You may be able to come up with the best disaster recovery (DR) plan, assign responsibilities to various personnel involved and ensure everything is in place. However, the critical part is maintaining the plan, testing it, and ensuring that it is aligned with the changing business needs and increasing risks. One way to ensure the above is to integrate ITIL with the DR plan.
ITIL, in its Business Continuity Management (BCM) section, prescribes a set of practices that need to be followed in case of the occurrence of risks or incidents. In ITIL v2, this section mentions that: ‘The Business Process responsible for managing Risks that could seriously impact the Business. BCM safeguards the interests of key stakeholders, reputation, brand, and value-creating activities. The BCM process involves reducing risks to an acceptable level and planning for the recovery of business processes should a disruption to the business occur. BCM sets the objectives, scope, and requirements for IT service continuity management.’
BCM is a process by which a set of best practices are put in place so that business processes run despite incidents. It is not only about putting reactive measures for continuing ongoing processes but also, establishing proactive measures so that the risks of the future occurrence of a disaster are reduced.
BCM Involves a Set of Actions:
- Identifying the business to be recovered and prioritizing it
- Assessing each of the IT processes and identifying the threats and vulnerabilities within them
- Formulating the key recovery options and evaluating them
- Formulating the contingency plan
- Testing the plan
ITIL service lifecycle can enhance the disaster recovery process in your organization in a number of ways, some of which are described below.
-
Service Level Management (SLM):
Service Level Management has a set of activities that ensure that business processes are in line with ITIL’s best practice guidance. When determining the business strategy, its effect on disaster recovery needs to be taken into account. While drafting the service level agreements, the business should understand how it can recover in times of disaster.
-
Incident Management:
An incident is the occurrence of an event that disrupts the services of an organization temporarily. Incidents that go beyond control take the shape of a disaster. Disasters require organizations to follow a set of established practices to restore services to an agreed-upon level. The process of detecting incidents, recording, and resolving them must be established through IT service continuity management so that the incident can be handled with efficiency.
-
Service Desk:
The service desk is an efficient tool to document an incident and establish the workflow to be followed thereafter. The service desk’s standard template will be used to assign responsibilities to everyone involved so that the disaster recovery process can be accelerated.
-
Defining Individual Roles:
While formulating the DR plan, it is important that the roles of individual personnel are clearly defined. The ITIL Service Design guidance recommends that each individual should work on key recovery areas based on business impact analysis (BIA) and risk assessment.
-
Conducting Risk Analysis:
Risk analysis identifies the possibilities of risks and the frequency of their occurrences. ITIL prescribes the Management of Risk (MOR) for assessing risks. This method advocates the creation of risk profiles on the basis of their severity and possibility of occurrence. While performing the analysis, risk acceptance criteria should also be formulated following which the key measures to reduce risks can be planned.
-
Conducting BIA:
For Business Impact Analysis (BIA), the key disaster areas should be identified, following which the impact on business processes should be measured. A BIA should measure both financial and non-financial aspects of a disaster, such as the impact of revenue loss, data loss, and reputation loss after a disaster.
-
Recovering from Disaster:
ITIL mentions two concepts – Recovery Time Objective (RTO) and Recovery Point Objective (RPO). RTO is the minimum time within which services should be recovered to a normal state and RPO is the acceptable amount of loss in data after a disaster. Once the RTO and RPO are set, a crisis management team needs to be appointed to put the DR plan into action.
-
Develop Resiliency:
Resiliency is the ability of a set of configuration items (CIs) to continue to function, given the circumstance of the failure of a few other CIs.
-
Update or Change and Train:
Disaster Recovery plans need to be updated and changed as per the situation. This can be done in line with ITIL change management guidelines.
-
Training of Staff:
ITIL also recommends regular tests and training of staff to speed up the process of DR. Regular training schedule needs to be established for staff members so that they are prepared to take immediate steps in case of the occurrence of a disaster. In order to measure the effectiveness of the tests, ITIL prescribes the use of KPIs.
-
Implementing the DR plan and IT Recovery:
The list of people to be contacted during DR should be planned in advance. The service desk should be equipped with this information so that it becomes the Single Point of Contact (SPOC) to mobilize personnel and distribute tasks. Once the DR process is completed, the recovery site should be evacuated and operations should resume in the primary site to minimize downtime.
-
Updating Business Processes:
The Service Strategy section of ITIL defines a list of services offered. It gives an idea of the business impact of the services and the return on investment (ROI). It is crucial that regular research is carried out to ensure that the DR services offered are up to date.
The occurrence of incidents, problems, and disasters is not uncommon in organizations. However, the crucial part is how a disaster is dealt with. Adoption of ITIL is the best way forward in such scenarios. The best practices and tested methodologies of ITIL guarantee speedy recovery after a disaster.
