Business Continuity Planning
Risk Prevention and Mitigation Planning
Dedicated to WTC 9/11
Should you be faced with a disaster, that is the wrong time to ask yourself how you could have prevented this disaster, or what you should do to deal with this disaster... you should already be satisfied that all possible prevention failed and now you should be in react mode, redirecting the work to your backup site and resuming business as best as possible under the circumstances. It is nice to have copies of critical files in an off-site location, provided that you can get access to these files quickly and that you are able to load these critical files on a functionally adequate backup computer configuration. Not to mention, your employees should have access to adequate facilities that enable them to start processing work as soon as possible after the disaster. The newspaper is not a good place for your employees to find out what has happened to your company and how you failed to prepare a plan for mitigating the disaster.
Prevention
Possibly the most important stage of all is the prevention stage, where we consider all the steps that we can take to reduce the likelihood of any event turning into a disaster for the company. We recommend that your annual checkup includes an assessment of what can be improved to minimize the risk of any disaster event, and that you incorporate this feedback into your long-term strategic planning. Over time this may turn out to be the best and cheapest strategy for company survival.
A major purpose of the impact analysis is to determine what can be done to prevent the impact by incorporating early warning opportunities. While not strictly part of the response in terms of a traditional BCP, it makes sense to do what is reasonably possible to prevent the consequences from impacting the operations in the first place. Prevention does not necessarily mean that an event response is no longer a priority, but it may lower the probability of occurrence and thus the imputed event costs. For example, you may be able to minimize the impact of a disaster by storing copies of your critical data off-site as a normal part of your recovery strategy, but there are many other steps you can take when you go through the list of potential disaster scenarios. Maintaining a BCP and the risk awareness that is inherent in the BCP can be a major preventive initiative, because it refreshes the awareness of what backup and recovery facilities must be kept up to date. This way you can prevent an actual situation we experienced where a backup tape turned out to be unreadable and useless.
Execution
Last, but not least, comes the dreaded part of planning the actual steps that you should take when a disaster strikes. One of the most important preparation steps is to have a good evacuation plan. Nothing is worth more than the safety of your employees, the very resources that are critical to the survival of the company. We never recommend actions that involve your employees putting their lives at risk, which is why we emphasize prevention if possible.
Our emphasis on personal safety does not mean that your employees should not be prepared to deal with emergencies before they turn into potential disasters. What we discourage are heroics of people running into burning buildings to recover business assets that are easily replaced, but knowing how to put out a small fire before it takes hold is quite a different matter that could potentially save the lives of many employees. Hopefully you will never have to execute recovery processes in response to a major disaster, but it is reassuring to have a predefined response plan that can be invoked and executed without waiting for key decision makers. Key people should have copies of your recovery plan at home as well as at work, and you should keep copies offsite, such as with your backup service providers. Most people plan how to get out of harm's way if the unthinkable should happen, but that is not enough planning to get your business back into operation.
Prevention addresses the positioning of those measures and activities that will lessen the possibility or the impact of an adverse incident occurring in your organization. The preliminary goals and objectives of this phase of a Business Continuity Plan are to protect the assets of the company and to manage the risks. Because this should be regarded as an essential part of normal business operations, we treat prevention as a separate stage (above), as its role is to demonstrate the link between preparedness and the ability to recover.
Response is the reaction to an incident or emergency to assess the damage or impact, or even to mitigate the impact immediately. We must ascertain the level of containment and control activity required to deal with the emergency. In addition, the response element will address the issues of personal safety and the safety of others. Response also addresses the policies, procedures, and actions to be followed in the event of an emergency, with emphasis on avoiding heroics where people put themselves at risk for physical assets.
Resumption refers to the process of planning for and/or implementing the resumption of only the most time-sensitive business operations immediately after the disaster. This includes procedures to return the computer systems to an operational state at the alternate site based on prioritized critical business functions. The plan will identify critical functions by department and function hierarchy as determined in an exposure assessment, in order to resume the basic business operations to the outside world.
Recovery is the process of planning for and/or implementing expanded operations to allow less time-sensitive business operations to resume after the disaster. This typically includes all essential support operations and general business systems, such as billing and receivables, necessary to keep the company alive. There has to be an organized sequence with a time-table so that everyone understands what to expect if the recovery requires a move to an alternate site, for example.
Restoration is the process of planning for and/or implementing procedures for the repair or relocation of the primary site and its contents in order to resume normal operations. This is basically the phased migration from a recovery site to a permanent site, which follows the above response and resumption plans, but under less trying circumstances. Depending on the damage repairs, or the time required to find an alternate site, the time span between Recovery and Restoration can be significant.
Do not forget that you have to perform a dry run from time to time to iron out potential flaws in your plans, before you end up faced with a real disaster. This can be combined with a periodic audit to assess your disaster readiness and to replace or restore items you may need in a recovery that have gone missing or malfunctioned in the test. Batteries need to be replaced, for example, and you need to periodically verify your backup tapes, etc.; there are literally hundreds of things to check in a typical disaster response plan. PM4HIRE.COM can help you to implement the B.I.R.P. methodology summarized on these pages. Although there is never a good disaster recovery, nor ever a guarantee of success, you can definitely improve your odds by being ready for any eventuality. You may find that it is not as difficult as you think.