
Dissertation Example: The Development of an IT Disaster Recovery Plan

University of California, Santa Barbara
This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.

Information technology has over the years become integral to all organizations that rely on it to run, manage, and facilitate business functions. Businesses use information technology to process information quickly and effectively. They rely on IT so that employees and clients can communicate via electronic mail and Voice over Internet Protocol (VoIP) telephone systems. Business-to-business transactions, including orders and payments, are frequently conducted through electronic data interchange (EDI), which enables firms to transmit data. Consequently, company servers process and transmit voluminous data. Electronic devices such as computers are used to create, process, manage and transmit this data (Derksen & Luftman, 2016; Kappelman, McLean, Johnson, & Gerhart, 2014; Tallon, Coltman, Queiroz, & Sharma, 2016).

Information and communication technology can provide firms with a competitive advantage that enables them to consolidate their marketplace positions (Shao, 2005). Therefore, it can be disastrous if information technology stops working at any given time. One of the essential requirements of all organizations is continuity. There have been many cases where disruption of IT services had deleterious impacts on business functions, resulting in serious loss of revenue and reputation (Alhazmi & Malaiya, 2013). Besides these losses, disruption of information technology services can lead to decreased employee productivity and damage to relationships with clients (Nilson, 2006). Empirical evidence has illustrated that many firms that survived serious disasters often faced difficulty because they had no strategy to manage the damage (Shao, 2005). As such, many firms have learned from the experiences of other organizations and adopted emergency disaster recovery plans, allowing them to operate without significant interruptions. Further evidence shows that organizations that have disaster recovery strategies in place recovered thrice as fast, and with smaller financial and reputational losses, than organizations that were least prepared or not prepared at all (Nilson, 2006). In cognizance of the need for business continuity, organizations should have plans that address all disaster types in order to avoid disruption of their operations. Shao (2005) reports that organizations can face any type of disaster, ranging from a power outage to natural disasters such as hurricanes, earthquakes, fires, or terrorist attacks. He suggested that the lack of a disaster recovery plan for any form of danger, small or large, can be a recipe for organizational failure.
For example, in the event of a fire, which is the most common type of disaster organizations encounter, as much as 50% of the firms that encounter this kind of emergency go out of business due to the lack of a disaster recovery plan (Snedaker, 2013). It is for this reason that researchers and IT practitioners have given significant attention to DRP. For IT management, the information technology disaster recovery plan has become the major concern (Derksen & Luftman, 2016; Kappelman, McLean, Johnson, & Gerhart, 2014; Tallon, Coltman, Queiroz, & Sharma, 2016). Development and implementation of an effective disaster recovery plan are essential for protecting organizations from losses (Cumbie, Cegielski, & Sankar, 2009; Hawkins, Yen, & Chou, 2000).

In their latest study on global key management concerns, Derksen & Luftman (2016) report that business continuity and disaster recovery occupied the seventh place among organizations and their information technology executives. Therefore, the development of an IT disaster recovery plan in conjunction with the business continuity plan can help a company resume its essential operations at the earliest possible time after a disaster (Hawkins, Yen, & Chou, 2000). This involves various policies and procedures put in place ready for the recovery of the firm's technological infrastructure.


Development and implementation of a disaster recovery plan are critical for organizations' response to crises. However, Snedaker (2013) suggests that implementation of such a plan can be time-consuming and that firms need to put in extra effort for its effective implementation. Previous studies have focused on IT DRP processes and risk management at the expense of other aspects of the disaster recovery plan. Besides, previous research has done very little to explain a structured approach that encompasses DRP and the associated aspects of a disaster recovery plan for healthcare organizations. The aim of this study is, therefore, to explore a structured approach to developing and implementing a disaster recovery plan using the case of a healthcare firm. The main research questions will thus be as follows:

How effective is a structured approach to developing and implementing a disaster recovery plan for healthcare organizations?

What are the benefits and challenges associated with a structured approach to developing and implementing a disaster recovery plan?

Understanding the effectiveness, benefits, and challenges of a structured approach will help healthcare organizations to develop better disaster recovery plans. To answer these research questions, a qualitative research study has been done involving various actors in a medical laboratory organization. This firm realized the importance of developing a contingency plan against potential disasters in order to protect its critical business operations.

Literature Review

The idea of a disaster recovery plan is closely associated with the concepts of business continuity, business impact analysis, and risk management. Consequently, a lot of research has been done on these three streams.

