Continuity Manager to an administrative assistant. An administrative
assistant will also free the Business Continuity Manager from coordinating team
meetings, tracking the project costs, etc. Although these tasks are clerical in
nature, this person may also be the Assistant Business Continuity Manager.
Another value of appointing an Assistant Business Continuity Manager is that it
provides a contingency back-up person in case something happens to the
Business Continuity Manager, as they will quickly learn about all aspects of the plan.
Once you are ready to roll out the project plan to the world, you will need to
pull in representatives from the various departments involved. When tasking the
department managers to assign someone, ensure they understand that they are
still responsible for having a good plan so that they send the proper person to
work on the team. This person need not know every aspect of their department,
but they should understand its organization, its critical hardware and software
tools, and its major workflows.
Depending on the project’s scope, you might end up with someone from every
department in the company. This would result in too many people to motivate
and keep focused at one time. Break the project down into manageable units.
Start with an area you are most familiar with or that needs the most work.
Involving too many people in the beginning will result in chaos. Plan on inviting
in departments as you begin to review their area. An example is fire safety.
Although it touches all departments, it is primarily a Safety/Security
department function.
Given all this, just what skills make someone a good team member? An
essential skill is knowledge of the department’s processes. This allows the team
member to write from personal knowledge and experience instead of spending a
lot of time researching every point in the plan. Members should also know where
to find the details about their departments that they don’t personally know.
Another useful skill is experience with previous disasters. Even the normal problems
that arise in business are useful in pointing out problem areas or documenting
what has fixed a problem in the past. And of course, if they are to write a plan, they
need good communications skills.
Department managers should appoint a representative to the business
continuity planning project team by way of a formal announcement. However,
the Business Continuity Manager must approve all team members. If someone
with unsuitable qualifications is sent to represent a department, they should be
sent back to that manager with a request to appoint someone who is more
knowledgeable about that department’s processes. When rejecting someone from
the team, be sure to inform your sponsor and the originating manager as to why
that person is unsuitable.
The people on the initial project team are the logical ones to spread the good
word of business continuity planning back to their departments. Time spent
educating them on the continuity planning principles and benefits will pay off for
the company in the long run. They can also learn more about the company by
proofreading the plans submitted by the other departments. This has an
additional benefit of broadening the company perspective of a number of
employees. Use Form 1-3 (see CD) to map out the responsibilities of each
member of the team.
Rolling Out the Project to the Team
Team meetings are an opportunity to bring everyone together so they all hear the
same thing at the same time. This is when you make announcements of general
interest to everyone. It is also a good time to hear the problems that the team has
been encountering and, if time permits, to solicit advice from the other team
members on how to approach the issue. A properly managed meeting will keep
the team members focused on the project and the project moving forward.
In the beginning, conduct a project rollout meeting with an overview of why
this project is important and an explanation of what you are looking for. This is
your most critical team-building meeting (you never get a second chance to make
a good first impression). In most meetings, you will work to bring out from the
people their thoughts and impressions on the project. But at the first meeting, be
prepared to do most of the talking. Lay out the roles of each player and set their
expectations about participation in the project. Information makes the situation
less uncertain and the people can begin to relax. This is your first big chance to
teach, cheerlead, and inspire your team! Sell your project to them!
The team members should leave the meeting with a clear idea that this
project is of manageable size—not a never-ending spiral of work. Use this
meeting and every meeting to informally teach them a bit about business
continuity planning.
As the project progresses, you will be surprised how hard it is to get business
continuity information out of people. Some people are worried that others will
use it to dabble with their systems. Some folks just don’t know what they would do
in a disaster and intend to ad lib when something happens, just like they always
have. Have patience, ask leading questions, and get them to talk. When they have
declared their plan complete (and you know it is only a partial plan), conduct a
meeting with the team member, their manager, and the sponsor to review the
plan. Step through it item by item. By the time that meeting is over, team members
will realize that they will be accountable for the quality of their plans.
PLANNING THE PROJECT
Refer to the sample plans included on the CD-ROM for ideas to include in your
plan. Any plan that you use must be tailored to your site and management climate.
