UK city councils’ disaster recovery plans are encouraging, but there is room for improvement…

Published: Tuesday, 27 October 2015 13:18

All of the UK’s major city councils have disaster recovery plans in place, but almost 40 percent have not tested their plans within the past 12 months. This information was gained via a Freedom of Information (FOI) request issued on behalf of disaster recovery specialist Databarracks to the UK’s major cities, including Birmingham, Liverpool, Manchester, Leeds, Newcastle, Sheffield and Bristol to determine their plans in the event of an IT disaster.

The results showed that all responding councils had disaster recovery plans in place to restore essential functionality, including revenue, benefits and welfare services. While these findings are encouraging, it was also revealed that as we approach the end of the year 38 per cent of those surveyed have not been regularly tested, despite their absolute necessity in the event of a disaster.

The figure seems especially high when compared to large organizations in the private sector. In Databarracks’ 2015 Data Health Check, the company found that only 21 percent of large private organizations have failed to test their disaster recovery plans in the last 12 months: significantly less than the public sector.

Peter Groucutt, managing director of Databarracks explained the findings:
“City councils’ attitudes towards disaster recovery are excellent. Many councils are prioritising council tax and other business-critical functions in a disaster recovery scenario, which serves to protect critical sources of income for the public sector.

“All of the councils that responded to our FOI showed excellent best practice when it came to prioritising the most critical IT systems in a disaster and they all had structured plans in place that outlined their priorities for recovery. This is particularly difficult for the public sector, as not only do they need to protect revenue-generating systems such as council tax, but they also need to protect their care systems such as Children’s Services, for example. To see councils putting so much consideration into disaster recovery planning is very encouraging. There were one or two questionable answers though, with ‘car parking’ being listed as a top priority by one council.

“However, just having a disaster recovery plan in place is not enough – plans need to be regularly maintained, updated, revised and tested to guarantee their effectiveness. The results of our FOI request exposed that a significant proportion of city councils had not tested plans for over a year, meaning that they cannot be confident in their effectiveness in the event of a genuine crisis. With services to constituents, such as childcare or benefits, as well as management of income being affected by IT disasters, city councils have a duty to ensure that their disaster recovery plan is up to date, tested and verified.

“The best advice we can give is to update your disaster recovery plan every time something in your organization changes. Your plan should give a true and current picture of your entire organization, and your disaster recovery test is what helps find the gaps. If you don’t test your disaster recovery plan, these things won’t get picked up until your time of crisis – at which point the damage they could cause is huge.”

The findings also revealed large variances between councils when it came to recovery time objectives (RTOs) and recovery point objectives (RPOs). In some cases the RTO for a council could be as long as four days, with others able to recover within a few hours.

Groucutt commented:

“Earlier in the year we conducted a similar survey across the London Borough councils and it revealed that RTOs could vary from 24 hours to two weeks. This time we looked at how long it would take to retrieve council tax data and the figures showed that this could be as little as two hours for some councils and as long as four days for others.”

Groucutt concluded: “It is encouraging to see that all city councils have thorough DR plans in place, but that’s only half the job. To guarantee effectiveness, regular DR testing must be performed and plans must be constantly updated.”

www.databarracks.com