Key Definitions and Concepts

Business Continuity Plan (BCP): Wallace & Webber (2010) define BCP as the set of procedures that an organization has in place in order to keep the critical functions of the business running during and after the occurrence of a disaster.

Risk Management: Fallara (2003) has defined this as the processes used in identifying all threats to critical business processes.

Business Impact Analysis (BIA): Fallara (2003) further defines BIA as the processes used to identify and evaluate the impacts of disaster aftermath on critical business processes.

Disaster Recovery Plan (DRP): DRP refers to all the systematic activities involved in recovering within the shortest time possible in the event of a disaster (Hawkins, Yen, & Chou, 2000).

Business Continuity

Previous studies recommend that organizations should have proper contingency plans for survival after a disaster happens (Nicolette & Schmidt, 2001; Rozek & Groth, 2008; Wunnava, 2011). These studies point to the significance of DRP and BCP implementation in responding to unexpected disasters and in keeping the business going after an emergency, respectively. According to Nicolette and Schmidt (2001), business continuity planning is useful in ensuring that business functions continue before, during and after a disruption. The process involves the gathering of information and activities necessary for successful disaster recovery (Rozek & Groth, 2008). The beauty of implementing a BCP is that it protects not only the information technology system but also the entire business ecosystem of the organization. Fulmer (2004) suggested that BCP addresses information technology as supportive of the business processes. This is particularly important since IT systems play a major role in supporting organizations to meet their business goals. As such, the IT system should be protected in order to prevent the deleterious impacts of downtime on business functions. Snedaker (2013) stressed the need for every firm that depends on IT to drive its business functions to have a disaster recovery plan irrespective of its size.

Risk Management

Risk management and disaster recovery are closely associated with each other since their main objective is to prevent and/or minimize risk (Fallara, 2003). Risk management has been at the centre of the functions of IT professionals, one of whose major interests is to protect and secure data as well as to help their firms prioritize the types of risk. This protection encompasses all information technology resources, such as hardware, software, data, staff, and facilities, against any conceivable natural disaster, technical failure, unauthorized access, and vandalism. According to Hawkins and Chou (2000), protecting and securing information technology resources will enhance the ability of firms to achieve their organizational goals and business objectives. The concept of risk management has attracted huge research interest, which highlights the significant role risk management plays in contemporary organizations (Stoneburner & Feringa, 2002; Fallara, 2003; Solms & von Solms, 2008; Tohidi, 2011).

Stoneburner & Feringa (2002) classified disasters into natural, human, and environmental threats. Natural disasters consist of events such as floods and hurricanes, which have a major impact on information technology infrastructure because of their large geographical coverage. Human disasters arise from deliberate human actions such as attacks on the network, upload of malware, and unauthorized access. Environmental disasters are related to factors such as pollution and long-term power failure. These threats differ from one firm to another. Consequently, Fallara (2003) suggests that the role of an IT disaster recovery plan is to put in place procedures and processes that identify the risk types and how to handle them. According to Solms and von Solms (2008), IT risk management systems address all potential risks associated with the disasters identified by Stoneburner & Feringa (2002). Therefore, the goal of risk management in every firm is to support the organization in managing potential risks better (Tohidi, 2011).

Business Impact Analysis

According to the International Organization for Standardization (ISO), Business Impact Analysis and risk management are the main components of understanding firms (ISO 22301, 2012). BIA is associated with the process of evaluating the effects disruptions have on businesses. Fallara (2003) opines that BIA is central to the disaster recovery plan. Sikdar (2011) suggests that the main objective of business impact analysis is to gather and analyze information for purposes of preparing a BCP. According to Hawkins and Chou (2000), BIA's goal is to identify the critical resources for business continuity and to guide the organization through reasonable timelines for the resumption of business after a disaster strikes.

The literature proposes several frameworks based on the importance of business impact analysis to effective Business Continuity Management Systems. According to the Australian Business Continuity Management Institute (2000), the BIA framework consists of identifying and ranking the processes of an organization according to their effects on its finances and operations. In addition, it involves recognition of critical functions and allocation of necessary resources to these functions. According to the Federal Financial Institutions Examination Council (FFIEC, 2008), BIA involves identifying the key products, ranking, determining important requirements, and identifying dependencies. Another framework has been proposed that involves time correlation to estimate the effects of disasters on specific functions (Sayal, 2006).

Tjoa et al. (2008) discussed the steps for Business Impact Analysis including identification of activities and functions, resource allocation, recognition of severe threats to organizational reputation,...
