This article is available in other languages:
You’ve planned for every possibility. Your systems are entirely redundant and automated. They’re ready to failover when something happens. And then it does happen. A 7.1 earthquake levels the city you live in. The business’ systems come up in Amazon EC2 automatically thanks to some wizardry with the DR product you chose. Your Disaster Recovery plan worked.
Except. There’s a problem. Nobody’s going to work on the system. They’re all trying to find their family. The office is gone and there isn’t anywhere to work. You couldn’t even get electricity or an internet connection if you tried and the 3G network is completely clogged. You can’t even contact your staff.
The reality here is that many IT organizations seem to think that a Disaster Recovery plan is something that is the same as a Business Continuity plan, and that it should be left up to the IT guys to build, and that the “big one” is something of folklore, but it’s more fundamental than that. The business itself actually needs to make changes and plans for such an event. A DR plan encompasses the processes around bringing up your systems, but it doesn’t cover the human factor in the equation. That’s where a Business Continuity plan comes in, and is oft-ignored.
A lot of enterprises we encounter have an infrastructure team that’s been given the task of building a disaster resilient system, and have done so using tools that are advertised for just such an instance, and it works as advertised on the box. The cloud (such as EC2 or Azure) makes the IT side of DR even easier, but it doesn’t address the entire problem. They’ve got the IT plan, but not much more. It’s likely that the management of their organization hasn’t actually thought of a situation extreme enough where nobody is going to come in to work in a disaster because there are more important things in their life such as family.
Let me get this clear now: Business Continuity is not an IT problem. It’s a company-wide problem. You have likely been given the task of building out a DR system, but now, you should consider it your responsibility to make management aware of the other things they need to handle, otherwise the system will be to blame when it “fails” because nobody was there to work on it.
They need to plan for who’s going to run your systems while your city is out of action. Who is going to run payroll? Who’s going to respond to inquiries from your website? Where are your staff even going to work? Have you even considered where you will get the PC’s to keep working?
If you have a mirrored data-center at a separate location, that’s great, but you may want to consider getting an office there too, and additional staff at that location that can work when your primary staff aren’t able to.
The cost might look extraordinarily high, but if the business needs to keep running, and making money (like most businesses) it shouldn’t matter. Most organizations are ignorant when it comes to Business Continuity, assuming that a “major event” is unlikely to happen to them, so they don’t plan for it, or only plan to the bare minimum, ignoring the human factor in the equation.
IT is so critical to business now, so it’s foolish to assume that the business could recover without proper planning.
I’m not suggesting that you, as the IT guy for your company is now responsible for the development of a Business Continuity plan for the Finance or HR team, but you’re now responsible for making others aware of what they need to do. Take it upon yourself, or it’s likely no one else will.