The full cost of a business's failure to allow for interruption of its activities can only be guessed at. Few companies that suffer a truly catastrophic failure to their systems survive to tell the tale. The full costs – in lost trade, unpaid debts and in jobs – may never be measured.
The US-based Business Continuity Institute estimated that 80% of companies that suffer critical data loss go out of business within little more than a year. Whether it is the result of a simple IT failure or an external problem, from a power outage to a security emergency, a business continuity failure is a serious matter. Customers will most likely go elsewhere; regulators might well impose financial sanctions; and insurers are likely to take up to two years to pay out.
Such consequences make the case for investing in business continuity planning (BCP) straightforward enough. Building a business case for specific investment, however, can be more difficult. It requires business units to be realistic about their continuity needs, and open to negotiations about how these can be met.
IT directors observe that if they were to list their priority systems, they would list them all. If they were asked for an acceptable recovery window, it would be immediate. Business units also want systems to be permanently available. This can be achieved, but the systems needed to provide near-zero downtime, almost total resilience and instantaneous recovery are either expensive or require investment in technologies, such as grid, that have yet to gain widespread acceptance within the enterprise.
Chris Frampton, who runs the EMEA business continuity practice at Veritas, argues that building a business case for BCP means moving the IT department to a service provider model, with the business unit acting as the client. This encourages both sides to engage in realistic negotiations over priorities. It also allows the user and the IT department to present a consistent message to the board when it comes to bidding for funds.
Boards are increasingly aware of their obligations under legislation such as Sarbanes-Oxley or the Basel II accord to ensure they do have a recovery plan. The danger for IT directors is that BCP is tackled as an afterthought, severely stretching the central budget.
Instead, Frampton recommends that every new IT project should have a disaster recovery element built into it, but that element should also be integrated with the overall business continuity plan. This has two effects. The first is to ensure that disaster recovery and BCP funds follow projects. If it takes 10% extra to build BCP into a project such as a new CRM system, that is unlikely to affect its viability unless it was already a borderline decision. It also removes the burden from the IT department of having to find funds for additional hardware, software and personnel.
This routine planning for business continuity costs also reduces the chances of companies over-specifying. Instead of each project manager specifying ‘x+1’ servers, where the ‘1’ is the disaster recovery failover, there is a strong chance that the role could be met by existing disaster recovery equipment under the existing business continuity plan, or that existing systems could be upgraded at the centre. Both approaches will control the upward creep of BCP spending.
At Veritas, Frampton also advocates the use of gap analysis to assess whether BCP spending is sufficient, or indeed excessive. Businesses should look at their ability to recover from a range of threats, and assess that against a period of downtime that is acceptable. This shows the work that needs to be done in BCP.
The gap will differ from application to application and company to company. Frampton has found gap analysis to be more commonplace in continental Europe than in the UK, but its use among UK businesses is growing. Companies are also more willing to use service-class definitions, to make it easier to match the right level of business continuity to a particular business system.
Chris Stuart, a technical consultant in the UK and Ireland solutions group at storage vendor EMC, believes that breaking down the business continuity plan to a system-by-system level makes it easier to prove that an investment is necessary, in a field where, all being well, ROI is never put to the test.
He points out that the relationship between recovery time and the cost of business continuity arrangements is typically exponential, with zero data loss generally cheaper to achieve than zero downtime. Achieving a five- to six-hour recovery window might cost half as much as a two-hour window. The longer recovery time is likely to depend on conventional and low-cost technology, such as tape back-up. Instant replication to expensive, fast hard disk will result in a shorter recovery window.
If IT departments can establish a formula for the relationship between the cost of BCP and the recovery window, they can provide businesses with a realistic set of choices.
Nor does such thinking apply only to hardware and the data centre; it can also work for standby office facilities. Here businesses face a choice between paying for company-owned ‘dark sites’, having a third-party supplier on site, or making contingency plans to bring one in should the need arise.
Research firm Gartner argues that the move towards 24×7 business, along with the increasingly global nature of trade, has widened the task BCP must undertake. Businesses will have to consider a wider range of threats – to suppliers and possibly customers, as well as to themselves – from ever-wider geographies. While technology can meet most of these threats, a rigorous assessment of a system's criticality, and the recovery time it needs, is vital if BCP is not to be a cost burden.