Read an Excerpt

System i Disaster Recovery Planning

MC Press

Building a Disaster Recovery Plan — The Need

Disasters can strike any time, anywhere. Years of organizational success can be lost in minutes. Suppose you had to piece your organization together if it were to all go away tomorrow. It is a difficult task and a big job. You need a starting point, an ending point, and a roadmap to show you the way to systems recovery. You need a disaster recovery plan in place and staff dedicated to making the plan actually happen. The difference between losing your business and surviving in business depends on how well you're prepared for the unexpected. If a disaster struck today, how would your company do? Organizations must not only protect mission-critical data, but also put disaster recovery plans into place to prevent and support the recovery of any business outages.

Why is it that many organizations today still do not have a disaster recovery plan? Here are some typical excuses I have heard:

• There's not enough time.

• We're downsizing.

• My résumé is offsite.

• It will never happen to me!

• It's not in this year's budget.

• I just do not know where to start.

Do any of these sound familiar? If you have used any one or even all of these excuses and still don't have a comprehensive written and tested disaster recovery plan, you are not alone. A great amount of creative energy is spent formulating excuses instead of developing a plan. Even if you have a disaster recovery plan, are you really prepared? It is equally important to regularly test the plan to ensure that your business can be recovered as documented. Survival in business depends on how well you're prepared and trained for the unexpected. It is safe to say that disasters come without warning. A disaster will not happen during a convenient time to meet personal or work schedules.

The need for disaster recovery planning has been recognized by industry as an essential tool for business survival. Don't kid yourself — disasters do occur. The very survival of a business is in question when that business does not have a current, documented, and implemented recovery strategy. Insurance can help fund recovery, but it cannot service or replace your valued customers.

A fully documented and tested disaster recovery plan keeps bad things from happening to good companies. Disaster recovery (DR) means being aware of the threat and supporting the resumption of your business following any man-made or natural disasters. A disaster recovery plan not only protects your organization's most vital asset — your corporate information — it also helps create awareness within your organization. In addition, a DR plan helps you refine your infrastructure processes. Incorporating DR methodology into all IT integration strategies is forward thinking.

Most companies depend on their Information Technology (IT) to remain in business. Planning helps eliminate the need to gamble the livelihood of your business in hopes that a disaster will never strike your organization.

The success of your company can be attributed to years and years of hard work and risks that you successfully managed. Companies simply do not financially recover from a disaster when there is no fully documented and tested plan integrated into the business. Disaster recovery planning helps mitigate risks associated with the failure of the IT services on which your business depends. The most important goal is to enable your company to remain in business. If a disaster strikes, your company has everything to lose: critical data, profits, and information. All of these are critical assets in any company.

After 14 days without access to IT systems, 43 percent of businesses will not reopen; 29 percent of those that do reopen will close for good within two years.

U.S. Bureau of Labor

The Need

What happens if the power goes out in your home? You grab a flashlight or light a candle, and look out the window to see if the neighbors' homes are dark. If they are, this is probably a widespread outage rather than just a circuit breaker in your basement. In that case, you know that your lights will come back on when the utility company restores power. You can view your company's computer processing as just another utility, like power and water. It is a utility that supports your business; it's not the business itself.

For over 15 years, I have had the opportunity to study disasters first-hand. The one thing they all have in common is that no one ever believes it will ever happen to them. You will have a halt in your business activity ... a halt in your flow of information. How quickly you recover will determine if it is business as usual. If the business is worth the investment in the first place, it's probably worth protecting and recovering.

Some companies take for granted that a disaster will never strike. Rather than developing proactive solutions for such an event, importance usually falls on other corporate IT deliverables. Does your company have a comprehensive disaster recovery plan (DRP) that would allow it to continue to function in the event of a disaster?

