Prepared or not ... that is the vital question: when unplanned events or full-blown disasters strike, RIM professionals must have a strategy to ensure survival and at a cost that organizations can afford.
* defines three types of disasters and explains how to deal with them
* identifies potential natural, mechanical, and human risks
* provides an outline and guidance for creating a disaster plan
Too few organizations are prepared for the emergencies that wait just off stage--their entrances are unrehearsed, but they will happen. Every day, there is the chance that some sort of business interruption, crisis, disaster, or emergency will occur. How prepared organizations and records and information management (RIM) professionals are to handle these events may determine whether those organizations--and RIM jobs--will survive. In fact, according to the U.S. Bureau of Labor, 93 percent of companies that suffer a significant data loss are out of business within five years. A 2002 Gartner survey found that only 35 percent of small and midsize businesses have a comprehensive disaster recovery plan in place.
Another Gartner report, The Business Continuity Readiness Survey, revealed that only 36 percent of the companies and government agencies surveyed have a plan for the complete loss of their physical assets and workspace.
Whether an unplanned event or full- blown disaster strikes an organization, having an adequate, comprehensive, and tested contingency plan can mean the difference between functioning as usual and not functioning at all. Management must implement a strategy to ensure an organization's survival at a cost, in terms of money, time, and effort, that it can afford.
What are Disasters?
The U.S. Code of Federal Regulations (CFR) in 36CFR1236 defines a disaster as "an unexpected occurrence inflicting widespread destruction and distress and having long-term adverse effects on agency operations." An emergency is defined in the same CFR as "a situation or an occurrence of a serious nature, developing suddenly and unexpectedly, and demanding immediate action."
Identifying Potential Risks
In planning to meet potential disasters and emergencies, organizations must identify what those disasters might be and how they could impact operations. The potential severity of these events greatly influences the response and the cost to protect against and recover from them. While the exact nature of potential disasters and their impact may not always be predicted, the benefits derived from identifying potential hazards and then working to eliminate or mitigate them are obvious.
Level of Impact
Most disaster planners divide the possible threats and hazards into three areas:
1. Natural or environmental threats or hazards
2. Technical or mechanical hazards
3. Human activities or threats
Disasters must be identified by the extent of their influence. The broadest range of influence affects large populations. They may be community-wide, such as an earthquake, tornado, flood, power blackout, or terrorist act. These would affect not only one organization, but thousands of others as well.
Disasters that may be local to one building or a few businesses and people might include a water leak resulting from mechanical failure or faulty building construction. Another local disaster could be caused by arson, which is said to be the most prevalent cause of business fire disasters today.
Disasters may be individual, affecting only one organization or department. The disgruntled employee's sabotage of computer record systems is becoming a more common, costly problem. And lost or misplaced files can cost companies tremendous amounts. In fact, lost information often damages an organization more seriously than a major natural disaster. Yet these occurrences are often easy to prevent by educating staff about simple safety and record handling procedures.
Business Impact Assessment (BIA)
In disasters, RIM professionals must have a strategy to ensure the survival of their organization's information. Human life is always the first consideration in any emergency or disaster. The next issue is the risk to mission-critical functions and operations. A business impact assessment/analysis (BIA) is a process or methodology that determines critical functions of an organization's business or mission. The BIA involves identifying such functions and determining the impact of the unavailability of records and information to keep those operations going. The BIA presents findings documenting the financial, service level, or other impacts to the organization.
Sample BIA questions might include:
* If the online computer systems were not available, how would the department continue to operate?
* What is the minimum office space the organization needs to continue to operate?
* Could the organization operate without most of its office equipment for five days?
The BIA also determines declines in service levels, the areas of a company most likely to be impacted, an estimate of the effects, and the anticipated allowable recovery time. The process includes workflow analysis to determine business-process interdependencies and interviews with department heads to select restoration sequencing. This analysis is essential to establishing the proper sizing and configuration of the selected recovery strategy.
The Planning Process
It takes planning to be prepared to prevent the worst from happening and practice in order to recover and survive. Investing in the planning process can be thought of as a type of insurance. The basic planning steps include:
Step 1: Obtain Top Management Support and Commitment
The first step is to secure senior management support and commitment. They must be responsible for coordinating the development of the disaster preparedness and recovery plan as well as implementing and maintaining it. For the plan to be effective and ongoing, adequate time and resources must be committed to the process. Appropriate resources will include financial allocations, specific staff time involvement, and general staff education.
