In part 1 I looked at the basics you need in place before any DR plan can be put together, tested and approved. So we have our IT provision in place. It is well documented. Backups are regular, tested and stored securely, ideally off-site. Original media and license documents are stored securely off-site.
Now we can look at starting the DR planning process. Things can get a bit more challenging here but don’t worry. Remember, calmness and clear thinking are your friends here.
The first things you should do are
- Look at your IT provision and find out how DR friendly it is.
- Talking to the business and finding out what the different areas of the business need to be able to get back to doing a basic level of business.
Look at your IT provision first to get a good view on how DR friendly it is. You won’t look very good if you have to go to the MD/CEO and say “We’ve got the information from the rest of the business but our IT kit can’t be covered adequately.”
This isn’t as huge a task as some might think. If you’ve got the documentation all done then you should be able to see what servers, hardware and software you have. For SME organisations most of the IT provision I’ve seen is pretty standard stuff. What you do need to look out for is hardware and software specific to your sector, or equipment kept solely for retention purposes. Sometimes transferring data from older systems to something new can be seen as prohibitively expensive. If you have something like this, an IBM System 36 being a good example, you need to start looking at that sooner rather than later.
Look at what you’ve got and list it. What on that list is something old, proprietary, sector specific? Highlight it and start researching suppliers for it. If you need to, prepare senior management for the possibility that there may be some additional work and/or expenditure on the IT side of things.
Talking to the business is essential because the needs of the business should drive the IT provision. Remember our simple bottom line from part 1: If an incident happens what do we need to be able to get back to doing a basic level of business?
A basic level of buisiness can be defined as “A situation where the organisation is able to carry on its function at a diminished level while the rest of the IT provision is restored.” Keep this point in mind during the whole project; it is something you may find yourself repeating a lot.
A DR project needs to have the complete public backing of the MD, CEO, owner or similar executive sponsor. Too many managers and directors still view IT as a pain in the rear rather than the oil that keeps the organisation’s gears flowing. It is people with this attitude who will not treat the project with the seriousness it deserves. This first phase is often the project’s most challenging as it often throws up office politics, wrong expectations and some colleagues playing what is sometimes known as “silly buggers”.
To start to put a DR plan together you need to get an answer to the question above from each department within the company. If you’re at a small company then you may well already know all or most of the answers to that question. The larger the company, the more departments and the more answers you will get. At the smallest level you could end up with less than one side of paper and in a larger concern you could end up with half a ream or even more.
With this in mind I recommend a DR commencement meeting where the executive sponsor and department heads are present. All that is needed is words from the executive sponsor saying “This project has my full support; everyone is expected to contribute appropriately and professionally. Those who do not will answer to top level management.” Displays of top level management support for the project is good project management discipline. I think it’s essential in this case.
Then could come a brief explanation of what the DR project is looking to achieve and how it will get there. The meetings with department heads are critical; the final plan will reflect on those whose input was sought. You can do the IT and techie stuff but the needs of the business are made clear by the department heads. Give them a handout asking our simple question:
What do you need to be able to get back to doing a basic level of business?
With “basic level of business” defined.
At one company I worked for one department’s basic requirements were nothing more than a phone line and some works order forms. The department manager was practical when he said “We have mobile phones, we just need an incoming phone line to take customers’ calls and works orders to be able to get work started. That has to be our priority, a few days’ basic operations won’t impact on us that massively.”
Not every department will have such practical, Clued up management. I’ve seen managers insist that minimum requirements are 30 staff all with incoming calls, internet access. laptops and Blackberrys. The concept of “basic level of business” didn’t get much of a look in.
Ask the question of each department; you may well get a different answer from each department. Don’t be afraid to challenge what is said in response and seek reasons for those responses. The emphasis is on getting a basic level of operations up for the organisation and then building on that. The responses you have should be enough for you to draw up a picture of needs and a draft ideal minimum spec. You’re not promising specifics at this stage, just investigating what you will look to get done.
A few meetings with departments to get a better picture of how and why they do things might be needed. With a better understaning you may well be able to offer better alternatives for the basic operations scenario. It’s a great opportunity to engage with other departments and help improve mutual understanding.
Some departments will have to come behind others in the pecking order. That’s for you to discuss and decide with the executive sponsor. Your executive sponsor should know the internal politics better than you and their decisions should carry a lot more weight in internal politics. Where additional meetings are necessary, don’t be afraid to ask your executive for a little guidance. Keep your executive on your side with good, relevant information and if you find areas where you need guidance they should be more than willing to advise.
Now you have the beginnings of a DR plan – the perceived basic requirements of the business in the event of an incident. This could be a couple of sheets of paper or several pages. I say perceived because the eventual basic DR provision might differ from the perceived requirements.
Read through the responses as often as you need to in order to get a clear picture of what is felt to be needed for a minimum level of service. I find putting things in picture form helpful. Nothing has been promised or guaranteed at this stage.
Meet with your executive sponsor to go through the responses. They may be able to advise on reasons for some of the less than realistic responses. Say where you think someone is being excessive in their requirements. Work through the responses and be sure that you’re clear on what the initial perceived requirements are.
Your next step will be to talk with a DR professional. The more information you can provide, the less time they will need to spend on site talking to people. That will save some money.