Â© 2007 Cynthia Golden and Diana G. Oblinger
EDUCAUSE Review, vol. 42, no. 3 (May/June 2007): 10–11
The Myth about Business Continuity and Disaster Recovery
"We've Got Backups, So We're Ready for Any Disaster."
On most campuses, central systems that manage functions like payroll, human resources, development, and registration are backed up every night. So are course management systems, mail servers, and other key systems that run the campus IT infrastructure. Having well-managed processes that include full and incremental backups of data and that utilize offsite storage is, however, no indication that a campus is ready for a disaster. Backup procedures form only one part of a complex plan that should involve senior administrators, business and operational units, faculty, students, and, yes, technology to ensure that the institution can operate through and beyond a disaster situation.
The man-made disaster of 9/11 and the hurricanes and tornadoes of more recent years have focused attention on campus preparedness for disasters. But most campuses will not see such dramatic events. A broken water pipe, a cable cut by a local construction company, or an electrical failure is far more common. In a recent survey by the EDUCAUSE Center for Analysis and Research (ECAR), about half of the respondents reported that in the past five years, they had experienced disruptions that had triggered an emergency response by the IT group.1 These seemingly minor events, as well as major natural disasters, can be devastating to a campus. The process of anticipating potential problems, assessing risk, and preparing for recovery and continuity of campus operations during and after a disaster is not just the IT group's business—it is everyone's business.
Planning for business continuity, defined as the institution's ability to maintain or restore its business and academic services when some circumstance threatens or disrupts normal operations,2 needs to involve a collaborative and integrated campus approach in which each department understands the role it will play in restoring services, managing the crisis, and returning to normal operations. Although IT departments have traditionally been the drivers of the recovery process, they cannot accomplish campus recovery and continuity without help. Others on campus are critical to the success of this process:
- Senior administrators and boards must clearly understand the risks of not being prepared for problems when the campus is not ready or able to handle a disruptive event: damage to the institution's reputation; loss of instruction time, research data, and eventually, students. Support and direction from the president and senior officers can serve as a catalyst for planning and preparation. Senior executives can establish a leadership structure, delineating expectations and accountability for every unit on campus to ensure involvement.
- Department-level administrators play a pivotal role in the planning process. They have direct responsibility for how a process will operate. On one campus, the payroll manager used to quip: "If payroll goes down, get a big basket of money and pay the faculty first." Understanding how—and being able—to move to a "manual" mode for some campus processes can be a key part of the planning and preparation. System enhancements made for the sake of business-continuity readiness can actually drive the overall reliability of daily operations, a benefit that engages many of these administrators.
- IT not only plays a crucial role in the recovery of the technology but also facilitates communications during some disasters.
- Faculty engagement in the process ensures that business continuity can be built into academic activities (e.g., alternative ways to deliver classes, determination of potential impact on research data), as well as administrative operations.
- Auditors are often instrumental in the process of business-continuity planning, not only acting as compliance drivers but also helping to assess risk.
The process of producing an institutional plan for continuity after a disaster is probably as important as the plan itself; its benefits will be evident even if the plan is never needed. Much like Y2K, business-continuity planning requires that key stakeholders work together to assess risk, prioritize work, and engage other campus units. Planning develops understanding across campus units, builds relationships, and fosters confidence.
The process of planning may also reveal weaknesses in current processes or systems. Addressing these weaknesses can improve campus operations on a day-to-day basis—a potential "selling point" for business-continuity planning on campus. The planning process could, for example, identify the need for immediately replacing or upgrading aging hardware, resulting in less maintenance downtime and fewer system outages for a key campus operation.
But producing an integrated campus plan is only one part of the process. If the plan sits on a shelf, it does no good. Testing the plan is an ongoing project. If backup tapes have never been tested, they may not work at a critical recovery point, and data won't be restored. If the payroll process is not routinely tested at the hot site, what price might the institution pay in the event of a disaster?
Lack of adequate funding is reported as the primary barrier to business-continuity planning, according to respondents to the ECAR survey.3 But even though having an effective plan will likely require an investment of resources, the cost of investing is typically much less than the cost of trying to recover from an unplanned disaster. If things go very wrong, the cost to the institution's reputation can't be underestimated. Developing a financial model that allocates resources for business-continuity planning and that does so across all institutional units is necessary for a plan to be successful.
In thinking about business continuity and disaster recovery, the CIO and other members of the executive team should ask themselves the following strategic questions:
- Can we risk not having a well-developed disaster-recovery plan? Performing risk assessment and identifying vulnerabilities can help a campus begin the planning process.
- Is business continuity considered an IT issue, or is it considered everyone's responsibility? Although "disaster recovery" has long been seen as the domain of the IT unit, the involvement of everyone on campus is key to recovery.
- Are we conveying the importance of business continuity in our planning, support, and communications? Senior executives and campus leaders must work to foster an environment in which being prepared for problems and building recovery into normal business are part of the routine.
- As we develop the plan, are we willing to address any/all shortcomings that are found? Doing so will not only benefit the planning and recovery process but also have an immediate, positive impact on campus life.
Even the most thorough and well-funded plan has people at its core. People make the plan work, and the success of every recovery process depends on people. If everyone realizes that the planning process is a priority—and understands the role that he/she plays in the process—a successful plan and a prepared campus is the likely outcome. During an EDUCAUSE business-continuity summit, CIOs involved with Hurricane Katrina noted that good communication—before, during, and after an event—is what makes everything work. During a disaster, the safety of people comes first, followed by the restoration of campus operations. Having multiple communication channels (including parents, students, faculty, staff, and the public) enables a campus to deal with the circumstances of the moment, to make those decisions that can be made only during the actual event, and to eventually resume normal operations. In short, people are the essential "backups" for any disaster.
1. Judith A. Pirani and Ronald Yanosky, "Shelter from the Storm: IT and Business Continuity in Higher Education," EDUCAUSE Center for Analysis and Research (ECAR) Key Findings, March 2007, 6–7, http://www.educause.edu/ir/library/pdf/ecar_so/ers/ERS0702/ekf0702.pdf.
2. Ibid., 2.
3. Ibid., 3.