Why Don't We Do It in the Road Ahead?
—Part 3, Security Enhancement
Business continuity planning, page 4: The road to recovery
Jerry Laiserin

True recovery planning is based on the belief that all plausible threats to or “interrupts” of a firm's IS/IT and communications operations can be assessed, weighted for their probabilities, and guarded against to a level consistent with appropriate risk-management strategy. No reasonable system can protect against all conceivable threats, but it is management's responsibility to ensure a prudent level of protection for the continuity of the business. To be blunt about the business strategy implications, the more devastating the business threat, the greater is the competitive advantage to be gained by those firms able to recover the fastest.

Without going into an itemized checklist of recovery planning procedures, which would be beyond the scope of this article, a few guiding principles may be relevant. Planning should radiate outward in concentric rings of risk, starting with the firm's own premises. Thus, damage to contents of the firm's premises would trigger one level of recovery—perhaps drawing on locally stored off-site backup media, and assuming that current personnel would remain available for restoration and continuity after the incident. Even so, what alternative premises would be used? Where would the replacement PCs and other equipment be procured and configured (and how quickly would that happen)? The point here is that restoration of all data, programs, passwords and security policies to the firm's servers (or their off-site replacements) cannot alone restore the firm's operations.

Larger-scale threats require different solutions. For example, with or without damage to a firm's own premises, a building-wide (or neighborhood) incident could render the firm's premises temporarily inaccessible. What alternative premises, equipment, etc.—as well as off-site backups and documentation—will be available? A prudent recovery plan should address the possibility (however slight) that key IS/IT personnel may not be available to implement a recovery plan; therefore, appropriate documentation and contingency recovery-team organization must be in place.

Threats need not be as dramatic as destruction of premises and equipment or loss of life. Prolonged loss of power or other building services could render the firm's premises effectively unusable—as in a high-rise building—even though the firm's own quarters, equipment, and personnel remain otherwise intact. For these reasons, an increasing number of firms are reevaluating centralized IS/IT strategies and office locations (in which the concentration of firm resources creates a single point of failure). Especially since September 11, 2001, many organizations have decided to turn (or return, as the case may be) to a more decentralized or distributed configuration of IS/IT resources. The resulting redundancy, while not optimally efficient, does improve robustness and recoverability. Similarly, firms that may once have rejected outsourcing and/or external hosting of mission-critical software applications as a security threat are now reconsidering this ASP (applications service provider) model for the greater level of survivability and recoverability it affords.
JL
