Let’s take a practical example related to the disaster recovery plan.
If your company produces and ships 20 trucks of products a day, a stoppage of the distribution system that brings your products to the trucks would probably cause you substantial monetary losses. For this reason you will keep a generous stock of spare parts and a team of maintenance technicians always available, and for the most delicate and vital points you will probably have extra room for maneuver (more machines, more spare parts, etc.). In the event of a serious breakdown, parts of the system could be compromised and you would still be able to keep going while the maintenance team solves the problem.
At the business level, imagine what it would mean to lose the system that manages the plant. Not having it means “disconnected computers, inaccessible warehouses, loss of visibility of orders and shipping lists, etc.” How vital is it to “restore” such a situation?
And what if the backup took 12 hours to restore? Would your company be able to survive?
In this case, the critical IT systems that govern the heart of the company and are vital for its survival are duplicated in full and kept up to date at a second site. At a cost that is usually not negligible, this makes rapid restarts possible and ensures the survival of the entire organization. This is disaster recovery, and everyone should at least have it properly evaluated before deciding “I don’t need it”.
At this point the Disaster Recovery Plan comes into play.
This is not a job for IT professionals alone: all company management must be involved to analyze each flow and lay the foundations for a correct evaluation. Here are the main steps needed to set it up correctly:
Identification of disastrous events;
Estimate of the impact of these catastrophic events on the company business;
Choice of the personnel in charge of the security plan and of those who will implement it in case of emergency (who does what, roles, responsibilities);
Training and periodic updates of the personnel dedicated to disaster recovery and security procedures;
Check that the team of people involved in all security procedures knows their responsibilities;
Periodic planning of tests on emergency procedures, to verify the effectiveness of the safety plan and, if necessary, modify it;
Periodic verification that security strategies and policies are actually still up to date (and consistent).
Two parameters dictate the level of efficiency and cost: RTO and RPO.
RTO (Recovery Time Objective, the time required for full recovery of a system’s operation) and RPO (Recovery Point Objective, the maximum amount of data that a system can lose due to a sudden failure) have a very strong impact on costs when evaluating a technological solution, and must be guaranteed at the contractual level.
For example, a bank must have an RPO of zero (that is, even the most recent data, from 10 seconds earlier, must be recovered: transactions, payments, etc.). For some production companies, an RPO of 24 hours is sometimes sufficient.
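As an added illustration (not part of the original article), the Python code below checks a backup job history and a restore test against RTO and RPO objectives, measuring RPO as a time window in the way the 24-hour figure above does. The objectives, timestamps, job statuses and function names are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data: objectives, backup job history and one restore test.
OBJECTIVES = {"rpo": timedelta(hours=24), "rto": timedelta(hours=4)}
BACKUP_JOBS = [
    ("2024-03-01T01:00", "ok"),
    ("2024-03-02T01:00", "ok"),
    ("2024-03-03T01:00", "failed"),  # a failed job silently widens the gap
    ("2024-03-04T01:00", "ok"),
]
DRILL = {"failure_declared": "2024-03-04T08:00",
         "service_restored": "2024-03-04T20:00"}
OBSERVED_UNTIL = "2024-03-04T18:00"


def ts(text):
    """Parse an ISO-8601 timestamp from the sample data."""
    return datetime.fromisoformat(text)


def worst_case_rpo(jobs, observed_until):
    """Longest interval not covered by a successful backup.

    A failure at the end of that interval would lose that much data.
    """
    good = sorted(ts(t) for t, status in jobs if status == "ok")
    if not good:
        raise ValueError("no successful backup in the observed period")
    points = good + [ts(observed_until)]
    return max(later - earlier for earlier, later in zip(points, points[1:]))


def measured_rto(drill):
    """Time from declaring the failure to having the service usable again."""
    return ts(drill["service_restored"]) - ts(drill["failure_declared"])


def evaluate(objectives, jobs, observed_until, drill):
    """Compare measured values with the objectives."""
    rpo, rto = worst_case_rpo(jobs, observed_until), measured_rto(drill)
    return {"rpo_measured": rpo, "rpo_met": rpo <= objectives["rpo"],
            "rto_measured": rto, "rto_met": rto <= objectives["rto"]}


if __name__ == "__main__":
    report = evaluate(OBJECTIVES, BACKUP_JOBS, OBSERVED_UNTIL, DRILL)
    for key, value in report.items():
        print(f"{key}: {value}")
```

With this data both objectives are missed: the single failed nightly job stretches the exposure window to 48 hours, and the 12-hour restore exceeds the 4-hour RTO.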
As with crisis management, a disaster recovery plan should always be kept on hand. You may often think it serves no purpose, but the moment it becomes useful can be the dividing line between keeping the company active and closing it permanently.