Other Stories

Branding Your Organization Through Your Web Site

Telling Stories Online Makes That Vital Connection

IT Crash And Burn: Prepare For the Inevitable

By Tim Johnston
Like firms in the private sector, nonprofits are increasingly dependent on information technology to operate effectively and efficiently. The more organizations depend on their information technology (IT), the greater the business disruption should these systems or the information they provide become unavailable.

If you find this topic overwhelming, you're not alone. Most nonprofit organizations feel woefully unprepared to prevent and recover from a major business disruption -- inadequate funding and staff often mean that disaster preparedness is a low priority "luxury." Many for-profit companies are also under prepared, and those that are well prepared have mixed feelings about the return on investment of such preparations.

Let's face it: most people only feel they've "gotten their money's worth" when they've experienced a disruption and benefited from their investment. IT vendors don't help matters much. Most try to induce fear in potential customers to get them to buy and can distort prospects' perceptions of the likelihood of various kinds of disasters.

advertisement

Exhausted by vendor-induced anxiety, unsure about the relationship of business continuity and IT, and overwhelmed by an abundance of articles and differing viewpoints about what constitutes sufficient planning, nonprofit managers often ignore the subject. They don't creating suitable plans with measured investment, or they reduce disaster planning to simply maintaining data backups.

Here are a few guidelines to help you understand the issues and take appropriate next steps to ensure your organization's preparedness regardless of where you are right now.

Common Misconceptions about Disaster Recovery and Business Continuity
A couple of common misconceptions often create impediments to effective disaster recovery and business continuity planning:
Business Continuity is not an IT Issue
It is important to remember that the purpose of IT is simply to enable information flow in an organization. Think about the management of information as a pyramid with three stacked sections.

Your IT infrastructure (servers, PCs, printers, and the devices that connect them to each other and the outside world) and software applications (email, membership databases, case, contact management, and accounting systems, Word documents, spreadsheets, etc.) form the base of the pyramid. They enable and facilitate the storage and transfer of information.

Next, your hardware, software, and data repositories exist to support specific business processes.

At the top of the pyramid sits your people. The business processes exist to support the work of your staff and other stakeholders-the mission.
These three components function together; when they operate in harmony, your business functions efficiently and effectively.

These interdependencies are important because they reveal that business continuity is not an IT issue-it is a business issue. Therefore, an effective planning process and plan require that:

  • All business processes and the people that perform and manage them have appropriate input into and responsibility for the plan
  • The IT portion of the plan aligns with the people and process aspects in terms of priorities and investment
  • These are prerequisites for an effective plan.
  • Data backups are not enough

Many non-IT people think that they're all prepared for a disaster if the organization's data are backed up. As a result, many nonprofit leaders have unrealistic expectations about how quickly they can be "up and running" after a disruption.

While certainly critical, having good backups of your data does not imply that you can recover quickly from a disruption. Application software-along with updates, patches, customizations -- are required to access application data. Servers or workstations and operating system software are needed. In the case of multi-user applications, a network may be required. The time involved in getting this infrastructure ready so that you can actually get to your data and resume functioning may be days or even weeks, depending on your level of preparedness. It is critically important to understand this in the context of your organization's specific IT environment so that all stakeholders have realistic expectations about how quickly operations can be restored.

Here are some basic truths:

  • Disaster Recovery is not an IT issue; you should own the IT part.
    Today's business and system complexity makes identifying and quantifying risk more daunting than ever before.
  • Before you can manage risk, you must identify it and quantify it
  • Appropriate response is defined differently for each organization
    You can decide to do nothing about a particular risk, but that should be a conscious decision made collectively. For example, you can decide that if a major interruption occurs you won't worry about getting the newsletter out.
  • Planning is evolutionary and ongoing.

Here are some practical tips:

  • Conduct a Business Impact Analysis. This process helps you identify your risks and the order in which to address them. It is the basis for sound disaster and business continuity planning
  • Have good antivirus protection and data backups. These are the most commonly overlooked and basic protections
  • Take backup tapes, CDs, or drives offsite.
  • Use managed antivirus clients (Symantec Corporate Edition from TechSoup) to ensure that antivirus is up-to-date on each PC
  • Identify all single points of failure in your network and systems
  • Where might a little redundancy go a long way?
  • Are you dependent on others -- shared office space, shared connectivity, etc.?

Keep critical info on a USB Key, such as telephone numbers of all staff and vendors, passwords, etc., and a copy of disaster/continuity plan.

  • Post a contact sheet on building door if you need to leave
  • Tell stakeholders how to find you
  • Have an alternative means of communication
    Home phone, cell phone, place to meet (virtual or real), conference call service

Consider an externally hosted Intranet. If your office is out of commission, you can be sure the site will be up. They are very inexpensive these days

Have an internal backup person, someone on your staff who can fill in for you if you're unreachable? And, return the "favor."

Have an external backup person, someone outside can you turn to for extra help when you need it. It could be trusted vendor(s) or IT staff at another nonprofit.

Consider off-site storage. Online backup for data is now relatively cheap if you manage your data and keep backups to a reasonable size. Avoid the music and vacation photos

Keep copies of application software off-site Have a reciprocal agreement with another non-profit to store most critical stuff

Here are some some additional resources to help you take the next steps -- you may download them here: http://portal.npowergdcr.org/continuity/documents/Forms/AllItems.aspx

***
Tim Johnston, chief technology officer of NPower Greater D.C, Region, has more than 20 years of information technology experience. NPower Greater DC Region (www.npowergdcr.org) is a nonprofit technology consulting firm serving other charitable organizations and foundations in Washington, DC, suburban Maryland, and suburban Virginia

advertisement

 

© 2007 The NonProfit Times Privacy Policy