Always keep your plan in a software tool like Microsoft Project. Such programs will
recalculate the project’s estimated completion date as you note which tasks are
complete. It can also be used to identify overallocated resources.
OK, now it is time to build the project plan. This is best done with input from
your team. There are four basic processes to building your plan: identifying the
activities, estimating how long each task will take, deciding who should do what
(or what skills this person should have), and then sequencing the tasks into a
logical flow of work. The general term for this is a work breakdown schedule,
which describes it quite nicely.
Identifying the Activities
What must be done? Your core project team members can be a great help here by
identifying the steps they see as necessary to complete this project. Although
some tasks will logically seem to follow others, the focus here is to identify what
needs to be done. How deeply you “slice and dice” each task is up to you. Unless
it is a critical activity, you should rarely list any task that requires less than 8 hours
of work (1 day). The times in the sample plan are calendar time, not how long the
task will actually take. This is because your team members may only work on this
project part time.
Write a brief paragraph describing each task. This will be very useful in
estimating the time required to complete it. It also keeps the task’s scope from
spiraling out of control. You may understand what you mean for a task, but
remember, someone else will probably execute the task, so an explanation will be
very useful.
Always document your planning assumptions. When discussing the plan with
others later, this explanation of what you were thinking at the time the plan was
drafted will be very useful. By listing your assumptions, you can discuss them
point by point with the team and your sponsor to avoid areas that the plan should
not address and to identify why a specific course of action was followed.
Along with the assumptions, list all the known constraints for the project. This
might be a specific due date to meet a business or legal obligation; it might be
project funding issues or even a limit on the number of people available to be on
the team. A major benefit of listing your project constraints is that upon examination
they may be less than you think or can be used to prevent the scope of the project
from expanding.
Determining Activity Durations
Once the tasks are laid out, estimate how much time should be set aside for each
task to be completed. Creating reasonable time estimates for someone else is
tough. You may think you know what needs to be done, but you could underestimate
the true work required. Also, not everyone has your strengths—or weaknesses.
Therefore, the estimates you assign at this stage are a starting point.
When a task is assigned to a team member, take the time to discuss with them
what each task involves and see how long they think it will require. Be sure that they
understand what each task entails so they can estimate accordingly. Update the plan
with their estimated task durations and start dates. It is unfair to the team members
to drop a task on them and demand a date without any further explanation.
Once you negotiate the duration of a task with someone, encourage them to
stick with it. Other people further along in the project may be depending on this
task to be completed before they can start.
Who Should Do It?
Some tasks are easy to assign. If the task is to validate the key locker security, it will
go to the security manager. If that person chooses to delegate it to someone else,
then it is still his or her responsibility to ensure the task is properly completed on
time. Some tasks will be more general in nature and need to be spread around the
team fairly. If a task is not needed, don’t hesitate to delete it. If it is necessary, don’t
hesitate to assign it!
This is a good time to identify any gaps in your available labor. If you see a
large time commitment for the Data Network Manager and little likelihood that
team members will be available to do the assigned work, you might generate a
task to bring in some temporary help to assist them. Other time issues may be on
the horizon. For example, if you need to involve the Accounting Controller, and
the project will run over the calendar time for closing the fiscal year accounts,
then you would schedule their project participation to avoid this time period.
Sequencing the Activities
Now, put all the tasks in some sort of order. In this type of project, the beginning
of the project is somewhat sequential. Later, many tasks will run in parallel when
the various groups break off to write their respective plans. Select an estimated
start date, and place some dates on your plan. With the plan held up against a
calendar, check to see if any tasks need to be resequenced or if they conflict with
some other critical company activity.
If your task contingencies are in place, the project management software will
fill in the plan dates for you. If, when you save the plan, you select the option to
save without a baseline, you can easily change the start date later.
Next, you should level your resources so one person isn’t asked to complete
more than 8 hours of work in 1 day. This occurs when people are assigned too
many tasks that are running simultaneously.
