Disaster Recovery Planning

Presented by

Micky Hogue, CRM

Sandia National Laboratories
Albuquerque, New Mexico
Mlhogue@sandia.gov

1
 If that happened to your
business...

Would your business be

able to survive???

Agenda

z Business Disaster Recovery Planning

z Analyzing your company & it’s needs
z Regulations, Recovery, & Risks
z Testing the plan
z Mutual Aid & Pre-disaster Agreements

Business Disaster
Recovery Planning

Disasters happen.....

If your company is here today,

and gone tomorrow.....

Will it matter?

2
 Focus on the Organization’s
most Critical Functions

These Need to be
Recovered First.

Definitions

z Disaster Planning--determines risks & potential

impacts
z Disaster Prevention--steps to prevent or lessen
impacts
z Contingency Planning--develop records
program, recovery strategies, and procedures,
coordinated written plans, make assignments,
list resources, do training and testing.

Definitions.....(continued)

z Disaster Response & Recovery--Implementing your

Plan, dedicate resources to priority “critical function
areas” - retrieve/restore all vital records for these
areas.

z Business Resumption--retrieve/restore all vital

records & information for the rest of the company’s
work areas -- finally return to normal business.

3
 Levels of Disasters

z Individual – loss of file, diskette, hard drive

z Loss of office – fire, water
z Local (loss of building) – fire, earthquake,
bomb, biological hazard
z Region Wide – flood, storm, earthquake, fire,
bio/chemical hazards
z Nationwide – terrorism, massive computer
failure, bio/chemical hazards,war

10

An Information Disaster is...

a sudden event that results in the loss
of records essential to an
organization’s continued operation.

z Destruction--fire, water, earthquake, etc.

z Stolen--industrial espionage, theft for profit or
sabotage
z Inaccessible--toxic contaminates, earthquake

11

Is Your Company Unique?

z Sole provider of your services/function?

z How fast must you resume services--
immediately? 24 hrs? 48 hrs? 1 wk?......
z Who is harmed if you cannot function?
z Are special skills/knowledge required?
z Will your employees be available?
z Are special records or equipment required?
z If so, will they be available in time?
12

4
 What are Your Company’s
Post-Disaster Needs?

z Your building is gone -- Where will you go?

z Transportation? Housing? Food?
z Will employees leave home & family?
z Alternate work site established & contracted?
z Equipment, supplies, telecom -- in place?
z Current Vital Records Plan & backups?
z Do you have a plan now? Does staff know of
it, and what they are supposed to do?
13

Will the Disaster Change Your

Responsibilities, Functions, or Direction in
Any Way?

z What will be new or different during the

response and recovery?
z Do business as usual? Or address
specific response & recovery services?
z Do you have procedures for these
response & recovery function?
z Have your employees been trained &
rehearsed?
14

Why Should I Develop a

Company Disaster Recovery Plan?

z How can I justify? What are the Benefits?

» Meet regulatory requirements
» Ensures continuation of services
» Increase employee confidence & morale
» Insure job security
» Identifies the vital parts of the agency & helps to
focus and streamline procedures & strategies
» Minimizes liability and lawsuits

15

5
 Regulations & Statutes for
Recovery Planning

z Contingency Planning Regulations

z Liability Laws
z Life/Safety Guidelines
z Risk Reduction Statutes
z Security Acts
z Vital Records Statutes

16

Risks
z Impact if records are lost? To company,
customers, or public?
z Which type of disasters can happen most
often?
z How quickly must you resume business?
z How tough is your competition?
z How soon will you lose market share?

17

Risks (continued)

z Will customer sue you if they suffer

losses?
z What if the disaster involves your off-
site storage or archives?
z What are legal, IRS, and other
implications?

18

6
 Where to Begin?

z Get management agreement for a plan,

and the extent of the plan
z Set up a Contingency Planning Group
z Select a disaster recovery team
z Get every department working on a
disaster plan and vital records plan

19

Four Phases of Disaster

Recovery -- S, S, R, and R
z S = Survival
» Immediate response to threats to life safety,
equipment, buildings, or area.
z S = Stabilize
» Take sensible steps to regain control of situation
z R = Recover
» Take necessary steps to recover critical &
essential functions & facilities
z R = Resume
» Transition from recovery to normal business
20

Business Disaster Recovery

Plan Strategies
z All work units develop disaster recovery plans
& test them at least twice each year
z Recovery Priority Level is based on the
impact to customer, regulatory requirements,
and financial stability:
» 1. CRITICAL -- recovery within 48 hours
» 2. ESSENTIAL -- recovery within 1 week
» 3. SUPPORT -- assist recovery of other units
» 4. DEFERRED RECOVERY -- recovery can be delayed

21

7
 Business Disaster Recovery
Plan Strategies (continued)

z Standard Disaster Plan Format:

