Literature Review

LITERATURE REVIEW
Running head: LITERATURE REVIEW
Literature Review: Disaster Relief
Student
Date
The research literature covers business continuity and disaster relief (BC/DR) themes in
some depth. Although the projects detailed in these papers were not necessarily undertaken as
action research studies, they provide a useful source of information about the BC/DR process.
This information includes defining what disaster recovery and business continuity entail, and
how to determine which functional areas are essential for successful recovery, especially in terms
of information technology (IT) functions. These articles also cover how to plan and implement
BC/DR strategies, the role of IT in these processes, and whether previous BC/DR strategies have
proven useful for specific organizations. This literature review both justifies the need for
successful BC/DR strategies and documents approaches that may be taken toward their
utilization.
Swartz (2003) discusses BC/DR plans and which elements are needed for their success.
These plans are defined as policies that “ensure a strong likelihood that [businesses] will survive
a disaster without long-lasting adverse effects,” but Swartz (2003) notes that only around one-fifth of American businesses have developed them. Many organizations prioritize business
continuity methods that take IT into account, but there are other elements that are important.
Plans should be made using input from, and considering the needs of, facilities management,
human resources, and executive staff (Swartz, 2003). According to Swartz (2003), overall BC
plans should include DR as a subcategory, alongside other types of disruption that may cause
varying amounts of damage. They must also determine backups and alternatives for processes,
especially IT functions, along with which functions cannot be interrupted for the business to
remain viable. Although Swartz (2003) often gives broad recommendations, they could prove
useful for establishing general BC/DR policies.
Business continuity management, and its goals, are further discussed in Jones (2011).
According to Jones (2011), BC management is a comprehensive process, which determines
likely risks and their potential impacts, and plans for both risk mitigation and DR strategies. This
process must consider not only an organization's stakeholders, from customers to employees, but
also its brand and value-generating functions (Jones, 2011). Furthermore, it must be “fully
integrated across the entire organization” to be effective (Jones, 2011). Along with incident
response, information security and records management should also be considered. This includes
documenting records and information systems to be protected and recovered, and codifying
policies for doing so; however, Tijan et al. (2009) discuss these processes in more detail. An
organization must consider its goals for BC/DR plans. The Federal Emergency Management
Agency (FEMA) states that the main BC/DR goal is “to reduce the consequence of any
disruptive event to a manageable level” (Jones, 2011). This may include several different
objectives that can vary based on organizational function. However, at the very least, they should
minimize damage to life and property, prevent or mitigate disruptions, and protect essential
assets, records, and equipment (Jones, 2011). Overall, plans must provide for resuming critical
functions as quickly as possible, which can then transition to a shift back to normal operations
(Jones, 2011). Access to records and information systems can be essential for meeting these
objectives, which is why organizations must keep regular inventories of their records, and have a
means of protecting and retrieving records and IT systems in a prioritized manner (Jones, 2011).
The information provided in Jones (2011) is based on IT industry best practices, but could be
useful for health care organizations which have a large volume of records. Its discussion of
BC/DR goals and objectives is also more comprehensive than many of the other articles
considered in this literature review.
Lanter (2011) also considers the role of managing records and information systems in
BC/DR planning. This article is written from an IT industry-specific viewpoint, but could have
useful information and practices for other types of organizations as well. Disruptions to IT
networks are fairly common and can be extremely costly, even outside of a disaster setting
(Lanter, 2011). However, 82 percent of significant disruptions could be prevented or reduced by a
BC/DR plan (Lanter, 2011). Additionally, having these plans in place, along with the ability to
implement them when needed, can help prevent potential litigation which can sometimes occur
following a harmful incident (Lanter, 2011). Therefore, BC/DR policies should include
provisions for managing records and information systems that can be applied in DR and non-DR
situations. In order to apply these policies, staff must be trained to be able to manage records,
systems, and documents during incident responses (Lanter, 2011). Lanter (2011) suggests using
information governance strategies, along with standardized measurement systems for evaluating
their efficacy in an organization, that are created by IT and records industry professionals.
Although organizations must purchase these materials, they do provide a means of ensuring that
industry best practices are followed when planning how records and information systems will be
managed, maintained, and recovered during a BC incident. They can also prove useful for
training employees in these procedures, and creating a team of individuals that will be able to
look after these systems in an emergency (Lanter, 2011). Although Jones (2011) and Tijan et al.
(2009) provide greater detail on the subjects of records and information management, Lanter
(2011) does contain useful references and justifications for implementing formal policies to
accomplish these tasks.