Who will develop and implement the plan? Will outside consultant help and software programs be necessary? How much time and capital should be devoted to program development, implementation, and maintenance? These and other resource and scope questions can only be answered at the senior management level.
Step 2: Establish a Planning Committee
The second step involves people. The planning effort will need leaders. A disaster planning committee should include representatives from all functional areas of the organization. Key committee members should include operations/administration management, computer processing, and RIM professional staff. The committee will define the scope of the plan and develop a policy statement.
Step 3: Perform the Risk Assessment
In order to allocate appropriate funds for developing programs to prepare, protect, and recover from a disaster, there must be an adequate and thorough risk assessment. The risk assessment is an analysis that includes the
* identification of and likelihood of various types of disasters (natural, human, and technical) occurring
* consequences and impact on the entire company of each disaster scenario
* estimated costs of lost/damaged information/records and lost time and customer goodwill
* costs to replace and restore records, equipment, and facilities, as well as to hire or replace staff, versus the costs to develop and maintain the disaster plan
* risk of the worst-case scenario striking the organization
Step 4: Establish Processing and Operating Priorities
The critical operating and processing needs of each department should be carefully evaluated. Part of the preparation must be concerned with business as usual, only with fewer--perhaps untrained--staff located in another building or city, and with fewer supplies. Other operational concerns include:
* What equipment is needed to complete jobs, e.g., computers, copiers, calculators, or microfilm reader/ printers?
* What communications devices are required, e.g., phone, long-distance lines, or fax machine?
* What if the main phone system is affected by the disaster?
* What detailed steps and procedures must be followed? Where are these steps documented?
* What people will be needed to complete daily business? Will they be able to work and under what conditions?
* What vital records (those records that should they be destroyed, lost, or stolen would place the organization in jeopardy of survival) must be protected? (Editor's note: Comprehensive information on this topic can be found in ARMA's Vital Records Programs: Identifying, Managing, and Recovering Business-Critical Records, which is an American National Standard Institute standard available through the ARMA online bookstore.)
These questions must be answered and prioritized as part of the disaster preparedness process. While many organizations have some sort of disaster/contingency plan for their computer-generated records, few have adequate provisions for the same type of identification and protection of their paper records (especially inactive records), and even fewer address the maintenance of regular business functions during an unplanned event.
Step 5: Perform Data Collection
This important step involves
* determining and locating external resources and making contracts/ agreements with them
* determining backup/duplication systems
* preparing staffing information
* gathering various inventories, e.g., records, equipment, supplies, or forms
* locating policies and procedures manuals
* preparing master lists, e.g., staff, telephone, vendor, or insurance
* reviewing all security systems
* evaluating the facilities for potential problems
* locating cold sites (an unequipped facility that can be used as a backup site) and hot sites (a backup site that has the equipment and supplies to recover affected business functions)
Step 6: Prepare the Written Plan
Where feasible, it is advisable that the staff is involved in the planning phases and updating of the plan. An outline of the plan's contents should be prepared to guide the development of the detailed procedures. Top management should review and approve the proposed plan. Any changes to the scope and goals of the plan will be finalized before writing the formal plan.
A standard format should be developed to facilitate the writing of the detailed procedures. If the organization decides to use a software package for this plan, the software should be easy to understand, use, and update. In addition, there should be procedures that allow key personnel or an outside consultant to review the plan on a regular basis.
Just as staff in all areas of the company should be involved in the planning process, internal teams need to be created to implement the disaster procedures. Responsibilities should be assigned to appropriate teams for each functional area of the organization. Some of the teams' functions include
* administrative activities
* facilities services
* user support
* computer and hard copy backup systems
* department operations
Those responsible for the filing, storage, and retrieval of an organization's records (including vital records) must understand and be able to execute the plan, performing protection, recovery, and, possibly, salvage tasks for their areas of responsibility.
Step 7: Test the Plan
It is essential that the plan be tested and evaluated on a regular basis--at least annually. The tests ensure that the plan's steps and assumptions are accurate, inclusive, and, most important, that the staff can easily follow them. Other objectives include
* identifying areas in the plan that need modification
* reviewing the reliability and compatibility of backup systems, facilities, and procedures
* ensuring that backup and duplication procedures are adequate and appropriate
* providing training for team members
* demonstrating the organization's ability to recover
* providing motivation for maintaining and updating the plan
After testing procedures have been developed, an initial test of the plan should be performed. This test should be done in sections, by each operating unit and after normal business hours, to minimize disruptions to the overall operation of the company.
