Mark, we've seen plenty of businesses brought to their knees by the effects of flooding this summer. In your opinion, what impact (if any) do the horror stories have on investments in business continuity?

Flooding is just one of the many disruptions that can stop a business from operating. Often, we plan for the ‘obvious', unplanned events such as fire, gas attack, terrorist activity, pandemic and so on. But often it is the minor incidents, like the cable duct that was flood-damaged, or indirect consequences, such as the key worker not being able to get in because the school was flooded, which get overlooked but typically have the greatest impact on business continuity. The thing I hear most often after such an outage is that the cost of doing something (that is, investing in business continuity), might have been considerably less than the cost burden that resulted from the outage.

How can an organisation strike the right balance between cost effectiveness and confidence when formulating their business continuity plan?

That's the $64 million question! You can't plan for, nor afford to cover, every eventuality, so the natural response is to cater for the probable events, in the hope the improbable events don't happen. The alternative approach is to look to duplicate the current, already overly complex infrastructure; however, the cost of this approach is also too great to be cost-effective.

The correct approach, then, is not to view business continuity from a technology perspective, but to look at what is necessary for the business to continue to transact. Often, this will go hand in hand with a simplification project, the cost savings of which help subsidise the cost of the business continuity project.

An alternative strategy: rather than continuing to fund the current costly but ineffective business continuity plan, the ongoing, recurring cost associated with that plan can be used to simplify the current infrastructure, which typically means that, in turn, the business continuity becomes simpler, too. For example, look at the impact of server virtualisation and the relative ease with which it allows you to move tasks from physical server to physical server, regardless of their geographic location. By implementing a server simplification based around virtualisation technologies, such as those offered by VMware, you can also implement a more cost-effective business continuity plan.

What aspects of a business continuity strategy are most likely to be overlooked or omitted for reasons of cost?

Typically, it's those areas that have been overlooked or omitted that will cause the problem. As mentioned above, the need to compromise is often due to the prohibitive costs of duplicating the existing IT infrastructure. The other area where costs are reduced is in the service provided by the remote location. In order to fit within cost constraints, often a business continuity plan will have reduced capacity. This is also an unwise economy to make: in the event of a disaster, offering your customers a reduced service may at best solicit some sympathy for your plight, but more often than not in a competitive market, customers will simply go elsewhere.

If your business is a price-comparison site, for example, and you suffer an outage, then your ‘customer' and their ‘per-click' [your revenue] will go to a competing comparison price. By protecting your ability to transact, even though your physical location or primary data centre may no longer be there, your business will keep running. Therefore, it's not wise for your business continuity plan to overlook, omit or lose sight of those elements that enable your business to transact. The good news is that all other items could be overlooked or omitted.

Who should be responsible for an organisation's business continuity strategy?

Since business continuity is about the continuance of the business, then there should be a steering committee, comprising representatives from all parts of the business. The one group who should not be in charge is ICT [Information and Communications Technology]. This is because the ICT team understands what technology can potentially achieve, and consequently has optimistic expectations about recovery times and recovery points.

Often, the critical factor in the recovery or failover is not the technology, but the resumption of the business processes. In one situation, the recovery time took an hour, of which the technology or traditional ICT part took less than 200 seconds. It took the business the other 57 minutes to get the processes activated. The business's expectation was an hour, which is typically how long it took. ICT's expectation was under 3 minutes, which clearly was never going to happen. Also, no one individual can understand all the areas that need to be ‘failed over'. Therefore, responsibility needs to be shared between the business and ICT.

How should that strategy be communicated across the organisation as a whole?

Business continuity needs to be taken out of the realm of the infrequent and the ‘act of last resort' and brought into the realm of the routine and ordinary. This way, whenever an incident occurs which requires the business continuity plan to be activated, it is done with the calm, rigour and method of a regular administrative task. Some ways to achieve this include the use of two data centres, either in an active/active configuration, or operated as a ‘flip/flop', in which the production side moves between the data centres transparently to the business.

How often should a business continuity strategy be updated?

Continually. Like any other routine administrative task, it needs to be updated in light of new experience and evidence. Business changes, the threats to the business change, therefore the business continuity plan must also keep up-to-date to reflect these changes.

Your Comments and Questions

vshah, 29 days ago

Yes, you are right about business failure after a major disaster. This we have also seen recently in the UK when major flood caused a major breakdown for various IT and non-IT companies to lost their data. To avoid this, any business, either SMB or enterprise, must have disaster recovery plan. Bare Metal Recovery is one a technology which is available in the market but not all people know about this. Check this out at, www.unitrends.co.uk They are the originator for Bare Metal term. Using this technology one can restoer OS and Data very quickly.

Mark Sweeney, 6 months ago

Hi Gary, We're actively working with a number of customers who are implementing solutions to enable the movement of DR/Business Continuity as a routine management task. The general strategy is to first simplify your existing ICT infrastructure then look at implementing a suitable DR soluiton. Heaven can be nearer than you think :-)

Gary Edwards, 6 months ago

Thanks for your response Mark. Out of interest, are you aware of many organsiations that have got it right, in that they already treat DR and business continuity as a routine administrative task? Or are the majority some way off this nirvana?

Mark Sweeney, 7 months ago

Hi Gary, It is always worth investigating since outsourcing may be appropriate for your business, however I'd offer the following advice. Most will want to do some form of chargeble audit to see what you have. Prior to doing anything which involves parting with your cash, understand what approach they take and what thier typical failover process consists of. Most who have done this before shoud be willing to do this as a pre-sales or non-chargable activity bacuase they are talking about what and how they operate. Most important to undertand is the trigger point that initiates the business continuity plan. However more and more customers are looking at how they can bring this in house for a number of reasons. The main ones are:- The ability to support tiered, appropriate response. Just becuase one server has failed you don't always want to invoke DR. Secondly more customers are looking at how they can make their DR & BC more like a regular administration task rather then something that happens in an exceptional circumstance. Thirdly the technology is available to help facilitate cost effective DR and Business continuity. Finally as more IT support teams shrink in the number of members, so the business sees it as a risk to have a percentage off-site to reherse failover. So in conclusion I'd say invesigate it and if you think its for you, be sure you're absolutley clear about what is expected of you and just what exactly any outsourcer will do for you. Thanks Mark

Gary Edwards, 7 months ago

Mark, there are lots of third-party service providers around now, which offer to manage an organisation's business continuity planning and execution. Would you advocate outsourcing, and what are the pros and cons of this approach?

What's Your Question or Comment?

Name

Email Address

Your Website URL (please include http://)

Your Question or Comment

type the text from the image