_______________________________________________________________

_______________________________________________________________

Report Information from ProQuest

15 February 2012 01:13

_______________________________________________________________

Document 1 of 1

Critical elements of a disaster recovery and business/service continuity plan

References Moore, P. (1995). Critical elements of a disaster recovery and business/service continuity plan. Facilities, 13(9), 22-22. Retrieved from http://search.proquest.com/docview/219641993?accountid=31562

_______________________________________________________________
Abstract
Ideas are outlined for a well-designed crisis plan applicable to many corporations, institutions, or government agencies. In the light of numerous community-wide disasters, as well as the singular disasters that corporations, institutions, municipalities and government agencies have suffered in the last few years, disaster recovery needs are detailed. Issues of site assessment such as whether or not a building is occupied, repairs, fire, and water cleanup, are discussed.

_______________________________________________________________
Full Text
We all know that a well-designed, implemented and tested contingency planis the best insurance against financial peril for any corporation, institution or organization with a future. In the last few years we have seen the contingency planning process progress from earlier issues of addressing primarily information services and data centre priorities, to include equally important corporate issues involving telecommunications, human resources, vital records, risk management, security, environmental concerns, product recovery, and the facility itself. The numerous community-wide disasters, as well as singular disastersthat corporations, institutions, municipalities and government agencies have suffered in the last dozen or so years, have shown us that planning for disaster recoveryonly is simply not enough. We must also planfor business resumption and business continuity. We cannot expect to recover fully and continue our business or services without planning for the recoveryof the facility which houses the business or service operations and which provides the environment in which the business units and processes operate. More often today it is the facility manager, risk manager, administrator, or director of security, or safety who are being asked to complete the plan--to address issues far beyond the recoveryof the data centre or information services alone. These additional issues also directly affect the bottom line, including business interruption and loss of market share and stockholder confidence. They can include not only the physical recoveryof the facility, but such critical disaster recoveryand business continuity issues as: * emergency response plan; * emergency notification procedures; * emergency relocation procedures;

* emergency access control and security; * emergency acquisitions and authorization; * emergency command centre requirements; * hot site-cold/site--warm site requirements; * asset management and retrieval; * product and distribution recovery; * vital records recovery; * telecommunications recovery; * electronics recovery/restoration; * hazardous contamination; * environmental compliance; * health and safety issues; * insurance loss documentation. Where do you begin? No planis more important than that for human health and safety. Singular and community-wide disasters You must write your planso that your recoveryprocedures and processes can be switched instantly from one disasterscenario to the other. For example, the same resources on which you depend to respond to your needs from a singular disastersuch as a fire or water damage at your building, must be able to respond equally well to your needs in a community-wide disaster. How thoroughly have you identified and prequalified your resources and alternatives in this area? It would be helpful to discuss with your facilities their own disaster recovery plansto see whether or not they are going to be able to respond if they are disabled by the same geographical disasterwhich affects you. You will have major notification, mobilization and acquisition concerns that may be more difficult to address in a community-wide disasterthan in a singular one. Your planning process must identify your needs and resources in both situations. Make sure your prequalified resources are able to respond 24. hours a day, seven days a week, and your contacts with them are updated. If they are local resources only, make sure they have a regional or national arm of their company that can come in to assist them in assisting you, or in providing you with the necessary supplies if they are affected by the same disaster. For example, if you are housed in a building with considerable glass, you may want to have all your glass premeasured, and then store the measurements in your glass company's computer, with a backup facility with this information elsewhere. You will also want to make sure that your labour resources can supply the necessary skilled labour, as well as general labour. Always consider singular, communitywide and hazardous material incidents when qualifying facilities and their capabilities. Notification procedures Some of the critical notification concerns you must address involve determining who gets notified, how they are they notified (and you must consider whether or not the telephone lines are operable) who notifies them, how often your notification list is updated, where a copy of that notification list is kept (always keep a backup copy off-site) and what mobile