Plan Risk Assessment
So now that you have a rough plan, with time estimates and in some sort of a
logical flow, it is time to scrutinize the plan for problems. Are there any labor
resources overobligated? Look at each task area. What is the risk that an item won’t
be completed on time? Yes, there is always a risk that a key person won’t be available.
List any other underlying issues.
Most projects share the same basic risks to their success. In addition, each
project has its own risks unique to what you are trying to accomplish and to your
environment. Common project plan risks include:
➤ The amount of experience the Business Continuity Manager has in leading
this type of project. Less experience adds risk to the project. Extensive experience
makes for lower risk.
➤ The level of management support for the project. If you have low management
support, you will have high project risk, and vice versa.
➤ Adequate funding to complete the project with a top-quality result. Don’t let
needed training, support activities, or mitigation actions be cut from the budget.
➤ How many locations will this project involve at one time? The more locations
that are involved, the greater the project’s risk of failure. If possible, run a
separate project for each site and do not attempt to do them all at the same time.
➤ The number of departments involved with the project at one time. Like trying
to work across too many sites, trying to handle too many departments will
fragment the Business Continuity Manager’s time and increase the likelihood
of failure. Consider tackling fewer departments at one time.
➤ The frequency and length of business interruptions to the project. This could
be an upcoming ISO audit, it could be a quarterly wall-to-wall inventory, it
might even be the end of the fiscal year, etc. The more interruptions to the
project’s flow you can foresee, the higher the risk of failure.
➤ The time required to complete your business continuity plans will depend on
the knowledge and quality of the people assigned by the various departments.
Typically, the Data Processing department has the most to write and will take
the longest.
➤ A mandated completion date may not be realistic.
EXECUTING AND CONTROLLING
Now you have your sponsor, your budget, your plan, and a core team assigned. It
is time to get your project underway! A Business Continuity Manager must be the
inspiring force behind the project. At those times when everyone is piling work on
your team members’ desks, you must be the driving force in keeping this job as a
priority project until it is finished.
As the project progresses, you will make decisions as to what is included in
your project charter and what is not. This “scope verification” may mean that as
the project progresses, you discover that it must involve specific actions that were
not foreseen when the project was started. It may also involve the “nice-to-have”
things that pop up as a project moves on. In either case, recognize these things as
they occur and make a conscious decision to accept or reject them. Do not let
anyone else add tasks to the plan without your approval or your tightly planned
project will turn into an untamed monster!
Communications Plan
Every person within your organization has different information needs and preferred
channels for receiving that information. The sponsor shouldn’t be burdened with
minute details; the department managers should be responsible for tracking what
their people are doing. To provide the right level of information to the right person
at the appropriate time, you need to build a communications plan. The more
people involved with your project, the greater your need for communication.
A communications plan details who needs to report about what, and when.
For example, who should receive project status reports? Who needs copies of the
team meeting minutes? Who needs to know about minor project delays, etc.? To
manage this, build a matrix that accounts for the information needs of all
stakeholders. Your communications plan will address a wide range of audiences.
Be sure to identify the person responsible for generating the communication and
its major focus.
Evaluate every report and every meeting in your communications plan as to
whether it will be worth the effort to prepare for it. Some reports may require
more effort than they are worth. Some meetings are just a waste of time. Effective
communication is important for focusing a team to a goal, but you must strike a
balance between enough communication and the time wasted generating too
much. Use Form 1-4 (see CD) to plan who is responsible for what communications.
The communications plan will encompass more than memos floating around
the office. It should include meetings with your team, meetings with your sponsor,
and presentations to the various departments. Another important communications
task is to raise the awareness of the employees of your project and how it impacts
them. Posters, newsletter articles, and open meetings all serve to answer their
questions and are useful for instilling a business continuity culture in your company.
The information that you need to communicate falls into three main categories:
1. Mandatory communications are things that must be done, such as status
reports to the sponsor, meeting minutes to the team members, etc. Skipping
a mandatory communication may affect your project’s support or credibility.
2. Informational communications include reports to the interested and curious.
Many people will see the plan under development and believe that it directly
or indirectly will involve them. Your informational communications will pass
on project accomplishments, testing schedules, and things that may not
directly affect them, but they would want to know about. Informational
communications can help to shape expectations, so interested people can
better understand what is next instead of being surprised or disappointed.
