REQUIRED READING: Last year was marked by unprecedented weather scenarios that, in retrospect, have left a lingering thought in the minds of many: preparation. It is often in the aftermath of events such as ice storms, tornadoes, flooding when individuals, businesses and communities evaluate how to better respond the next time.
But this reactive planning actually stems from a greater, almost dangerous mistake: approaching disaster recovery planning (DRP) from a seasonal or strictly weather-related perspective. Ensuring effective business continuity results from a more comprehensive, ongoing plan that is practiced, reinforced and evaluated year-round.
In this industry, the concept of holistic DRP should reverberate even more strongly. Servicers and their industry partners are responsible not only for critical information, but also for the integrity of the work they perform. When foreclosure volumes started on their initial sharp rise, many companies grew too quickly to keep up with the workload, and some perhaps did so without the proper infrastructure to support it. While the up-front investment to back up a workplace, its people and the systems can be intimidating, it is a small price to pay compared to the financial loss that is possible without it.
DRP and business continuity planning are not only steps that every servicer or service provider should take; rather, they must be a mind-set and a culture in which to invest.
Although it is impossible to guarantee structural, system and personal safety in the midst of any disaster, defining procedures for anticipating how to best react to an interruption will prove beneficial in every situation.
Where to start
After recognizing that DRP is necessary, the question then becomes where to start. Forrester Research and the Disaster Recovery Journal published theirs fourth annual joint survey in early 2011, aimed at deciphering what changes have occurred in disaster recovery over the past three years. It found that 53% of respondents spent less than $500,000 on disaster recovery last year, which is down from the 45% reported in 2007.
Fortunately, in Forrester's ‘Global IT Budgets, Priorities And Emerging Technology Tracking Survey,’ released in the second quarter, 32% of enterprises and 36% of small- to medium-sized businesses said they expect to increase their business continuity/disaster recovery spending by at least 5%.
Any plan must be comprehensive in scope, including details on how to address the responsibilities of every function and every employee, top to bottom. In doing so, it is also important to receive buy-in at all levels on how to thwart long-term disruptions and loss in each department. Tapping into actual users of each process can help an organization capture the accurate expertise on how to best address the problems that may arise. Companies are responsible for executing risk assessments and departmentally reviewing each process and system to determine what steps need to be taken.
For technology and service providers in the default sector, both internal and external systems and processes are executed daily. It must be understood, then, how they all interact and impact one another, as well as the business as a whole. From that, a plan of action can be drawn to notify all necessary parties and design a work-around procedure.
DRP is often associated with – even limited to – data redundancies and systems backup, but it spans so much more. Planning for true business continuity also involves the workplace, or the physical locations where those systems are housed, as well as the actual people in those locations who man the systems. Delving into each component more specifically, the following represent a few key considerations.
Systems. Data systems are obvious priorities in information back up, but there are other critical departments and processes that should not be forgotten. For example, while a finance system may be recovered, what happens if checks cannot be produced? A temporary site will be required, and a small amount of petty cash should be on hand.
What about moving deliveries, notifications to employees about working conditions – whether to come in or work remotely – or even dealing with a downed phone system? These appear to be minute administrative concerns, but they are each part of daily operations and, therefore, need to be addressed in any business continuity plan.
Workplace. The aforementioned Forrester and Disaster Recovery Journal research found that only 27% of organizations had more than one secondary recovery site in 2010 – down from 33% in 2007. Costs can definitely be a factor in maintaining multiple sites, but consolidating locations can also be an ill-advised decision. Even a single backup site will help mitigate the threat of a total shutdown of operations and of internal and external communication.
Beyond additional sites to house systems recovery, it is also necessary to have a means of workplace recovery, or a place to actually house the workforce to ensure business can continue as usual. Recovery sites should also have enough distance in between them to avoid the threat of being subject to the same disaster scenario. In strategically separating the locations geographically, companies allow for a stronger distribution of their operational integrity.
People. If possible, equal distribution of expertise and responsibility among a workforce can prove invaluable. Dual-site operations are ideal to ensure timely responses in the event one site is lost. But when that is not the case, and even when it is, employees impacted by the crisis situation need options for continuing business as usual.
One option for incorporating DRP is workload shifting, whereby differing groups offload processes or operations in the event of an inability to work. This approach, complemented by a workplace recovery plan, will help avoid costly delays or halts in daily operational activities.
When to test
Many companies do not have formal plans in place. However, for those that do, often the plans are not regularly tested or even evaluated for their effectiveness. Proper re-evaluation of a DRP is ongoing. Testing (or, at least, reviewing) a plan is key to help locate what is missing in a current plan, what can be improved, what must be modified or – in some cases – what may no longer be necessary.
Upon reviewing a plan, it is important to first proactively look for obvious changes within the organization and its business model: Shifts in employee numbers, differences in client demographics and extensions of existing services are all drivers to revisit an existing plan.
Plan testing will vary by company. Perhaps monthly testing of major disaster recovery systems is necessary, or an annual drill for workplace recovery and site simulation. If procedures are identified that warrant improvement or change, ensure that those items are not only addressed formally in the plan, but also that they are executed through employee training when appropriate.
It is impossible to know how or when to prepare for a disaster. Even in doing a probability of disasters, all of the guesswork cannot be taken away. Though often easy to define, geographic vulnerabilities will still vary, and weather-related instances are not the only concern. After all, the most commonly declared ‘disasters’ are power outages. As any company can likely attest, it does not take questionable weather for the lights to go out.
Despite the uncertainty, organizations can and must prepare. Proper preparation enhances efficiency and effectiveness. Companies that take a comprehensive, non-seasonal approach to DRP can anticipate a more fluid response to any threat in the disruption of their business, regardless of what or when it may occur.
James Wade is vice president of IT security and compliance for Mortgage Contracting Services LLC, a Tampa, Fla.-based provider of property preservation, inspections and REO property maintenance. He can be reached at (813) 387-1100.