Planning BC/DR strategies as quickly as possible, and ensuring that staff are familiar
with them, can help to promote success in the event of a disaster. Seyedin, Ryan, and Keshtgar
(2011) discuss a case study for BC/DR planning in a health care organization. Unfortunately,
many health care staff, particularly trainees, are unfamiliar with their organization's BC/DR
response plans, which jeopardizes their successful implementation (Seyedin et al., 2011). Seyedin
et al. (2011) identify several specific elements and practices that are conducive to success with
BC/DR planning. These include identifying and acquiring resources that can serve as backup
materials in an emergency, such as stockpiles of medical supplies and equipment, and finances
that are reserved for a DR event (Seyedin et al., 2011). The BC elements of the plan should
include delegation processes, locations for performing work, and necessary practices and
technologies that are needed to resume normal functioning. They should allow the organization
to serve a public that may also be affected by a disaster (Seyedin et al., 2011). Staff members
should be consulted when planning and reviewing BC/DR strategies, and these reviews should
occur at least annually to make sure that all staff are familiar with them. The review period
should also include rehearsals of BC/DR activities, so as to reinforce familiarity. A combination
of training and using action cards, which define critical processes and how they should be
accomplished, has been shown to improve familiarity and execution of BC/DR plans (Seyedin et
al., 2011). This case study could have applicability for other organizations, including those that
specialize in animal health care.
Krock (2004) considers how quality control may be maintained in an organization during
a DR process. This may be accomplished by having a small team of trained individuals who can
evaluate business recovery process quality rapidly during this time. Quality control may be
needed because time pressures, limited space, non-standard procedures, and other factors can
impact this quality (Krock, 2004). Krock (2004) notes that IT systems are some of the most vital
for BC/DR functions, and should be considered to be critical in any relief plan. During IT
restoration, which should be a top priority, staff may believe they are maintaining usual quality
standards, whereas the numerous external influences discussed above may prevent low-quality
IT function from being recognized (Krock, 2004). Having quality control staff can ensure that
the correct IT contractors and suppliers are contacted, that all necessary IT equipment is
accounted for, and that servers and devices are being properly installed and tested. This staff
should have enough knowledge to replace or repair damaged IT systems, perform rewiring, and
install software for critical systems (Krock, 2004). However, if training limitations, the lack of a
dedicated IT staff, or other factors prevent quality control staff from learning all of these skills,
they should at least be able to determine situations where these processes are needed, and to be
able to contact professionals that can perform them. This team should be selected and have
responsibilities and resources defined during the planning process, and they should ideally have
broad IT knowledge (Krock, 2004). Although Krock's (2004) case study specifically discusses a
telecommunications business, these concepts could be applied to organizations in other
industries, too.
Another case study regarding BC/DR implementation can be found in Tijan, Kos, &
Ogrizović (2009). This paper discusses the arrangement of hardware and software IT systems,
and notes that, while mission-critical equipment and applications are usually defined in BC/DR
plans, they may overlook certain crucial elements. These elements include user services, change
management, and information security concerns (Tijan et al., 2009). User services may be
particularly important during DR implementation, because they can allow staff unfamiliar with IT
systems to assist in the setup and use of these components (Tijan et al., 2009). Consistency with
Service Level Agreements should also be included as a medium-to-high priority in BC/DR IT
planning, to ensure functionality and IT security. Critical software from general, database, and
business application software should also be identified during planning, and include security
elements such as antivirus software, Internet portal management software, and virtualization
software that can help protect against internal and external threats (Tijan et al., 2009). An
information security management system created during BC planning can help to provide risk
analysis, as well as testing controls for IT security (Tijan et al., 2009). These controls may
include preventative, detective, and corrective measures that can be implemented as needed. For
example, during a DR scenario that requires recovery of IT function, pre-planned measures for
retrieving backups of hard disks, tape drives, or other data copying systems should be
implemented (Tijan et al., 2009). This model is supported by a case study provided in Tijan et al.
(2009), and could be useful for any organization.
Organizations must also be able to assess preparedness risks in their BC/DR programs.
Jrad, Morawski, and Spergel (2004) discuss a model for accomplishing this task. Like Krock
(2004), Jrad et al. (2004) write from an IT organization perspective, but their model could be
applicable for organizations in other industries as well. Identifying risks can help to proactively
limit the adverse impacts of a disaster, rather than simply reacting to one after it occurs (Jrad et
al., 2004). Planning for BC should include six steps, according to Jrad et al. (2004): validating
plans, assessing risk, analyzing business impact, developing plans, testing plans, and maintaining
plans. Risk identification should focus on determining how much data from IT systems, if
any, is lost, and how much downtime a business can handle (Jrad et al., 2004). In order to
identify risks, a network of functions and systems in the organization must be created. This
allows for the risk to these components, and a total “aggregate risk,” to be calculated, along with
the likelihood of these events (Jrad et al., 2004). Expected downtimes can be calculated as well,
and their effects compared to the capabilities of the organization under normal working
environments (Jrad et al., 2004). The cost of these disasters can then be calculated. These costs
should be compared to potential mitigation alternatives that would include both benefits and
costs to the organizational network (Jrad et al., 2004). Jrad et al. (2004) suggest plotting
networks out to determine which components are needed for basic functions, which directly
impact customers, and which stakeholders are involved with each component. Businesses may
also use disaster models based on Poisson distributions to determine the likelihood of certain
events and their effects, such as natural disasters or technical failures (Jrad et al., 2004). The
model discussed here could provide a useful means of evaluating risk mitigation strategies, and
could form a best practices approach to risk identification, but it does have the disadvantage of
having not been empirically tested for efficacy.