3. Similar to informational communications is marketing communications.
Here you are out to build a positive image of your project to the rest of the
company. Your marketing communications will help to educate the company
as a whole on the business continuity planning principles (risk analysis,
mitigation, documentation, etc.) and how they can relate to their own work
processes. One effective method is to give a presentation on business recovery
planning to each of the various department staffs. The more they understand
it, the greater your support is across the company.
Form 1-5 (see CD) is a sample stakeholder reporting matrix. Modify it to
reflect your project team and business requirements. In this matrix, you will
identify which persons might only want to see monthly status reports with
summary comments, such as the sponsor. Who might need a weekly status report
with specific accomplishments, such as the department managers? Who might
want short stories on accomplishments, such as the facility’s employee newsletter?
The stakeholder reporting matrix also indicates the best way to deliver these
reports. Do some of your executives ignore their e-mail? Do some require
face-to-face reports? Indicate the method of delivery to which they would be most receptive.
Reporting Using the Communications Plan
As the project progresses, you should occasionally revisit the project’s risk
assessment. Things change; people come and go on a project; and what was once
a looming challenge may at closer glance appear to be nothing at all. In addition,
business conditions are in constant flux and that must also be figured into the
update of your risk analysis.
Controlling is the process used to identify variation from the plan in the
areas of:
➤ Change control.
➤ Scope control.
➤ Cost control.
➤ Quality control.
➤ Performance reporting.
➤ Risk response.
Your best tool for focusing the team on its goals will be a weekly team meeting.
There are many fine books dealing with the proper way to conduct a meeting, but
a few basics follow:
➤ First, always publish an agenda before the meeting. It acts as an anchor to
keep people from drifting too far off the subject.
➤ Second, keep the meeting pertinent. Focus on recent achievements over the
past 2 weeks and upcoming events of the next 2 weeks.
➤ Third, keep it under an hour. People lose focus the longer a meeting drones
on. Side conversations should be stopped and taken outside the meeting. If
you are finished in a half hour, cut it off! People will respect the meeting time
limit as much as you do, so set a good example.
➤ Have your meeting at the same place and time every week, even if not much
is happening. Try to make it a habit for them.
➤ When planning your team meetings, involve a bit of showmanship to keep
people involved. If they sit there passively, ask specific people questions, but
never to embarrass them if they are late. If the discussions seem tedious, jump
in once in a while to keep them focused and interesting.
➤ Use slack time in the agendas to fill in with short training topics and visits by
the sponsor or department managers.
➤ Publish a meeting recap as soon after the meeting as possible. Detailed
meeting minutes may become too burdensome but a recap of the high points
gives you a document to talk from at the beginning of the next meeting.
➤ Always include a copy of the updated project plan.
Test “Completed” Plans
The quickest way to snap people out of lethargy is to publicly test the first plans
submitted. You don’t need to pull the plug on a computer to do this. An easy test
is to verbally walk through it. If the plan authors know that it is really going to be
read and see how you test it, they will be more thorough.
Do the first desktop walk-through with the plan’s author. You will uncover
glossed-over steps where they clearly knew what to do but where, based on the
plan, you had no clue as to what was next. After updating that version, do the
same walk-through with the author’s manager (who may very well be called on to
execute this plan) and look for gaps.
Reward those contributors who complete their plans on time. This is where
your sponsor comes in. Everyone likes to be appreciated, and some liberal
rewards for the first few completed plans will go a long way toward motivating the
rest of the team. You’d be surprised how fast this kind of word spreads throughout
a company.
Set Up and Enforce a Testing Schedule
As the departmental plans roll in, update the project plan’s testing schedule.
Testing will uncover gaps and inconsistencies in the current draft. Normally, this
is a multiple step process:
➤ The team member and the manager initially check completed plans by using
a desktop walk-through.
➤ The next level is to walk through the plan with someone familiar with the area,
but not involved with the plan development.
➤ Run a departmental test.
