What is disaster recovery?
In the IS context, disaster recovery is the restoration of computing and telecommunications services after an event has disrupted those services. The event might be something huge—like an earthquake or the terrorist attacks on the World Trade Center, which killed thousands and affected everything from telephones to the New York Stock Exchange—or something comparatively small, like malfunctioning software caused by a computer virus.

How is disaster recovery different from business continuity planning?
Business continuity planning (also called contingency planning) determines how a company will keep functioning until its normal facilities are restored after a disruptive event. This encompasses how employees will be contacted, where they will go and how they will keep doing their jobs.

What do these plans include?
Disaster recovery plans vary greatly, depending on the size and scope of a company and how critical IT is to its operation. For example, at one global manufacturing company with a robust plan, the manager of business continuity knows exactly how the company would recover. It would restore critical mainframes with vital data at a backup site within four to six days of a disruptive event, obtain a mobile PBX unit with 3,000 telephones within two days, recover the company’s 1,000-plus LANs in order of business need, and set up a temporary call center for 100 agents at a nearby training facility.

Business leaders and IT leaders should work together to determine what kind of plan is necessary and which systems and business units are most crucial to the company. They should decide which people are responsible for declaring a disruptive event and mitigating its effects. Most importantly, the plan should establish a process for locating and communicating with employees after a disruptive event.

What role does outsourcing play?
Disaster recovery services—offsite data storage, mobile phone units, remote workstations and the like—are often outsourced simply because it makes more sense than purchasing extra equipment or space that may never be used. In the days after the Sept. 11 attacks on New York City and Washington, D.C., disaster recovery vendors restored systems and provided temporary office space, complete with telephones and Internet access, for dozens of displaced companies.

What’s the best way to get started?
The first step is conducting a business impact analysis (BIA). This will identify the business’s most crucial systems and the effect an outage would have on the business. The greater the potential impact, the more money a company should spend to restore systems quickly. For instance, a stock trading company may decide to pay for completely redundant systems that would allow it to immediately start processing trades at another location. On the other hand, a manufacturing company may decide that it can wait 24 hours to resume shipping. A BIA will also help companies set a restoration sequence to determine which parts of the business should be restored first.

In the wake of attacks on the World Trade Center and the Pentagon, is this a good time to set up a business continuity plan?
It’s a great time to start the process. Unfortunately, it takes a tragedy for many companies to start thinking about how they would respond to a disruptive event. High-level executive support is crucial for a successful contingency plan, and now is a good time to get that support, but be warned that disaster recovery vendors and consultants are still busy dealing with emergency situations in New York City and elsewhere. Service providers report that they’re swamped with requests for proposals from potential customers.