When Disaster Strikes, It's Too Late! Be Prepared with Business

Continuity Plans

Grant Howe

VP of R&D for Sage Nonprofit Solutions

Learning Objectives

• After participating in this session, you will be able to:

– Understand the goals of Disaster Recovery Planning

– Understand the components of a Disaster Recovery plan

– Begin your Disaster Recovery Planning project

What is a Disaster Recovery Plan?• Disaster recovery planning is a subset of a larger

process known as business continuity planning and should include planning for resumption of applications, data, hardware, communications (such as networking) and other IT infrastructure. A business continuity plan (BCP) includes planning for non-IT related aspects such as key personnel, facilities, crisis communication and reputation protection, and should refer to the disaster recovery plan (DRP) for IT related infrastructure recovery / continuity

• Source: http://en.wikipedia.org/wiki/Disaster_recovery

Dilbert on Disaster Recovery

Is this your current plan?

SETTING GOALS FOR OPERATIONAL CONTINUITY

Deciding goals for operational continuity?

• What are your organizations key business processes?• How long can your org survive without these operations

business process?• Do manual methods make time to restore less critical?• Do you have any processes with very little tolerance for

downtime?

Sample Business Continuity Process Ranking

Process Level Recovery Point Objective

Donation Acceptance and Processing

Critical 1 hour

Elderly Meal Delivery Services

Critical 4 hours

ERP High 1 day

CRM Medium 1 week

SUGGESTIONS FOR BUSINESS PROCESS “DISCOVERY”

“Follow the Money” planning methodology

• Trace how money flows through your organization

• Start with income (donations, grants, revenue, etc)

• Map where that money goes as expenditures• Document the process flow and include all of the

systems used to process the transactions

“Committed Service” planning methodology

• Identify services your organization provides (meals, counseling, etc.)

• Map how raw materials used in that service become usable and delivered (groceries, people, transportation)

• Document the process flow and include all of the systems used to process the transactions

COMPOSING A DISASTER RECOVERY PLAN

Decide Criteria for invoking the plan

• What is the maximum amount of time a process can be unavailable before action must be taken?

• At what point does the cost of executing the plan become secondary to the outage?

Critical Business Process Recovery Section

• Critical Business Process Workflow • Physical Plant Related Recovery Plans• IT Related Recovery Plans• People Related Recovery Plans• Assignments and Execution• Preconditions / Preventative Plans

Critical Business Process Workflows

• Use the process workflow that was developed through a “Discovery” methodology as outlined in the earlier sections

• Make sure the workflow shows enough detail that someone who isn’t you can understand!

• Be sure to identify critical systems and applications used in the transactions

Physical Plant Recovery Related Plans

• Office space?• Lights?• Heat / AC?• Power?• Water?• Delivery Transportation?

IT Related Recovery Plans• Hardware?• Power?• Internet?• Email?• Phone Service?

• Applications (got media and a license key?)

• Data Recovery from Backup? (Do you have backups offsite?)

• Tech support contact information?

Technology Time out: Consider Hosting, ASP or SaaS

• Consider preventing server disasters by owning and maintaining as few as possible

• Consider a provider that will be contractually bound to 99%+ uptime for your critical services without your efforts

• Ideas to look into:– ASP or SaaS from your software vendor– Rackspace (Managed service provider)

People Related Recovery Plans• Who knows how to contact vendors?• Who knows how to cut payroll checks?• Who knows how to process credit card

payments?• Is there more than one person who can perform

each critical business transaction?• Do you have cell phone numbers to reach

employees / volunteers / service providers?

Assignments and Execution• What steps need to be taken to restore this

process?• Who has the authority with vendors to do so?• Who has the required knowledge or training?• Is there a backup operator to execute this plan if

the primary is unavailable or unreachable?• Who can make the decision to enact the plan?• Assign roles and communicate expectations to

staff

Required Preconditions / Preventative Plans

• What needs to be part of your regular operating plan to enable your disaster recovery plans?

• Set these actions in motion as part of your finished recovery plan

Example:• Its really hard to restore from backup if you don’t have

any or they were in the office when it burned down!

Technology Time out: Cloud Backup Solutions

Example of cost : Amazon S3 $0.15 / GB / month

• Don’t want to “Roll your own” try one of these:• www.crashplan.com• www.jungledisk.com• www.spideroak.com• TechSoup Stock: Backup Software

Testing The Plan

• Test each business process in your section when finished and at least annually after that!

• Make sure that your interactions with your vendors work as planned

• Streamline your plan based on your test results• It is unlikely your plan will work exactly as you

have planned it, do not be disappointed and focus on making corrections for the next test.

Plan Maintenance

• Review your business processes at least annually• Update the processes for changes in how things work

Examples:• Did you add new software applications?• Add new vendors you rely on?• Are there new processes or services to constituents you

need to protect?

Technology Time out: Gosh, Where did I put that plan?

• Here in my desk (now melted and charred)?• On 3 duplicate and encrypted USB drives carried by 3

different key DR team members (updated monthly)• Available on encrypted secure storage on the internet to

select DR team members (synced with a local folder)– www.box.net– www.spideroak.com– www.elephantdrive.com

OMG! YOU SCARED ME!

Practical short term risk reduction

Fix Your Backup Strategy

• Find out if you are doing backups at all• Make a list of additional data that needs backing

up• Get a plan in place to backup everything on your

list weekly• Store your backups offsite• Do it this week

Inventory your computing resources• Make a list of all of the computers and storage devices

(workstations & servers)

• Annotate the functions and applications that are used on each

• Rate each resource as critical or disposable

• Critical resources are those that cannot be rebuilt quickly from new hardware and a backup (app servers, databases etc)

• Disposable resources are those that can be recreated from backups and install disks easily

• Focus your attention on plans to recover from failure of only the critical resources as your first step

• Do it this month

Start talking about needs for a full plan

• Your ED and Board of Directors should easily realize the need

• Pass around this presentation for education• Ask for assignment of a project manager / owner• Begin a project plan• Ask for budget

RESOURCES YOU SHOULD CHECK OUT

• http://www.techsoup.org/toolkits/disasterplan/

• Highlights –– Techsoup Disaster Recovery Guide (PDF)– Disaster Planning: What Organizations Need to Know

to Protect Their Tech (Webinar)– Disaster Planning: Backup, Backup, Backup!

(Webinar)– TechSoup Stock: Backup Software

Questions?

Sources / useful links

• http://en.wikipedia.org/wiki/Disaster_recovery• http://www.drplanning.org/portal/• http://www.techsoup.org/toolkits/disasterplan/

Evaluation Code: 174

How Was this Session?Call In Text Online

Call 404.939.4909

Enter Code 174 Text 174 to 69866 Visit nten.org/ntc-eval

Enter Code 174

Session feedback powered by:

Tell Us and You Could Win a Free 2011 NTC Registration!