communications equipment you will need to provide in advance. In addressing notification concerns, it is also important to have an updated listing of which facilities you own, lease space in, or are joint ventures. This information is critical in understanding who has legal responsibility for the physical recoveryprocedures and costs involved. For example, if you lease space in a building which has just suffered damage, your priorities, including retrieval of your critical contents such as vital records, etc., at that particular location, may not have been addressed in that building owner's plan. There could be a serious delay in the recoveryprocess. It is important to address these issues in advance and have thorough disaster recoveryprocedures in place at all locations. Delayed access Plansshould not be written with the assumption that the moment the fire is put out, or the water contained, the building can be occupied immediately. When damage occurs, and once the glass is stabilized, there can be a need for assessment of structural integrity, forensic investigations, or testing for toxic contamination, and this can delay re-entry into your facility. Allow for at least a 24-72 hour delay in accessing your facility when you write your plan. If hazardous materials are involved, you may not have access to your building at all for several weeks or longer. If you do not allow for delayed access, and it occurs, your disaster recovery planwill not work. Also identify in advance those areas of the building that you would need priority access to in order to do an initial emergency damage assessment. Establish a dialogue in advance with the proper authorities, and perhaps, depending on the type of damage involved, it may be possible for you to go in to the building, under proper escort, and assess certain specified areas fairly quickly. This would provide you with initial assessment information, allowing you to activate certain areas of your disaster recovery planmore quickly. Site assessment A planfor assessing the damage should address not only dealing with delayed access situations, but also whether or not special certifications will be required for entry into the building owing to hazardous contamination. Depending on the type and level of non-routine contamination such as polychlorinated biphenyls (lubricants), asbestos, lead, cadmium, mercury, etc., many government agencies require not only special protective gear, but special training to enter a contaminated or suspected contaminated site. You must comply with these regulations and training. Identify and prequalify in your planthose internal or external individuals who will provide the emergency response protocol, as well as the site assessment for you, and make sure your compliance documentation is up to date. It is also important to keep a current inventory of any hazardous chemicals materials you may have on site, facility by facility, and make sure you are in compliance with agency requirements. Your disaster recoveryplanning process must allow access to this information immediately. In addition to the normal structural repair and fire and water damage clean-up concerns, you may also be faced with corrosion, mould and mildew, hazardous contamination and microbial contamination. In the event of fire, heat and soot are generated, and areas of the building

you assume may be unaffected directly from the fire can still suffer damage. The initial damage assessment should always address both indirect as well as direct fire-damage areas. Contamination, such as fire combustion by-products, may lie hidden behind the obvious physical damage to the structure. These by-products are locked into the soot which condenses on all cool surfaces. For example, when heated, PVC generates hydrogen chloride gas. This gas, combined with water, forms hydrochloric acid, a very corrosive chemical. Other building materials can form sulphates and nitrates. A common cushion material, polyurethane foam, yields hydrogen cyanide when burned. Even fire-extinguishing chemicals can generate such by-products as hydrochloric acid, hydrofluoric acid and hydrogen bromide. Since each fire leaves its own unique chemical fingerprint in the soot, the chemical components are determined by what has burned, in what quantities, and under what conditions. Water associated with floods or fire suppression can carry contaminants also. Inorganic salts from building materials and atmospheric particulate matter can be deposited on exposed circuit boards. Also, chilled-water systems often contain glycol, which can adversely affect certain types of paper and magnetic media. The water's ionic content, acidity, suspended solids, and organic content should be analysed. Indoor air-quality issues such as proper decontamination of heating, ventilating and airconditioning systems must also be addressed to prevent future growth of microbial contamination and sick building syndrome. A thorough site assessment is critical in determining not only the extent of damage, but the time-frame and cost for recovery. Although an emergency site assessment of the critical and priority areas and contents of your building may be accomplished within several hours, it may be several days before the true extent of damage is identified. Assessment of contaminated sites will take even longer owing to the time-frames involved in analysis of test samples, and in some cases it may be as long as a week or longer before you actually know when you can re-enter to the facility, and that return depends on the levels of contamination and time allocated to decontamination. Relocation At what point do you temporarily relocate your employees and processes, and in what timeframe must you consider a permanent relocation? Your organization probably has a plan in place to bring up your critical business applications off site, but where will you relocate the remainder of your business units, and what are the time-frames in which you must do this? It is important to identify in advance not only the specific building or buildings you will utilize, but whether they can provide minimum requirements in the following areas: * Sufficient square footage, What is the minimum amount of space you will need for each of your departments to function! Which departments will need to be in close physical proximity to one another?