Recovery and Salvage Processes
The disaster has happened. What now? If the event occurs when people are in the building, the first concern will be for the safety of the individuals inside. Practice drills should be conducted on a regular basis to reduce panic during the real event. Escape routes and procedures for evacuating the building should be presented to all personnel and visitors. The following are recommended steps for an effective recovery operation:
Step 1: Assess the Damage
The first step immediately following a disaster is to assess the type and extent of the damage. Once an accurate assessment has been made, salvaging operations may proceed based on the priorities established in the plan. The basic objective of salvage and recovery operations is to stabilize the condition of the records before and after removing them from the disaster area by creating the necessary environment to prevent future damage.
Questions that should be answered include:
* How much damage has occurred?
* What kind of damage is it? (fire, smoke, soot, clean or dirty water, heat, humidity?)
* Is it confined to one area or is the entire building affected?
* What types of materials have been damaged? Are the records vital, important, or non-records?
* Are the containers holding the records damaged? Will it require help to remove the records?
* Can internal staff salvage the records, or will outside resources be required?
* Has contact been made with the insurance carrier and supply sources?
Step 2: Stabilize the Environment
Mold grows in 48 hours or less. Paper starts sticking after 24 hours and warping after 48 hours. Microfilm and photograph emulsion begins to break down within 24 hours. Therefore, it is critical that the environment be stabilized as quickly as possible. The following equipment and supplies should be readily accessible to help with this task:
* portable power generators (if backup power is not available)
* pumps to remove standing water
* fans to circulate air
* thermometers, hygrometers, and/or sling psychrometers to measure temperature and humidity
* plastic sheeting to hold wet records and material and to protect dry materials
* absorbent paper, such as newsprint paper, paper towels, or wax paper
Step 3: Activate the In-house Recovery Team
Organize the work crews. Be sure procedures are understood by all members and that responsibilities are clearly defined. Plan for frequent rest breaks; food and beverages should be available.
Step 4: Restore the Area
After the plan has been activated, the initial problems handled, and people are safe, the area must be cleaned. Fungicides and other chemicals should be used by professionals.
Other Recovery Considerations
In most scenarios, an organization's staff will not participate in the actual recovery process. Many processes require the use of hazardous and dangerous chemicals or knowledge of detailed salvage methods. However, internal staff should know how to act quickly and effectively in obtaining outside help and supplies. In small, localized disasters, knowledge of recovery techniques and being able to complete simple recovery steps may be all that is required to save the records, information, or equipment.
There are restoration companies that can assist with the technical and dangerous recovery processes and activities. Knowing who they are and possibly having written agreements with them will be particularly crucial in times of widespread disasters, such as earthquakes or floods, when many organizations will be seeking help.
Disaster planning involves more than offsite storage or backup processing. Written disaster/emergency plans must address all the critical business operations and functions. It must include methodologies for protecting and recovering both hardcopy and electronic information and records. It must provide information on the organization's non-information--its equipment, supplies, security systems, forms, and checks. It must include documented and tested procedures and methods to update and revise the plan.
No organization is immune from disasters. A disaster plan, however, like insurance, provides a measure of protection. It gives the organization a road map or path to follow and provides a tool to make decisions under stress-decisions that sometimes are life-or-death. Above all, when the unplanned emergency happens or disaster occurs, an effective disaster plan will help you and your organization return to business-as-usual as soon as possible.
Potential Types of Exposure Natural Threats Technical and Human Activities and Hazards Mechanical Hazards and Threats Fire Power outage/failure Computer error Flood Gas leak Lost or misfiled documents/records Hurricane Software failure/ malfunction Vandalism Earthquake Sewage failure/backup Theft Lightning strike Building structural failure Bomb threat Tornado, wind storm Electrical shortage/ faulty wiring Civil disorder Snow and ice storms Toxic spill Strikes Wind Radiation contamination Kidnapping Tidal wave Loss of physical access to resources Terrorism Typhoon Biological contamination Sabotage Mold and mildew Train derailment/ airplane crash Loss of key personnel Insects and rodents Epidemic
ARMA International. Vital Records: Identifying, Managing, and Recovering Business-Critical Records (ANSI/ARMA 5-2003). Lenexa, Kansas: ARMA International, 2003.