Recent events around the country have kept us all on our toes. You just cannot pick up a newspaper or watch the news without hearing some bad news that requires some form of disaster-recovery planning response. Hurricanes Katrina and Rita in 2005, and Ivan and Francis in 2004. The great power outage in the American and Canadian northeast. The events of September 11, 2001. There are more everyday disasters, too, such as rotating power shortages or brown-outs. Finally, do not forget hardware failures. (Yes, the System i does break down!) All of these can have major impacts on today's business needs.

The underlying philosophy of disaster recovery planning needs to be deeply rooted in your organization's desire to protect the viability of its business, public image, and information assets. Your sales and marketing teams work extremely hard to build your corporate image and acquire new customers. New customers can be very difficult to get. Statistics show that it takes much more effort to gain a new customer than to maintain a customer. And once customers are lost, it is nearly impossible to get them back. So customer satisfaction is paramount. Trying to get new customers or convincing the old ones to hang around in a disaster is an uphill struggle if your corporate image has been damaged.

What Is a Disaster?

The textbook definition of a disaster is "a sudden, unplanned event that causes great damage and loss to an organization." The time factor determines whether the interruption in IT service delivery is an inconvenience or a disaster.

The time factor varies from organization to organization, of course. What does the face of disaster look like? What types of disasters should you consider? The list in Figure 1.1 is by no means complete, but it should give you an appreciation of the types of disaster you might wish to evaluate.

My own definition of a disaster is quite simple: "A disaster is anything that stops your business from functioning and that cannot be corrected within an acceptable amount of time." Disasters are defined and quantified in relation to time. Time is important from the standpoint of when an interruption occurs and how long the interruptions lasts. The bottom line is that a disaster is defined as any interruption of mission-critical business processes for an unacceptable period of time.

This time-related definition reflects the very nature of a disaster and avoids the problems that frequently arise by only applying categorical adjectives to a disaster. We all tend to get caught up in categories and types of disasters instead of the impact they can potentially inflict. A category that constitutes a disaster for Company A might not be a disaster for Company B. For this reason, you need to take a holistic approach to examining what constitutes a disaster and examine the business and regulatory impacts to your specific organization. Whether it is a hardware failure of the RAID5 disk array or the loss of power due to a weather- related event like an ice storm, anything that could severely impact your own company is a type of disaster.

What Is Disaster Recovery?

Disaster recovery is your IT response to a sudden, unplanned event that will enable your organization to continue critical business functions until normal IT-related services can resume. Disaster recovery must address the continuation of critical business operations. A major incorrect assumption made in our industry is that disaster recovery can be fully realized by simply prearranging for hardware replacement with your business partner or channel distributor. Write one check and you have a DR plan. Call the supplier and they will come running with all the hardware you require at time of need. Will they? Even if they will, is disaster recovery only about hardware? The obvious answer is NO!

What Is Your Level of Disaster Preparedness?

Most of us initially think our chances of being hit by a disaster are remote. Unfortunately, this view might not change until after the fact — like buying a home alarm system after you have been robbed. While threats of a major disaster from a storm, earthquake, or flood are always present, it is more likely that your IT department would experience an extended communications outage, technology failure, or loss of power. Most organizations are ill-prepared to manage any sort of emergency. Time and money spent on a disaster recovery plan is a good business investment. Planning and preparation before a disaster can minimize the loss of revenue and help ensure an effective, timely recovery.

Suppose you get a phone call in the middle of night. (We all know those types of calls can only bring bad news!) The IT person at the other end of the call states that there has been a terrible accident in the manufacturing plant. The fire marshal has cut power to the building, and things do not look good. Your centralized data center is there, which supports national manufacturing plants, sales offices, and distribution centers.

Quick — what would you do?

If your answer takes longer than 10 seconds to formulate or includes more than "make one telephone call," you've got a problem. If you simply do not know the answer, or if you answer "Maybe I'd do this ...," you have a serious problem. It might be some comfort to know that, unfortunately, you have plenty of company. Despite the increasing dependence on the integration of technology into nearly every aspect of business, most corporations remain unprepared to recover IT infrastructure supporting critical business functions in a disaster. By remaining unprepared, you are putting your successful enterprise at risk.