* Voice/data communications, Does your new site provide you with the necessary capacity, circuits, etc.? * Security. Does the new site offer you the potential for a secure environment? What additional security provisions would you need at this new site? * Fire protection. Is the building properly configured to meet your minimum requirements? * Environmental controls, Can the building meet your needs for clean room, data centre, vital records area, etc., environment? * Production area, warehouse space, chemical storage area, shipping and receiving capability. What are your minimum requirements in these areas, and can the new site provide them? * Parking and public transport, What are your minimum requirements regarding parking and public transport, and can your employees or customers easily get to your new location? Where do they park? * Compliance. Regulations regarding disabled access. Will your new site meet these requirements immediately? * Employee needs. If you are presently providing food access and/or day care at your facility, will your new site have the same capabilities? If your building is the only one affected by the disaster, then there will probably be facilities into which you can move fairly quickly, but will they allow you an effective business recovery and continuity In a community-wide disasteryou will have many companies vying for the same square footage and supply needs. Begin identifying alternative facilities, costs involved in acquiring alternative space, and legal arrangements that must be put in place for acquisition. Do not identify an alternative site in close proximity to your existing one. There is a very good chance that this close alternative site could be affected by the same geographical disturbance as your existing facility. Security Does your facility security planaddress disaster recoveryconcerns For example, would you need backup security in the event of a major disasterat your building? Have your prequalified resources in this area interacted in advance with your in-house security team to prepare for protecting the facility and its contents during the recoveryand restoration phase? Have you identified, for example, those specific floors or contents which will require special security? Will your everyday security access identification be sufficient when you have numerous outside personnel in your facility, and under different conditions? Special identification is strongly recommended, perhaps badges--with a special code or colour that can be changed daily, and identifies those locations accessible by that particular badge for those in your facility during the recovery. An important part of the preparedness process is to review your everyday security measures to see if they will work equally as well in a disastermode. Emergency authorization procedures As you review your list of emergency supply and acquisition requirements, also consider who can authorize major emergency purchases, at what monetary levels those authorizations change and if the authorized individuals will be available when you need them. Set

procedures in place with backup authorization to help facilitate recovery. Special accounting procedures may be needed for emergency purchases. For example, it will be important for you to document that these purchases had to be made as a result of the damage that occurred, or, that in order to make the building tenable you had to keep it open for 24 hours so that the proper personnel could perform necessary repair and restoration, thus increasing your utilities and labour costs for that period of time. Whether you have insurance coverage or are self-insured, it is your responsibility to help mitigate the loss. Insurance Insurance plays another major part in your disaster recoveryand business continuity plan, and it will be important to interact very closely with your risk manager or insurance coordinator (terminology differs from company to company). This individual can provide you with information on the coverages in place for both owned and leased properties, including the building, betterments and improvements, foundation, machinery and equipment, and stock and supplies. In addition to property coverage, most commercial facilities carry some form of business interruption insurance, and this coverage is usually on an actual loss sustained basis. Another coverage often provided is extra expense, which covers the reasonable cost incurred to operate the business as nearly normal as practical during the restoration period. Public relations All too often, the individual(s) who is (are) to act as the corporate or institution spokesperson(s) has (have) not been identified in the plan, or if they have been, identification of the individual(s) has not been communicated thoroughly to all employees. In addressing public relations or public affairs information, it is critical to understand that you must address not only media relations, but also internal and community-wide relations. There must be a clear-cut line of communication to the designated spokesperson(s), as well as specific instructions on how and when the individual(s) can be reached. In addition to the media, it is equally important to address internal public relations so that your employees will feel comfortable with the way the recoveryis being handled. For example, it will be important to let them know quickly that, although your business has been interrupted, they will still receive their pay cheques. Information on how and when this will take place should be issued immediately. If your organization has a high profile in the community, it will be important, for example, to let those community leaders know what your plansare for continuing your community service. The designated spokesperson(s) should be responsible for communicating all necessary information. Command centre requirements It is generally recommended that you have two disaster recoverycommand centres, along with an incident command cenrre. If your responsibilities include equipping these centres, there follows a list of some of the items which should be included. One centre is normally dedicated to the recoveryof the business operations, and a second command centre would manage the actual recovery:

* Command centre for recoveryof business operations will normally require a subset of current operational equipment, such as local area networks, sufficient communications, including telephones, terminals, and shared print capability, such as high-speed laser printers, fax machines (individual or a fax pool), sufficient cabling, etc. These equipment and capacity needs will be driven by your current business operations. You will also need cubicles, furnishings, lighting, and will want to set up desk supply kits for recoveryteams so that they can be functional immediately. Of course, food and showering facilities must be available. * Command centre for managing the recoveryshould include the necessary configured computer equipment, including: PCs, printers; fax machines (outgoing and incoming); software to manage the recovery; a news intercept program; paper forms for itemizing problem issues and resolutions (separate forms for each); wall boards to track the progress of the recoveryteams and to list problem areas; a building board specifically for facility restoration issues; and an environmental board on which you can track transportation exposures and utility issues. Sufficient communication equipment will be critical and should include telephones (or least one shared incoming line and one outgoing line per emergency operations centre member, monitors, scanners, television and video recorder, radio, pagers, cellular phones, and any other equipment which is specific to your company's recovery). Many company recovery plansalso include planning for a "war room" which is fully equipped to handle voice and data, has a subset of the necessary computer equipment, radio, television and video recorder, news intercept, and in many cases includes a direct link such as an intercom to the other two command venues. This war room is normally occupied by such individuals as the chief executive officer, risk manager, legal counsel, and public affairs officer. The command centre or war room might be set up in advance, fully equipped and utilized during normal business operations as a regular conference room. Most important of all, there must be an area designated for your emergency operations centre (how ever many you have), and you must know and planin advance what your requirements for operating the centre(s) will be. You will, of course, have already determined what your own facility management and security incident command centre will require. Vital records recovery Although most of your vital records may be backed up and stored offsite, your facility probably houses numerous paper records containing information critical to the continuation of your business. Those documents could include: vendor contracts; manufacturing specifications; architectural drawings; medical records; personnel files; permits; building engineering drawings and updates; material safety data sheets; fire safety evacuation plans; government agency compliance documentation; asset inventories; equipment operating and repair reference manuals; plant management and reporting data etc.; as well as archival documents which are required through legal retention schedules to be saved for specific periods of time industry by industry.

