Every CIO worth his/her salt will strongly defend their Disaster Recovery (DR) plans and claim that they work well and are aligned to the Business Continuity Plan (BCP). It's only when some kind of disaster strikes that the reality test comes to the fore. When IDC recently redefined expectations by adding new dimensions and calling the result Dynamic Resilience, I wondered whether the new paradigm would fly with our business users. I quote below the definition put forward by IDC:
Business continuity as a partner with security, which encompasses: high-availability/fault-tolerant computing, performance monitoring, RAID (redundant array of independent disks), SAN (storage area network), NAS (network-attached storage), load balancing, disaster recovery, back up, archiving, continuity services, consulting, implementation services, management services, and training and education. The holistic implementation of these fundamental enterprise controls, with constant testing and reviewing, will make for a dynamically resilient company.
That is indeed a holistic definition of what constitutes business continuity and disaster recovery readiness. But fundamentally this does not make sense to me, as it ignores one key element, i.e. people. So when they invited me to speak at a seminar to unveil their concept, I had many questions, which I put to the audience as well as to my fellow speakers.
When disaster strikes, do people behave rationally? What is paramount on everyone's mind? It's their own safety and that of their family and near ones. It's a rare possibility that anyone will immediately commence execution of the BCP/DR steps towards recovery or continuity of services. In most cases, plans fail to address this effectively.
Humans are not unemotional machines that swiftly switch from one mode to another based on a stimulus. If a router fails in a well-implemented setup, for example, the standby can take over with no disruption to the service. People will not act this way, even if trained with repeated drills.
When you have a crisis and are restoring status to business as usual, is training and education a priority in any way? The premise above expects business readiness even for such tasks. One could argue that in a people-oriented business activity like a BPO or call center, it may be worthwhile to give this service priority during a disaster, but only if you could find the staff to take over from those who are indisposed or unavailable.
Disasters like 9/11 (NY, USA), 7/26 (Mumbai, India) or Katrina (USA) impact large segments of the population. When an entire city is impacted, such plans could be executed from other locations. The above will then be useful not for invoking the BCP/DR but for reverting to normalcy. Once again, the BCP/DR plans should focus on how to revert to normal with minimal disruption.
What is the preparedness of your organization when facing any such event?