Plante & Moran
Disaster Recovery Planning
More collaboration forces more comprehensive strategy.
Itís been an interesting year. May brought an unprecedented number of tornadoes wreaking havoc throughout the Midwest. July was marked by powerful thunderstorms, which caused many businesses to lose network access and power ó in some cases, for days.
And then there was the blackout that caught all of us off guard just a few weeks ago. How did your organization fare in light of these disasters? Was it business or usual, or was your organization virtually inoperable for minutes, hours, even days?
The demand for business continuity and recovery solutions has never been higher. For many, the events of 2003 proved eerily enlightening in terms of just how vulnerable an organization can be. Businesses are inextricably bound to technology, and that dependence will only continue to increase.
Consequently, if your IT system goes down, the likelihood that an auto supplier can continue day-to-day operations is slim. This, of course, hits a company where it hurts worse ó its bottom line ó in addition to other concerns such as reduced productivity, loss of customers and brand value and legal liability.
To avoid these problems, itís necessary to develop a comprehensive disaster recovery/business continuity plan.Hitting Close to Home
Itís crucial that auto suppliers prepare for these disasters ó even more so than other companies, because of the way they operate and share information with customers and vendors.
As little as five years ago, most auto suppliers had largely internalized their IT systems. They had their own server and all applications were in a central location. If you backed up your servers and stored the collection tapes off-site, you knew you were in pretty good shape.
Then EDI came around and this involved using an outside EDI provider. All of a sudden, you needed to be concerned about what your EDI provider was doing to back up their servers. Were their computers going to stay up? Would your customers get their orders in the manner to which they were accustomed?
When the Internet arrived, auto suppliers started collaborating and communicating with customers and suppliers using e-mail and conducting transactions over the Internet via certain software applications and exchanges. So your e-mail servers needed to be backed up. And then you were conducting transactions over the Internet through certain software applications.
Today, collaboration among suppliers is at an all-time high, especially when it comes to product development and supply chain management.
In the product development area, suppliers are sharing designs and drawings. Theyíre suppliers are also sending RFQís out to their suppliers to get a quote on a part. This may entail putting that RFQ out on a web site that might not even be hosted by your company.
Moreover, you may receive an RFQ from a customer, which youíd then send to your supplier to get quotes on the materials. Through the supply chain, businesses are now sharing inventory data from customers to multiple suppliers and back and forth, which involves data on multiple servers. In short, IT complexity is increasing to the point that your data may be spread out over many organizations and many servers. These servers can be hosted by the software vendor.
Therefore, even if a blackout doesnít affect your location directly, it may affect any number of third parties with whom youíre sharing information. This creates all kinds of other issues. Who owns the data, them or you? Are the third parties properly backing the data up? Maybe it affects the software vendor. Your data can be disrupted or even lost. Data ownership issues, service level agreements, audits and assessments are things that need to be done to be sure the parties are up to the level of security and back-up procedures. Now you need to be concerned about their business continuity plans as well. Itís important to not only have your own disaster recovery plan but to also be vigilant about ensuring the organizations with which you do business have and are enforcing theirs. Develop a Plan
A complete disaster recovery plan includes the following elements: a commitment to continued business operations, an assessment of risk and probability, an application prioritization, assistance in determining personnel responsibilities, a list of resource requirements, and an analysis of recovery strategies. The two major phases of disaster recovery planning are : (1) risk analysis and (2) disaster plan development.
The key variables in a risk assessment analysis are impact and probability. Once a specific threat is identified (a power outage, for example), what are the impact and probability of this event? The answer to these questions will vary according to an auto supplierís location and operations. For example, in some parts of the world, a power outage is a common occurrence. For most of us, itís infrequent.
For some businesses, even a momentary power outage can mean disaster, but for others, even a few days are not a problem. The ultimate impact, and the dollars lost, are relative to your organizationís size, complexity, and reliance.
The first step of a risk analysis is to determine the probability that a particular disaster may occur. You must first determine the probability of an event in a certain timeframe. Given enough time, almost anything can happen.
Generally, however, suppliers should consider a one- to five-year period. The blackout of August was the first of its kind since 1977, but lightening strikes are common ó and can cause all kinds of localized power outages. Put simply, determine your risk and plan accordingly.
The second step of the risk analysis is determining impact, or what the dollar amount of damage an organization would absorb would be, if the an event occurred. Lowest impact events, like losing a light bulb, need not be a concern. Theyí are everyday events, almost business as usual.
However, higher impact events, like the loss of a disk drive, or a total loss of power, must be mitigated as the financial impact to the business can be much greater. You want to identify all tangible and intangible impacts on your business that would result if the core business processes were disrupted for an extended period of time. Disaster Plan Development
A disaster recovery plan is intended to facilitate the restoration of business operations at a level of functionality and within a timeframe acceptable to management.
Critical recovery resource requirements and recovery time objectives (RTOs) should be set and will serve as a basis for analyzing alternative recovery strategies.
The disaster recovery plan should include:
What To Do About Third Parties
- Core business functions to be recovered.
- People, equipment, processes and supplies necessary for recovery of the core business functions. Perform an impact analysis for setting recovery priorities.
- Shared computers and communications required for the recovery.
- Personnel required to respond to the crisis, make the transition to alternate facilities and perform business functions and support services.
- Checklists of specific steps required to recover business processes in alternate facilities.
- A plan for periodically testing and exercising the disaster recovery plan.
As mentioned earlier, itís not enough to simply protect your own company, given the amount of shared information with suppliers and customers, itís equally important to make sure these third-party organizations are as vigilant in protecting your data as you are. Consider the following action steps:
Protect Your Business
- Review your suppliers and customers recovery plans.
- Review your service providers recovery plans (e.g. telecom, ISP providers).
Considering vulnerabilities to disaster, and subsequently guarding against them, is hardly your core business. However, given recent events and companiesí increasing dependence upon technology, itís important to make planning it a priority and to carry it through ó to do the analysis, and make the logistical arrangements a comprehensive preparedness plan demands and to continually test and refine that plan in an ongoing way. Make one companyís disaster your business as usual. Raj Patel is Manager of Security Assurance with Plante & Moran in Southfield, Michigan.