Disaster Recovery Is All About Planning

As this is being written, a major storm is bearing down on the Texas coast. Nearly a month ago, a similar storm destroyed much of Louisiana, Mississippi and Alabama. Tens of thousands of people were displaced, and as many as a million are seeking shelter again.

With those people are going the hopes of thousands of small and mid-sized businesses. Many of those businesses will lose everything, and will never be heard from again. Others will spend months or years recovering the information they need to make their business function, to pay their employees, and serve their customers. Yet a few are already up and running, because they planned ahead for disaster.

No doubt you’re aware of the ability of big companies to weather even terrible disasters. They depend on companies such as IBM and Sungard to safeguard their data, help them recover from a disaster, and even set up temporary offices and communications where necessary. But smaller companies may not be able to avail themselves of the services of these disaster recovery giants. However, that doesn’t mean they can’t plan ahead.

Fortunately, disasters on the scale of a category 5 hurricane are rare events. But that doesn’t mean you won’t have a disaster. “Your neighbor could have a burst pipe that floods your server room,” suggests Bob Boyd, president and CEO of Agility Recovery Solutions, in Charlotte, North Carolina. “There are simple things any business can do,” Boyd adds, “they can start backing up their data.”

Boyd notes that simply having a copy of critical business records, such as accounting data, critical documents, and copies of e-mails can make a huge difference between keeping a business running and having it slip quietly into history. “If you don’t have your data it’s difficult to overcome a catastrophic event,” Boyd explains. “You don’t know who your customers are, how much they owe, or how to bill them. You don’t even know your inventory.”Yet it's not enough to just have a backup copy of data. That backup copy has to be kept somewhere safe, for example. Usually, just having a company executive take the copy home at night, or having it placed in a safe deposit box will protect against small disasters. But Boyd notes that a regional disaster might require storage in a different location entirely.

In addition, Boyd says it’s important to make sure that you have somewhere to use the data so that you can recover it, and then use it to keep your business alive. In some cases, just knowing you can get to a computer with your word processing software and an e-mail application is enough. But if you have specialized software, including an accounting application, you need to be able to find that as well. In that case, parking a spare computer with the right applications at a location outside of your immediate area may be enough. Your mother-in-law’s back room or the office of a trusted colleague could do nicely.

Boyd, who has spent most of his time since Hurricane Katrina hit Louisiana recovering his customers, says it’s also critical to have a plan. The plan must include getting detailed contact information from your employees, and must include practice drills. That way you'll know that the plan is still viable and works when it's needed.

A disaster plan, for even a small business, should be put in writing and shared with employees. The plan should include checklists for each employee's role in planning the response to an impending disaster or recovering from one. Items on the checklist should include where to send backups, where to meet after the disaster is over, responsibilities for alerting employees, and where the alternate site for the company operations will be.

“They {IT and executives} need to talk to employees about what happens if they have a disaster,” Boyd explains. “They ought to practice it, call everyone on the phone tree, and travel to the alternate location.” He also says it’s important to actually restore your backups and make sure that they’re usable.Boyd notes that the aftermath of Hurricane Katrina convinced him that a carefully prepared plan is critical. He saw a lot of business people missing basic things. Sometimes, the results of very bad decision-making was due to the stress of the disaste, he adds.

Fortunately, if an enterprise plans well, and practices on a regular basis, its chances of making it through the next disaster – regardless of size – are improved.

Unfortunately, that doesn’t end the planning effort. Not only do you have to keep your business running, you also have to secure the information you’re leaving behind. For example, suppose your computers survive the disaster, but you just can’t get to them, as happened in the Gulf region after the hurricane?

“We’ve heard reports of a lot of looting happening with computers and equipment, including phones and PDAs,” says Eric Sommerton, marketing VP at Control Break International . Clearly, even if you’re up and running elsewhere, you don’t want someone looking at your business records. Worse, if those records include information protected by

Sarbanes-Oxley, Graham – Leach – Bliley or HIPAA, you could find yourself with a significant liability issue. Of course, not everyone who might be trying to use your office after an emergency is a looter. “People are trying to find ways to communicate, so they’re in these offices to reach out to family and friends,” Sommerton says. But that doesn’t really matter much if protected information is exposed.This could mean putting some sort of security system in place thatwill protect the computers left behind if they remain operable. Obviously, secure user names and passwords are a must, but for sensitive information, some form of data encryption is a must.

Whether the disaster that hits your business is a regional one such as a hurricane, something local such as a gas leak or a fire, or something as small as a leaky pipe in the office upstairs, there’s no substitute for a plan.

You have to back up your data, of course, but you also have to know where to send it, how to restore it, and what to do with your employees while your offices are inaccessible.

And once you plan for that, you need to practice it so that everyone in the company knows what to do, and so that you know that it actually works.