Disaster recovery and the King
If your business's next financial year starts in 11 days (ie 1 April), it must abide by King IV.
In 2016, the King Committee published the Draft King IV Report on Corporate Governance for South Africa. Although the code is not enforced by law, many of its principles are embodied in the Companies Act.
King IV emphasises IT governance and addresses cyber security for the first time. It recognises information as being separate from technology as a corporate asset, and confirms the need for governance structures to protect and enhance this asset. The code applies equally to listed and unlisted companies, profit and non-profit organisations, as well as private and public entities.
It recommends that the company's board (or governing body) govern both technology and information, so that they support the company in achieving its purpose and strategic objectives. Lee Jenkins, Head of Technology at ETS Innovations, says: "The board needs to be specifically tasked with approving and overseeing the technology and information policies of the company."
One of these policies relates to the provision for business resilience, continuity and disaster recovery. Jenkins continues: "The key thing to note is that under King IV, the board is required to periodically carry out a formal review of the adequacy and effectiveness of the organisation's technology and information functions. This could prove a stalling point for many businesses, as while infrequent testing of business resilience (high availability), backup and restores (continuity) is commonplace, a 'formal assessment' is rarely conducted."
For this reason, it's critical that organisations carry out formal planning and conduct assessments of both their processes (including the relevant people) and their technology around the above-mentioned activities. They also need to develop a disaster recovery plan to ensure business as usual in the event of an unforeseen failure, he says.
How to plan disaster recovery
Disaster-recovery plans should be based on a business impact analysis that identifies critical systems, services and applications that support business processes. Jenkins goes on to outline the typical current challenges organisations face around conducting end-to-end disaster recovery exercises:
* Availability and isolation of disaster recovery environments.
* Replacing hard-coded IP addresses and host names.
* Integrating upstream and downstream systems that don't have dedicated disaster recovery environments.
* Proper sequencing of applications.
* Coordination and planning of human resources.
* Proper back-out plans.
A key requirement to help overcome these challenges, according to Jenkins, is the creation of an application interface topology diagram, which illustrates how applications interact with each other. This allows proper sequencing of all upstream and downstream systems, to work out the exact dependencies. Once it's clear how the various critical applications interface with each other, recovery time objectives (RTO) can be more accurately calculated.
Challenges related to how desktop clients/end users connect to the disaster recovery environment should be carefully planned, so as not to disrupt production applications.
Jenkins says that a walk-through and simulation test among participating teams (including the network/firewall, server, database, middleware, and various applications) is crucial to a successful end-to-end exercise. "Everybody needs to know what the scenario is, who needs to do what, and the exact sequence and co-ordination of tasks. The simulation test will highlight potential risks to the production environment, as well as eliminating most human errors."
He urges businesses to refrain from adopting a wait-and-see approach to implementing this particular principle of King IV. "The big question is, which South African mid-sized publicly listed company will be the 'test case' for prosecution of its directors for failing to formally test its disaster recovery process? It could well be your business, which is why your company should start performing formal, documented end-to-end disaster recovery exercises."