The need to improve the reliability of IT systems – and in particular the ability of companies to recover their data following a problem – has driven manufacturers and software companies to innovate around disaster recovery and back-up technologies.
Innovations such as snapshotting, shadowing, backing up data to disk rather than tape and the development of mirrored systems have all contributed to greater availability and reliability in data centres.
But this narrow focus on data back-up and recovery does not always translate into a strategy that allows a company to continue trading in the face of a serious disruption to its business operations.
Even if the data itself might seem secure – although in many companies even that basic assumption might not stand up to testing – a company might still not be able to recover. Too often insufficient attention is paid to how staff would access IT systems, or even where staff would sit, following the loss of a key office building, and whether they would have the resources they need to do their jobs.
The heightened security environment after 2001 has given rise to geographic clusters of business continuity planning (BCP) best practice and new thinking. Unsurprisingly these are most prominent in London and New York.
Typically companies with sophisticated plans are those that see themselves most at risk (perhaps because of the nature of their business but often because of their geography) or those with the least tolerance to failures. Financial services firms are the private sector bodies least able to allow downtime – in part explaining the concentration of clusters around London and New York.
According to Simon Mingay, a Gartner analyst, interest in the topic falls off sharply the further companies are from the high-risk, high-availability clusters. Even in California, a state prone to earthquakes, BCP is far less advanced than in New York.
A company that is forward thinking on BCP need not, according to Mingay, be deploying hugely expensive or complicated systems; nor need they be especially at the cutting edge when it comes to technical data back-up and recovery. Instead, it is attention to detail that sets them apart. “It is about doing the basics well, looking at the policies you have got, and making sure you are doing what you say you are doing,” he says.
One area where IT can help is in employing a greater level of automation to handle basic back-up and recovery. Tools, from vendors such as Veritas, Computer Associates and Hewlett-Packard, ensure that data centres follow back-up policies. For example, if tapes need to go off-site nightly, an IT manager can write rules into the system so that this is checked. This creates a fallback in the event of a drastic disruption.
However, automating back-up processes will not provide sufficient protection. According to analysts at the Meta Group, failure rates of between 5% and 20% are not uncommon for nightly tape back-ups.
Where continuity planning has to include plans for recovering from catastrophic disruption, companies have to also consider employees. That means ensuring staff have places to work, contact lists to ensure key personnel are kept ‘in the loop’ and that alternative sites are sufficiently equipped to allow staff to start the process of recovery.
Some businesses have opted to include ‘dark sites’ into business continuity plans. These provide locations where staff can transfer in the short to medium term.
Alternatively, through locating data centres away from operational sites, companies may be able to carry on ‘as usual’ through home working and mobile technologies.
Businesses rightly plan for a catastrophic loss, but in practice a number of smaller business process or IT systems failures can be almost as damaging in terms of lost business or reputation, especially when customer data is exposed. According to Meta, less than 3% of all data loss is a result of a disaster – it is the smaller incidents, left undetected and under-prepared for that can undermine business continuity plans.
Frequently, data integrity is threatened during periods of organisational change. Business continuity experts advocate building a business continuity element into any process change. Thus, BCP becomes inherent in all business planning.
In the example of change management programmes, these should account for the unforeseen consequences if the change does not go according to plan. Ultimately, companies may have to roll back the unsuccessful change, and a strong change management process is vital to do this. If project managers and those responsible for business continuity liaise from an early stage, the chance of the plans being tested in anger is much less.
Business continuity plans cannot be solely the preserve of the IT function. Business leaders need to establish objectives and priorities for recovery and downtime. That can then be used to inform infrastructure investments. And as with all plans, it is important to test them. Again this involves groups across the organisation, and not just the IT department.