Applied Information Management
 
News and Updates

Disaster Recovery Planning for Time-critical Business Information Technology Systems

In Brief: While the benefits of integrating IT into business operations are reportedly significant, the consolidation of important operations into information systems creates a serious liability. The primary risk is that the potential failure of IT infrastructure on which time-critical processes rely can increase the likelihood that companies will go out of business when disaster strikes. Disasters can include business disruptions that result from terrorist attacks, power outages, security breaches, nature, and human error. Hayes (2005) suggests that businesses create disaster recovery (DR) plans for IT systems that they determine are essential to operations. A DR plan "details the key activities required to reinstate IT services within agreed recovery objectives" after business operations have been interrupted by a disaster (Bradbury, 2008, p. 15).

Disasters interrupt operations for over 90 percent of businesses, nearly half of which close their doors within five years.

The purpose of this literature review is to describe key elements, supported by best practices, in disaster recovery planning for business information technology. The review is designed to aid IT professionals as they collaborate with business managers to determine (a) how each functional area depends on IT, (b) which IT systems are time-critical, and (c) how to recover those systems after a disaster.

The selected literature reveals that DR planning activities are divided into as few as three or as many as ten distinct categories. This review organizes the major activities into five stages that are based on the models proposed by Spencer & Johnston (2003), Snedaker (2007), and Gregory (2008). These include Project Initiation, Conducting a Business Impact Analysis, Developing a DR Plan, Testing a DR Plan, and Maintaining a DR Plan (see Figure 1).

DR planning stage Major tasks to be conducted by the business
Stage 1:
Project Initiation
Businesses must establish the need for disaster planning and define a project plan to guide the development efforts (Clas, 2008, p. 47). An effective initiation process helps to assure the success of the resulting DR plan (Snedaker, 2007, p. 33). The major tasks included in the initiation stage are as follows:
  • Securing management support
  • Organizing the planning project team
  • Establishing the project management process
  • Obtaining the required resources
  • Developing initial project objectives
Stage 2:
Conducting a Business Impact Analysis
A Business Impact Analysis (BIA) evaluates an organization's IT systems to determine which systems should be included in a DR plan (Gregory, 2008, p. 51), and in what order the selected systems should be recovered (Bradbury, 2008, p. 16). A BIA involves these tasks:
  • Gathering information
  • Identifying the time-critical IT systems
  • Performing a risk assessment
  • Prioritizing the recovery efforts
Stage 3:
Developing a DR Plan
Based on the information revealed in the BIA process, this stage requires the identification and documentation of specific procedures to be invoked in the event of a disaster (Snedaker, 2007, p. 294). The following tasks are required to develop an effective DR plan:
  • Selecting the risk management strategies
  • Defining disaster severity levels
  • Identifying activation triggers
  • Defining and documenting specific recovery processes
  • Selecting disaster response team members
Stage 4:
Testing a DR Plan
Once a plan has been developed, it must be tested to ensure that it can accomplish the recovery objectives (Rothstein, 2007, p. 10) that are defined in the BIA for each time-critical IT system. If problems are revealed in this stage, the DR plan must be revised and the test repeated (Gregory, 2008, p. 218). Major testing tasks include:
  • Developing a test strategy
  • Training the recovery staff
  • Conducting the test procedures
  • Establishing the test frequency
Stage 5:
Maintaining a DR Plan
During the maintenance stage, processes are established to guarantee that DR plans are reliably updated to reflect the current requirements of continuously changing business processes (Toigo, 2003, p. 424). The tasks required to maintain a DR plan are as follows:
  • Identifying potential sources of change
  • Selecting the change management strategy
  • Maintaining the planning documentation

Figure 1—Summary of the five DR planning stages

It is important to test the disaster recovery plan. Depending on an organization's culture and the preference of the response team leader, testing can be either spontaneous to simulate an actual crisis, or premeditated to encourage a "calm, rational" implementation of test procedures. Some organizations can chose to utilize both surprise and planned testing to give test participants experience with both approaches.

References

  • Bradbury, C. (2008, April/May). Disaster! [Electronic version]. British Journal of Administrative Management, 62, 14-16.
  • Clas, E. (2008, September). Business continuity plans [Electronic version]. Professional Safety, 53(9), 45-48.
  • Decker, A. (2005, January). Disaster recovery: What it means to be prepared [Electronic version]. DM Review, 15(1), 44-46.
  • Gondek, R. (2002). Disaster Recovery: When more of the same isn't better [Electronic version]. Journal of Business Strategy, 23(4), 16-18.
  • Gregory, P. H. (2008). IT disaster recovery planning for dummies. Hoboken: Wiley Publishing, Inc.
  • Hayes, J. (2005, October). Reaping the whirlwind [Electronic version]. IEE Review, 51(10), 29-29.
  • Rothstein, P. J., ed. (2007). Disaster recovery testing: Exercising your contingency plan. Brookfield: Rothstein Associates.
  • Snedaker, S. (2007). Business continuity & disaster recovery for IT professionals. Burlington: Syngress Publishing, Inc.
  • Spencer, R. H. & Johnston, R. P. (2003). Technology best practices. Hoboken: John Wiley & Sons, Inc.
  • Toigo, J. W. (2002). Disaster recovery planning: Preparing for the unthinkable. Upper Saddle River: Prentice Hall PTR.
AIM alumnus Travis Luckey

Research Paper Author: Travis S. Luckey, Director of Information Technology, VTM Group—2009 AIM Graduate

Abstract: When disasters interrupt services provided by vital information technology (IT) systems, many businesses never recover (Decker, 2005). This review of literature published between 2001 and 2008 identifies key stages for consideration when performing IT disaster recovery (DR) planning to ensure business viability if disasters occur. Planning stages, presented as a guide for IT professionals, include Project Initiation, Conducting a Business Impact Analysis, Developing a DR Plan, Testing a DR Plan, and Maintaining a DR Plan.

Download the entire Capstone research project