For anyone driving to the data centre of Nottingham-based credit reference agency Experian, some advice: even if there are no parking spaces, don’t park on the reed beds. The reed-covered swamp around the site’s perimeter is just the first line of protection guarding the new £31 million centre.
Further inside, beyond the bomb-proof reception, is the computer room, where access is highly restricted: administration tasks are carried out in a separate, secure area.
Experian’s management invests more and takes greater steps to protect its data centre than many companies. But to achieve the £1.3 billion it generated in revenues for 2004, the availability and integrity of its 543 million records was a requirement. The lengths it will go to in order to protect its data reflect how seriously its management team take business continuity.
For managers at other organisations, the business case for a £31 million investment in a resilient data centre might not stack up. “Businesses must be pragmatic about risk,” says Correy Voo, head of business technology services at BT.
In some cases, that pragmatism must extend to accepting that there will be interruptions in operations, he adds. “If your organisation operates in an area that is known for high winds, for example, there is no point in spending every thing you have to guarantee constant availability, because however much you spend you will still get an interruption when a telephone line falls down.”
So how much should businesses be spending on business continuity? According to business continuity analyst Datamation, systems downtime costs on average £52,000 per hour – that at least gives managers a ball-park figure to begin with.
The costs of downtime were brought home to executives at French footwear manufacturer Pikolinos International, after a systems failure, which halted operations for a day and a half. Its managers estimated that that the cost of downtime was roughly E160,000 per day.
Although as BT’s Voo points out, there is no fixed formula that can be used to calculate costs. “The same company can have various services, but there may be only one or two that the customers associate with the value of the brand. For instance, if some of the BBC’s servers fell down, they might want to prioritise their news sites over some of their other services,” he says.
According to analysts at IT advisory group Forrester Research, business continuity investment is second only to security in terms of priorities for IT directors – nearly one in five managers cite it as a critical area for investment.
But despite the acceptance of the need to mitigate risk, senior managers may have very different views of what constitutes a priority.
“There are three areas to think about when evaluating the cost of [IT service] downtime,” says Paul King, senior security advisor at network equipment maker Cisco. “We can split threats into those that concern the CIO, those that concern the CFO, and those that concern the CEO.”
Such divides can frequently mean that spending is allocated to the wrong areas, says Michael Rasmussen, research vice president at Forrester. Priorities are skewed by high profile events such as hurricanes or terrorist attacks, rather than more mundane – but equally disruptive – events such as application failures. “Attention span that is only galvanised by disaster is another business continuity risk,” he adds.
At the UK’s top children’s hospital, Great Ormond Street, medical care is highly dependent on the availability of patient information systems. It has invested in an on-site and remote disaster recovery service, to insure against calamity. But, notably, the only time its management team has had to invoke the disaster recovery plan was to cope with a software problem.
“IT incidents happen much more often, and therefore they aren’t seen as major incidents,” says Tony Halliwell, managing consultant at SunGard, which provides the Great Ormond Street service.
Halliwell advocates a holistic approach to business continuity spending: evaluating the risks associated to any given business process, combined with an assessment of the value of the process to the organisation. This then drives decisions about investment in redundant systems or recovery plans. It is the CIO’s job to relay those calculations to the executive board, he adds, taking responsibility and also adding value to the business.
However, while it is relatively simple to evaluate operational risks, such as potential loss of sales, reputational risks are much harder to quantify. The Great Ormond Street Hospital may be able to rely on its paper-based systems to carry on providing care in a crisis, but what of its reputation? Currently, the hospital attracts some of the world’s leading paediatricians; its reputation is precious.
In such cases, evaluating what constitutes an appropriate level of business continuity investment is all about managing risk.
For Claude Philipps, programme director for the Torino Winter Olympics, reputation was paramount, business continuity costs had to be borne: the Olympic games could not be let down by inadequate IT support, and that meant that resilience was essential. Each mission-critical server was replicated at the main data centre – and that data centre was replicated on a different site, several miles away.
To justify that level of spending, Philipps explains: “The Olympics is about athletes, not IT. It is critical that IT remains behind the scenes. IT failure will not be forgiven and cannot be allowed.”
Business continuity is clearly grabbing mindshare at a senior executive level, as indicated by the numbers that have increased their spending.