Organizations fall into one of four levels of disaster preparedness, compared in Figure 1.2 to popular movies. Which level of preparedness best represents your organization? This question is vital to knowing the organizational culture in the eyes of senior management.

If you don't know what level you're at, there's a relatively quick and easy way to find out. Ask yourself what are your organization's key business functions and which server infrastructures support these functions. Now assume that you were no longer able to use the systems because of an unplanned event — one hour, 12 hours, one day, two days, more? Then, estimate the financial impact this loss would have on your business based on how long your systems would be out. Determining your level of disaster preparedness may be a sobering exercise, when you consider lost sales, lost revenues, penalties from regulatory agencies, SLA-driven fines, and worst of all, damage to your public image! Obviously, quite a bit is at stake.

Questions for Preparedness

Here are some questions to help you assess your level of preparedness:

• Is your IT department positioned to respond in a disaster situation?

• What appropriate steps are currently in place to resume IT services?

• Is IT positioned to continue critical business functions during a disaster?

• Which daily business functions could IT afford to lose without suffering potential financial loss or disruption of expected services?

• Is IT positioned to respond to its business expectations, needs, and commitments in an acceptable manner despite a serious disruption?

• Is the IT management team trained in the discipline of crisis management?

• Who will make decisions during the disruption, and how will those decisions be communicated through the IT department?

• Is there a vital-records program in place that will allow the organization to retrieve and restore information following a major loss?

• Is there a contracted commercial or internal solution in place to test and train for disaster preparedness?

Effects of a Disaster

The effects of a disaster include the following:

• Business momentum

• Competitive edge

• Cash flow

• Human elements

In a disaster, one of the first things you will notice is a halt to your business momentum. It's not business as usual. The key is to minimize that and have a quick response so you can make your organization viable. A halt to your business momentum for an extended period of time could lose you any competitive edge that you hold in the marketplace. If it's a day or two, your customers will roll with you. If it's for an extended time, they will go elsewhere. So, if you are out for an extended period of time, it will start to effect your cash flow at a time when your company needs it most. If you experience a halt, you are going to need cash to control the problem. If you cannot send out your invoices to collect your accounts receivable, for example, you are effecting the thing that hurts the most: the bottom line.

Shock is another important effect of a disaster. Even your most competent staff, the person who's cool day-in and day-out, can experience shock. That's one of the reasons to document your course of action and develop task lists to keep people on track.

Information Technology Dependence

It is not necessarily the size of the disaster, but the likelihood of its occurrence and it potential effect on your IT installation, that you should weigh when evaluating and maintaining a disaster recovery plan.

Today, IT has become a strategic part of everyone's business. If the IT systems go down, it's very likely your business will not be able to continue its day-to-day operations. Disaster recovery planning is all about being able to mange the impact of disasters. More precisely, it must be about the ability to meet your organization's commitments, maintaining reliability, consistency, and dependability. A properly managed disaster recovery response can be a differentiating factor in this highly competitive business world. Most importantly, it supports your organization's commitment to shareholders, employees, customers, and suppliers.

It was not all that long ago that most companies were only open for business from nine to five, and just Monday to Friday. Having a system unavailable did not prevent a sale from happening. Customer transactions were usually conducted in person or over the phone, with details transferred from paper via a data-entry department, usually overnight. If a disaster shut down computing services for a few days, you could simply continue working in a manual business mode. In other words, it was business as usual.

---

Excerpted from System i Disaster Recovery Planning by Richard Dolewski. Copyright © 2008 Richard Dolewski. Excerpted by permission of MC Press.
All rights reserved. No part of this excerpt may be reproduced or reprinted without permission in writing from the publisher.
Excerpts are provided by Dial-A-Book Inc. solely for the personal use of visitors to this web site.

---