In addition, what work in progress, which is not backed up and stored off site and is critical to the continuity of your business, remains in your facilities each night? How, for example, would you planfor the recoveryof your claims files, litigation files, research and development information, accounts receivable, financial information such as your general ledger, etc.? Electronics recovery In many cases, business resumption depends on the availability of electronic equipment and data. Loss of these critical elements such as operating systems, applications, databases and files can seriously affect a company's ability to resume and continue its business. Quick and proper response in dealing with the affected equipment is critical to restoration. A critical component of your disaster recovery planwill be your electronic data processing (EDP) inventory. Just as with all your other vital record, you will want to have a backup copy of your hardware, software and communications inventory stored off site. You will also want to make sure that it is updated as new equipment is brought in to your facility. A thorough EDP inventory will identify not only the manufacturer's name, model, serial number and any special configurations, but also the physical location of the equipment. In recovering from a disasterit will be important for you as the facility manager to know where the critical equipment is located, and your disaster recovery planshould not only identify this, but should allow you access to this information whenever needed. It will also be important to prequalify your electronics and telecommunications restoration and replacement vendors in advance. You want to make sure that proper emergency measures are employed to mitigate the damage. If the equipment cannot be restored and recertified, you want to make sure you have sufficient lead time for replacement items. Management's commitment As we review this partial list of concerns which must be addressed (and we have not even begun to address in this article the critical area of information systems, telecommunications, establishing a crisis team and their tasks), it is easy to see the amount of man-hours which will be involved in accomplishing the development of the plan. As time is money, how important is this planning process? We must understand the true nature of cost of risk to an organization. While the term cost of risk is often used by today's risk management world, it is often less understood by disaster recoveryor business recoverypersonnel, or by their senior management. In a broad sense, cost of risk is a way of measuring a company's degree of risk by examining several of its worst possible loss scenarios. Once identified, these scenarios should be communicated to senior management so they, too, can begin to see and support the value of risk management and disaster recoveryplanning co-ordinating efforts. Failure to support these efforts can directly affect the company's bottom line. A well-designed,--implemented and--tested contingency planis a teamwork effort. Through thorough input from the managers of the areas we have discussed here, as well as others (including the possible use of external consultants) and utilization of the proper analysis and software planning products, you can accomplish this enormous, but necessary task, and you will be able to respond to unexpected circumstances and their requirements for business

resumption and business continuity. Application questions (1) Has your organization identified which vendors may need access to your facility after a disaster? Have proper identification systems been pursued to ease their access during a short time-frame? (2) If your internal security team was overwhelmed during a facility emergency, what additional resources in your community could you access? What if every local business was attempting to hire from the same pool of resources? (3) Who has access to your facility blue prints? What if that person was not available during a disaster? Pat Moore is Vice-President of Business Continuity Education for Strohl Systems, based at King of Prussia, Pennsylvania, USA. Strohl Systems and its global network of distributors provide disaster recovery, business continuity, and business impact analysis software and consulting services.

_______________________________________________________________
Indexing (details)
Subject Security; Contingency planning; Guidelines; Disaster recovery 5340: Safety management, 5100: Facilities management, 9150: Guidelines Critical elements of a disaster recovery and business/service continuity plan Moore, Pat Facilities 13 9,10 22 6 1995 Aug 1995 1995 Bradford Emerald Group Publishing, Limited Bradford United Kingdom Building And Construction 02632772 Scholarly Journals

Classification Title Author Publication title Volume Issue Pages Number of pages Publication year Publication date Year Publisher Publisher Place of publication Country of publication Journal subject ISSN Source type

Language of publication Document type Subfile Accession number ProQuest document ID Document URL Copyright Last updated Database

English PERIODICAL Security, Guidelines, Disaster recovery, Contingency planning 01098521 219641993 http://search.proquest.com/docview/219641993?accountid=31562 Copyright MCB University Press Limited Aug 1995 2010-06-09 ABI/INFORM Complete << Link to document in ProQuest

_______________________________________________________________
Contact ProQuest
2011 ProQuest LLC. All rights reserved. - Terms and Conditions