Very few IT executives will be blind to the risk of a significant outage and the potentially devastating impact it could have on their business. But at the same time limited budgets make mitigating such risk a major challenge.
The chances of a business-crippling catastrophe such as the data centre burning down may be small, while the inevitability of a server or disk drive failing at some point needs to be balanced against the likely lower impact on the business.
This type of risk assessment has polarised thinking – whether businesses should invest in full disaster recovery or adopt business continuity measures. Perhaps they should not be treated as separate concepts, says Bill Crichton, European consultancy manager at the business continuity practice of Hewlett-Packard’s Synstar division. “Business continuity is about looking at the impacts of not being able to serve your customers. It is about understanding the risks to your business,” he says.
It all comes down to calculating the impact a failure would have on the business.
Aside from disaster scenarios and systems downtime, risks might include a weak security policy that does not protect systems from either physical intruders or hackers and viruses attacking electronically. Less obvious risks might include an over-reliance on contractors whose knowledge cannot easily be replaced and may be vital for running applications on obscure or antique hardware.
Undertaking this analysis will ultimately guide strategy decisions, says Debbie Rosario, head of the business continuity practice at Compass Management Consultancy, and formerly a business continuity manager for Marks & Spencer.
“If you can’t cope with an interruption to your service you need to be thinking about business continuity. It is only the business that can decide what the impact of an interruption would be and whether they are willing to stand that,” she said.
It is a rare company indeed that avoids downtime. According to research by Synstar, half of European companies suffer 20 minutes of unscheduled downtime a month; one in four admit to more than an hour of unexpected downtime a month; and one in eight say systems are down for more than two hours every month.
Priorities need to be attached to different systems to determine different levels of business continuity and disaster recovery. If downtime afflicts systems that are not core to the business then it may be possible to live with modest measures for recovery. Synstar’s research shows the most important systems according to IT directors are email and file and print services – with the least mission-critical application for most identified as staff Internet access.
As John Holder, senior research analyst at Butler Group, explains: “It is that risk assessment that is the key – and it is a continual process. It’s no good looking at it every six months because application priorities can change radically.”
After assessment, the next step is to build a risk mitigation programme to take practical measures to avoid downtime by tightening up procedures and replacing systems. The programme may involve some element of building in redundancy or remote processing.
In doing so, organisations can minimise or even avoid the need to build in extra capacity so they can hot-switch to another set of systems – either internally or remotely – in the event of a problem arising. While that option of designing high availability into the IT architecture is attractive, some organisations in areas such as financial services or telecoms need guaranteed uptime and cannot dispense with a disaster recovery site.
“There are an awful lot of side benefits of looking at the organisation from a risk perspective,” adds Synstar’s Crichton.
Another benefit of the analysis is that costing for business continuity becomes much clearer, argues Chris Frampton, head of business continuity practice in Europe at back-up software company Veritas (soon to merge with security company Symantec).
“By doing this they get the architecture set, they know what the business needs are and they know the cost of their current disaster recovery strategy – and if anything new comes along they can apply the same procedures,” he says. The final stage of such a risk management programme is to build the recovery strategy. For example, organisations should calculate how many people will be needed to keep the business running in the immediate aftermath of a major outage, where they will go and what key systems they will be using. And of course, testing the strategy – regularly – will ensure that no eventuality is overlooked.
Organisations are opting to implement business continuity without disaster recovery, but the key is to understand which systems are vital to the business and then to take necessary – and affordable – steps to minimise their lack of availability.