This literature shows that BC/DR planning is a necessary function for any organization,
and requires several key elements. Staff should be actively involved in every stage of the
planning and implementation process for BC/DR programs, and organizations should be
responsible for training and rehearsing for these incidents. Preparations should provide for
stockpiling necessary resources, backing up needed IT systems, and having earmarked finances
for BC/DR activities. Organizations should also include records and information management as
critical components in any plan, and have employees that are trained to accomplish specific
prevention, maintenance, and recovery duties. This type of preparation can ensure that an
organization can successfully reduce its risks and manage stakeholder-specific functionality
during any adverse event.
Proposal
Best Friends Animal Hospital is an organization that does not have a formal business
continuity and disaster relief (BC/DR) policy. This action research project will involve working
with multiple stakeholders to formulate and implement a BC/DR plan. Therefore, it must
determine which needs and risks should be considered in this plan, consider the goals for, and the
benefits of, an effective plan, and utilize the necessary resources and stakeholders to implement
and realize the plan. This will help to ensure that Best Friends Animal Hospital can successfully
navigate any risk or disaster it may encounter while meeting its key stakeholders' needs. This
project will use five iterations to formulate a BC/DR plan for Best Friends Animal Hospital.
Iteration 1 will involve a brainstorming session with the researcher and executive staff of
the animal hospital. This session will be used to introduce all parties to the BC/DR concept, and
will identify the requirements that the animal hospital would have for a BC/DR plan. It will
determine the communication flow that will be involved in organizing the plan and assessing its
specifics. It will also consider the key stakeholders that must be considered in any BC/DR plan
and which needs they might have. The researcher will request that these participants discuss
requirements with their subordinates as well for the next meeting. These processes will be
necessary for defining BC/DR requirements at a later point.
Iteration 2 will involve a series of one-on-one meetings with the executive hospital staff
to discuss their perceptions and feelings on the brainstorming session. Each executive will be
asked to offer their input on critical systems and functions that their department performs. These
meetings will also allow each participant to discuss their departmental needs after consulting
with their staff. The researcher will use these responses to create an overall list of needs for a
BC/DR plan, along with which critical systems and functions will be necessary to include in the
plan.
Iteration 3 will involve a follow-up meeting between the researcher and all executive staff
from the animal hospital. This meeting will discuss organizational and stakeholder needs. In
doing so, it will identify common needs for different departments, and determine which systems
and functions are needed for both individual departments and the animal hospital as a whole.
Methods to integrate systems and needs will also be discussed, and the participants will
determine whether individual departmental requirements are centrally critical for meeting
stakeholder needs. The researcher will actively involve these participants in the planning process
by dividing duties, where the researcher will manage planning for overall and integrated system
requirements, and assigning the individual requirements to the appropriate department. The
participants will be responsible for creating BC/DR plans for their department-unique
requirements by the next meeting.
Iteration 4 will involve one-on-one meetings with the executives to collect plans for
department-unique requirements. It will also allow the executives to supply the researcher with
departmental feedback on needs and systems plans on an individualized basis. The executives
will be requested to formalize their needs and systems plans for a final presentation, which the
researcher will compile into a policy document.
Iteration 5 will allow the researcher to present the BC/DR policy to the executives and
staff in a final organization-wide meeting. Copies of the process will be provided to all
executives and staff, and both executives and the researcher will be available to field questions
on the policy from staff.
References
Jones, V. A. (2011). How to Avoid Disaster: RIM's Crucial Role in Business Continuity Planning.
Information Management Journal, 45(6), 36-40.
Jrad, A., Morawski, T., & Spergel, L. (2004). A model for quantifying business continuity
preparedness risks for telecommunications networks. Bell Labs Technical Journal, 9(2),
107-123. doi:10.1002/bltj.20029
Krock, R. E. (2004). Effective quality control during disaster recovery. Bell Labs Technical
Journal, 9(2), 163-171. doi:10.1002/bltj.20032
Lanter, A. (2011). Are You Ready? Getting Back to Business After a Disaster. Information
Management Journal, 45(6), 4.
Seyedin, H., Ryan, J., & Keshtgar, M. (2011). Disaster Management Planning for Health
Organizations in a Developing Country. Journal Of Urban Planning & Development,
137(1), 77-81. doi:10.1061/(ASCE)UP.1943-5444.0000045
Swartz, N. (2003). Few Organizations Have Effective Continuity Plans. Information
Management Journal, 37(3), 7.
Tijan, E., Kos, S., & Ogrizović, D. (2009). Disaster recovery and business continuity in port
community systems. Pomorstvo / Journal Of Maritime Studies, 23(1), 243-260.