by Heshan Karunarathna

The following article focuses on two key areas as far as disaster management principles are concerned. One would be on the disaster recovery and the other would be on Business continuity planning. Before moving on to them lets analyze what a disaster is. A disaster according to the definition is the tragedy of a natural or human-made hazard that would negatively have an impact on the society or the environment. In modern-day academia, disasters are looked upon as the results of inappropriately managed risk. A disaster can be also described as any catastrophic event that may engage at least one victim of circumstance, such as an accident, fire, terrorist attack, or explosion.

For more than a century researchers have been analyzing disasters and for more than forty years disaster research has been institutionalized through Disaster Research Centers world over. The studies reveal a common opinion when they argue that all disasters can be seen as being human-made, their reasoning being that human actions before the strike of the hazard can prevent it developing into a disaster. Also it was learned that almost all disasters are hence the result of human failure to introduce suitable disaster management measures. Hazards are routinely divided into natural or human-made, although complex disasters, where there is no single root cause, are more common in developing countries. A specific disaster may spawn a secondary disaster that increases the impact. A classic example is an earthquake that causes a tsunami, resulting in coastal flooding, which as Sri Lankans all of us have faced. Therefore in such scenarios we need to be well prepared and have awareness on the activities to follow up as individuals and as organizations. When it comes to an organization, especially in the information technology sector it is quite important to be on guard on disasters which could be both natural and human made. The two areas Disaster Recovery and Business continuity have become the buzz words in today’s economy due to its importance especially due to the increase in man-made disasters such as Wars, Riots, etc.

Disaster recovery is the process, policies and procedures related to preparing for recovery or continuation of technology infrastructure critical to an organization after a natural or human-made disaster. According to the academia, Disaster recovery planning is considered as a subset of a larger process known as Business Continuity Planning and should include planning for recommencement of applications, data, hardware, communications (such as networking) and other IT infrastructure. A Business Continuity Plan or BCP includes planning for areas which are non-IT related such as key personnel, facilities, crisis communication and reputation protection, and should refer to the disaster recovery plan (DRP) for IT related infrastructure recovery continuity. Since my involvement is mainly with the IT sector this article focuses on disaster recovery planning as related to IT infrastructure.

 Business continuity planning or BCP on the other hand is the formation and validation of a practiced logistical plan on how an organization would recover and restore partially or completely interrupted critical and urgent functions within a predetermined time after a disaster or extended disruption. This logistical plan is called a business continuity plan. In plain language, BCP is working out how to stay in business in the event of a disaster. These Incidents include local incidents like building fires, regional incidents like earthquakes, or national incidents like war situations.

It is observed that prior to selecting a disaster recovery strategy, a disaster recovery planner should refer to their organization's business continuity plan which should indicate the key metrics of recovery point objective (RPO) and recovery time objective (RTO) for various business processes within the organization. The metrics specified for the business processes must then be mapped to the underlying IT systems and infrastructure that support those processes. The importance is because it would be extremely difficult sometimes to say No to a customer when he is in the need even though we are facing the disaster.

Once the RTO and RPO metrics have been mapped to IT infrastructure, the DR planner can determine the most suitable recovery strategy for each system. An important note here however is that the business ultimately sets the IT budget and therefore the RTO and RPO metrics need to fit with the available budget. While most business unit heads would like zero data loss and zero time loss, the cost associated with that level of protection may make the desired high availability solutions impractical. Therefore it is extremely important to communicate the message right across to all people within the organization.

The following is a list of the most common strategies for data protection that are commonly practiced in most of the IT organizations.

• Backups made to DVDs and sent off-site at regular intervals (preferably daily or weekly)
• Backups made to disk on-site and automatically copied to off-site disk, or made directly to off-site disk.
• Replication of data to an off-site location, which overcomes the need to restore the data (only the systems then need to be restored or synced). This generally makes use of storage area network (SAN) technology
• High availability systems which keep both the data and system replicated off-site, allowing continuous access to systems and data

In many cases, an organization may select to use an outsourced disaster recovery provider to provide a stand-by site and systems rather than using their own remote facilities. Today even in Sri Lanka there are a few companies coming up to provide the disaster recovery packages to organizations which would be interested in having them outsourced.

In addition to getting ready for the need to recover systems, organizations must also implement precautionary measures with an objective of preventing a disaster situation in the first place. These actions may include some of the following:

• Local mirrors of systems and/or data and use of disk protection technology such as RAID
• Surge protectors — to minimize the effect of power surges on delicate electronic equipment
• Uninterruptible power supply (UPS) and/or backup generator to keep systems going in the event of a power failure
• Fire preventions — alarms, fire extinguishers
• Anti-virus software and other security measures

If you are interested, for more details you could visit www.disasterrecoveryworld.com, www.disaster-recovery-guide.com, and www.drii.org. They would provide more information on these topics for further knowledge enhancement.