Understandably, the news tends to focus on how dramatic natural disasters threaten life and personal property. However, as professionals, we must also consider how disasters large and small can impact our business. In doing so, we can begin to strategize the steps we will need to take in order to secure our assets, property and investments-all while managing costs. Of course, one of the best things we can do to protect our business is to ensure that our BC/DR (business continuity/disaster recovery) initiatives are up-to-date and ready to implement.
At DRJ's Spring World conference March 30-April 2 in Orlando, I noticed just how many of the attending business professionals seemed to be affected by the tough economic climate. Not surprisingly, conversations heard among exhibitors and attendees alike involved rising gas prices, energy and food shortages, and the devaluation of U.S. currency. Not only do today's businesses need to increase their BC/DR efforts-many on a global scale-but they must also remain cost-conscious. So, how are today's businesses achieving these seemingly incongruous objectives?
Focus on in-house savings
The current trend toward maximizing BC/DR efforts and minimizing costs seems to be that businesses are taking their BC/DR in-house. In fact, many businesses are terminating their hot site contracts, opting for in-house infrastructure or co-location space. BC/DR professionals have discovered that housing the infrastructure within a co-location facility can complement their business, improve operations, ease their accessibility to information, add to their help desk activity and enhance overall storage capacity.
Because of the inevitable pressure to provide for the businesses who wish to increase their BC/DR initiatives and reduce their costs, many established hot site vendors are now converting their facilities into co-location space. Another way in which the marketplace is evolving is the large number of new companies entering the scene that are focused on providing recoverability tools for planning, as well as for actual disaster recovery. These tools deal with both tactical and strategic issues within planning. They represent a dramatic change from where we were five years ago, when tools were primarily focused on technology recovery.
There are two tools that help companies perform BC/DR gap analysis, but in very different ways. One is a software product that measures actual recovery times of all the components within an organization's existing infrastructure, to ensure that none of them is an obstacle to the overall recovery time objective. Another tool is an interactive application that provides a variety of fiduciary responsibility inputs to determine an organization's risk profile. Both tools help organizations ensure that their BC/DR recovery objectives can be met.
Aging infrastructure = opportunity for BC/DR improvement
Aging data centers are a potential disaster on their own. This phenomenon will be tipping the scales in the year 2009 because most of today's data centers were developed in the late 1980s. This makes the majority of our current infrastructure at least 20 years old.
Twenty-first century technology often exceeds the capacity of our existing data centers-requiring additional cooling, space, electrical or storage. It is critical to update infrastructure not only for BC/DR needs, but also for overall functionality. Business professionals are beginning to recognize the connection between BC/DR and their business. In many corporations, IT is their business, so potential IT failings can exponentially impact their business.
Four steps toward ultimate preparedness:
1. Consider potential gain and loss
When executives think about changing their BC/DR strategies, they often consider what they will gain by spending "X" amount of money. These professionals will also benefit by considering, "What will I lose if I don't spend -X'?" For example, a major financial institution has a lot to lose if it faces a potential disaster. It might experience a security breach and lose customers and credibility. It might face a natural disaster and lose its database and history of financial records. A company like this will develop more effective policies and plans if it considers both what it can gain with an effective BC/DR plan, as well as what it could lose without one.
2. Look at IT and business together
Investigate your business and IT needs in the full scope of their environments. Consider all the elements-industry trends, potential growth, areas of weakness and/or decline. In doing so, you can ensure that your long-term IT strategy and business strategy work together toward common, business-enhancing goals.
3. Examine best practices
BC/DR is an industry that has been in existence for more than 20 years; therefore, you can draw upon the best practices already developed by other industry professionals. As you evaluate and identify your best practices, you will want to consider widely accepted standards such as those developed by the Uptime Institute. You will also need to quantify measurements like recovery time objectives and recovery point objectives in terms of cost and risk to your business. All of this will help show you where your BC/DR plan is efficient and appropriate, and where it may need improvement.
4. Outside look
Because BC/DR is an area of business and IT planning that, if you're lucky, you never fully "test," it is critical to build upon the (fortunate and unfortunate) experience of others. It can be particularly useful, therefore, to draw upon the accumulated experience of third-party BC/DR professionals. Hiring BC/DR experts to evaluate your business and its IT needs from a holistic viewpoint can pay off by helping you identify areas where best practices can be incorporated. This will help you ensure that your long-term BC/DR strategy is both efficient and cost-effective.
So, how prepared are you?
You might find out just how prepared you are if you take the time to ask yourself these five simple questions:
1. What am I willing to lose?
2. What information needs to be protected?
3. What are my company's legal obligations?
4. Is my business' reputation at stake?
5. What am I willing and able to spend to protect "X"?
If you are unsure of your answers, you may not be prepared enough. In many organizations, there is a gap between the actual availability of a company's information systems and the level of availability expected by its business units. Closing this gap requires participation by the IT department, business units and key stakeholders. All these entities must work together to assess vulnerabilities and develop effective risk management strategies. The more an organization works to close this gap, the better prepared it will be should crisis strike.