➤ Once enough plans are ready, it is time to schedule a simulated major disaster.
This might be over a holiday period or whenever the systems are lightly used.
Testing will teach people some of what to expect in a disaster. It will also make
them more familiar with the procedures of other functions.
Always follow testing or a disaster event with an “after-action” meeting and
report detailing the lessons learned and updates made to the plan. Be sure to
praise its high points and to privately express what it is lacking. Depending on
how well your group members know one another, you can use team members for
a peer evaluation. People must feel free to speak at these meetings without fear of
retaliation or their full value will not be realized.
After-action reviews are a very powerful learning tool. They require a moderator
to keep them focused and moving through the following five questions. An
after-action discussion follows a simple format:
➤ What happened?
➤ What should have happened?
➤ What went well?
➤ What went poorly?
➤ What will we do differently in the future?
Appoint someone to take notes on these lessons learned. Send a copy to each
participant, and the Business Continuity Manager should maintain a file of these
reports. Refer to this file when updating the plan.
CLOSING THE PROJECT
Once you have your plan written and the initial tests are completed, it is time to
close the project. All good things come to an end, as when the plan is transformed
from a project to an ongoing business process. The transition involves reporting
the project results to management, closing out the project’s budget, identifying
known exposures for future action, and thanking your team members for their
efforts. Closing the project involves the following steps:
➤ Turn all files over to the Plan Administrator. What was once your project may
become someone else’s regular responsibility. If the Business Continuity
Manager is not to be the Plan Administrator, accumulate all files pertaining to
this project and hand them over to the Plan Administrator. It is now the
administrator’s job to ensure the ongoing test plan is enforced, that plan
updates are issued in a timely fashion, etc.
Make a final update to the project plan. It may be useful if sister companies
want to use it for building their own business continuity plans. You can also
refer to it when estimating task duration for future projects.
➤ Report results to management. To wrap up your project, draft a recap of the
progression of the project to management. In this, point out any major
successes that occurred during the project, such as low-cost solutions found
to important problems, materials found stashed away in closets that could be
put to good use, and so on. In the report, be sure to point out the benefit of the
cross-functional training received by the project team as they worked with
each other during plan development and testing.
You should provide a final account of the funds spent on the project,
broken down as to what part of the project they supported. This will assist in
estimating the funds required for similar projects in the future.
➤ Identify known exposures. A business reality is that not every worthwhile
activity can be funded. During your risk analysis and mitigation efforts, you
very likely uncovered a number of areas where there were single points of
failure that called for redundant solutions, unmasked obsolete equipment
that must be replaced, or other mitigation actions that would make your
business processes more stable.
Roll up these exposures into a report to management. List each item
separately along with a narrative explanation of why it is important. Detail the
advantages and disadvantages of this course of action along with estimated
(or known) costs. These narratives may not be reviewed again for many
months, so the clearer the business reasons behind funding this action, the
better. When your capital budgeting cycle rolls around, use this list as input to
the budget.
➤ Thank the team. Hopefully, careful notes were kept during the course of the
project so that team members could be recognized for their contributions to
the project. In particular, those team members who overcame major obstacles
to complete their plans and thoroughly test them are due special recognition.
Acknowledgment of a job well done should be made as soon as possible after
the fact. At the end of the project, it is time to again acknowledge these
well-done jobs to remind everyone and management of the individual
accomplishments during the project.
CONCLUSION
After reading this chapter, you should now have a good idea as to the overall
strategy for developing a useful business continuity plan. Your odds for a successful
project increase dramatically when you have a well-thought-out plan. The major
steps for getting your project off to a good start are these:
1. Make sure the scope of the project is clearly defined. You need adequate time,
funding, and support to be successful.
2. Carefully select the right team members. They must have a good understanding
of the important processes within their departments and be able to clearly
communicate the importance of the project back to their coworkers.
3. Identify the activities required, their durations, and who should do the work.
4. Communicate not only within the team but with the entire organization, as
what you are doing is important for everyone’s survival.
5. Test, test, test. If a plan isn’t tested, you won’t know whether it will work until
it’s too late.