Commonwealth Films Inc. Ready for Anything: Business Continuity, Disaster Recovery, Preparedness. Boston: Commonwealth Films, 2002 (videocassette).
Disaster Preparedness Seminar Proceedings--1991. Atlanta: Southeastern Museums Conference. Pamela Meister, Editor.
Federal Emergency Management Agency. An Integrated Approach to Natural Hazard Mitigation. Washington, D.C.: Federal Emergency Management Agency, 1995.
Fortson, Judith. Disaster Planning and Recovery: A How-To-Do-It Manual for Librarians and Archivists (How-To-Do-It Manuals for Libraries, No. 21). Neal-Schuman Publishers: New York, 1992.
Jones, Virginia A. and Kris E. Keyes. Emergency Management for Records and Information Programs. ARMA International: Lenexa, Kansas, 2001.
Jones, Willie M. "Trial by Tornado." InfoPro. March 2000.
Myers, Kenneth N. Manager's Guide to Total Contingency Planning for Disasters: Protecting Vital Facilities and Critical Operations. New York: John Wiley & Sons, 1999.
National Archives and Records Administration. Vital Records and Records Disaster Mitigation and Recovery College Park, Maryland: National Archives and Records Administration, 1996.
Robek, Mary F., Gerald F. Brown, and David O. Stephens. Information and Records Management: Document-Based Information Systems, 4th Edition. New York: Glencoe/McGraw-Hill, 1995.
Stremple, Rosalie and Michael F Martone. "Disasters Come in All Sizes." InfoPro. March 2000.
Tiogo, Jon William. Disaster Recovery Planning: Managing Risk and Catastrophe in Information Systems. Englewood Cliffs, New Jersey: Yourdon Press, 1989.
READ MORE ABOUT IT
Contingency Planning & Management Magazine. Flemington, New Jersey: Witter Publishing Corp. Available at www.contingencyplanning.com (accessed 1 April 2003).
Disaster Recovery Journal, The St. Louis: Disaster Recovery Institute. Available at www.drj.com (accessed 1 April 2003).
Lewis, Steven. Disaster Recovery Yellow Pages, 12th Edition. Newton, MA: The Systems Audit Group, 2003.
The U.S. Federal Emergency Management Administration has a library of preparation and prevention publications that can be downloaded free from www.fema.gov/library/prepandprev.shtm (accessed 1 April 2003).
To locate disaster recovery services and products, consult ARMA's Records and Information Management Buyer's Guide or purchase the Disaster Recovery Yellow Pages, 12th Edition, through the ARMA online bookstore, both at www.arma.org.
RELATED ARTICLE: Sample outline of a disaster/contingency plan.
1 Introducton A. Policy Statement B. Purpose C. Overview 1. Definitions 2. Scope 3. Objectives 4. Structure of plan D. Planning Process Description (use of flow chart) E. Organization Documents 1. Organization description 2. Security/backup systems 3. Floor plans of electrical, water, exits 4. Insurance documents 5. Resource lists/contracts a. Equipment vendors b. Water-related recovery c. Supply/forms/blank checks d. Storage companies 6. Organization inventory 7. Vital records listing 8. Locations of operating procedures 9. Distribution of the plan 10. Maintenance of the plan F. Testing/Training 1. Program description 2. Types of tests 3. Testing frequency/schedules 2 Risk assessment A. Description B. Detailed risk assessments C. Results 3 Event Descriptions/Procedures A. Level One/Category One B. Level Two C. Level Three D. Level Four E. Level Five 4 Team Responsibilitities/Organization A. General B. Management C. Logistics D. Users E. Records and Information Systems (computers) 5 Restoration Procedures A. Specific procedures for handling each type of probable disaster B. Equipment and supply lists with phone numbers 6 Auditing Procedures
Barb Rike, CRM, is a consultant with BRike Consulting in Richardson, Texas. She may be contacted at Barbr28@hotmail.com.
|Printer friendly Cite/link Email Feedback|
|Publication:||Information Management Journal|
|Date:||May 1, 2003|
|Previous Article:||Information at a price: liberty vs. security: follow-up legislation proposes to increase the sweeping domestic intelligence and surveillance powers...|
|Next Article:||A disaster plan in action: how a law firm in the World Trade Center survived 9/11 with vital records and employees intact.|