» corporate policy, response & recovery strategies,
plan assumptions
» explains changes during a recovery period
» ensures all essential information & decisions are
included in the plan
» information is in a logical sequence
» information is easily referenced during a disaster

22

Business Disaster Recovery

Plan Strategies (continued)

z Standard Disaster Plan Format:

» planning process efficient for managers
» allows DRP to easily read & critique every plan
» allows DRP to compare strategies of business
units
» allows another manager to implement a plan
other than their own

23

Basic Steps in Developing a

Disaster Recovery Plan (cont...)

z Inform all function areas of the priority status and

your recovery plans for them
z Develop a Standard Disaster Recovery Plan to be
completed, & updated annually by all business units.
z Copies of the plan to be kept in the managers’
offices and homes
z Plan to include standard emergency response
instructions--who to call, etc.

24

8
 Basic Steps in Developing a
Disaster Recovery Plan

z Do a Risk Analysis (building/regional)

z Do Business Impact Analysis (types of
disasters on business functions)
z Do Human Impact Analysis
z Ensure Adequate Business Interruption
Insurance
z Ensure frequent off-site backups of all vital
records, data, software, etc.

25

Basic Steps in Developing a

Disaster Recovery Plan (cont...)

z Develop Hotsite/Warmsite/Coldsite Plan--

implement and do tests
z Plan Communication after a Disaster
» Where will key managers meet?
» What should staff do when they hear of disaster?
» How to keep everyone up-to-date & informed?
z Determine what your critical functions are,
and if any are independent of location
26

Basic Steps in Developing a

Disaster Recovery Plan (cont...)
z Critical functions that must resume operations in
less than 1 week must develop, equip, install
telecommunications and mainframe connectivity,
supply, and test an alternative worksite

z Determine what order “Critical” functions should be

recovered

z Determine how to best use staff & resources of your

“non-critical” functions

27

9
 Basic Steps in Developing a
Disaster Recovery Plan (cont...)

z Do a 1-page summary of key information for every

“Critical” function’s dept’s. plan--these summaries
must be immediately available to the corporation’s
“Recovery Management Team”

z Prepare a Work Unit Location Analysis for every

multi-store building--which units, # of people,
criticality status, square footage, equipment needed,
etc.

28

Basic Steps in Developing a

Disaster Recovery Plan (cont...)

z Develop a multi-room Emergency Operations

Center (EOC)
» Develop rolls/responsibilities and basic
procedures
» Have key managers/staff practice activating and
using it
z Interview major restoration companies
» Consider pre-signed service agreements for
emergency evaluation and priority service
29

Basic Steps in Developing a

Disaster Recovery Plan (cont...)

z Beyond your fire warden program, develop an

Emergency Response and Life Safety Program
based on a severe regional emergency or disaster.

z Focus on your ability to survive up to 1 week without

any outside assistance--fire, injuries, deaths, search
& rescue, water, food, sanitation, communications,
& evacuations

30

10
 The Only Certain Thing
About an Untested Plan...

Is That the Plan Won’t Work.

31

Types of Tests
z Notification
Tests
z Table Top Tests
z Walk Through Tests
z Operational Tests of Emergency
Voice Communications
z Operational Tests of Hotsite

32

Types of Tests (continued)

z Triage Tests
z Mini - Simulations
z Major - Simulations
z Coordinated Partnership Response
Test of a Major Disaster Simulation

33

11
Pre-
Pre-Disaster Agreements, Service
Contracts, & Mutual Aid

z What should you do?

z What can you do?

34

Pre-
Pre-Disaster Agreements, Service
Contracts, and Mutual Aid

Can You Recover All By Yourself?

Generally speaking, if your business or

agency is going to have a realistic
chance of recovering in time, you are
going to need the help of others. And in
order for them to recover, they may need
your help.

35

Mutual Aid & Pre-

Pre-Disaster Agreements
“Helping Each Other” Philosophy -- Volunteering to Assist

z Mutual Aid and Pre-Disaster Agreements:

» Are voluntary
» Do not bind or obligate the signers; they will only
assist if possible
» Define the general types of assistance that may
be required
» Identify the chain of command for activating the
agreement
» Define 24-hour communications procedures

36

12
 Service Contracts--
Contracts--How
How to Ensure
Essential Services Will Continue
z Service Contracts:
» Are legal and binding contracts
» Stipulate how, when, and where specific services
are to resume
» Are negotiated and signed by the vendors
owners or high-level managers
» Identify the chain of command for activating the
agreement
» Define 24-hour communications procedures
37

Public & Private

Partnerships
z Mutual Aid and Pre-Disaster Agreements:
» Are voluntary
» Do not bind or obligate the signers; they will only
assist if possible
» Define the general types of assistance that may
be required
» Identify the chain of command for activating the
agreement
» Define 24-hour communications procedures

38

There are no Permanent

Answers....
Only Evolving Solutions

39

13
Any Questions??

40

14