Planning for the unexpected is never easy. And when it comes to quantifying the risk of an IT interruption and allocating appropriate budget, many organisations struggle to formulate adequate continuity plans – whether for minor interruptions or major disasters.
Despite awareness of outages due to server overheating, security breaches and even the threat from terrorist activity or climatic change, analysts at industry watcher the Meta Group report that only 20% of the Global 2000 have comprehensive set of business continuity plans.
That 20% is mostly made up of companies from industries, such as financial services or telecommunications, where downtime is not tolerated or where regulations force them to ensure the very highest levels of continuity.
But the picture is changing. More organisations are coming under regulation pressure to ensure the robustness of their business systems. Added to this, business insurers are increasingly demanding some form of continuity planning is in place as part of standard policies.
A good example is Honda. The Automotive giant Honda has taken the decision to introduce disaster recovery standards for all its international units, including the UK, decreeing that plans must be in place for the business to be up and running within eight hours of an interruption.
According to Honda's calculations, total destruction of its Langley site near Heathrow Airport would cost it £41.2 million in the first 10 days; losing access to the site for just three days would cost £3.0 million. If there was an incident, it could be potentially devastating, says Mervyn Eyles, manager for customer support at Honda UK, "so an investment of £500,000 [in business continuity] seemed pretty worthwhile."
Meanwhile, other organisations are finding that operational issues are forcing them to consider strategies that go beyond recovering from damaging events. As businesses begin to take on board concepts of ‘real-time' interactions, it becomes imperative to invest in systems that will keep operations continuous. Ensuring that systems are robust, and not in danger of being taken down by server outages or power failures is playing an increasingly important part in organisational thinking.
This is reflected in predictions over future planning – and spending. According to Meta, 50% of Global 2000 businesses will have comprehensive business continuity plans by 2008.
The investment in business continuity is also coming from a much broader range of industries than purely financial services, which used to constitute the majority of customers, says Alexander Delcayne, European technical director of storage software maker FalconStor.
But expenditure must still be closely tied to business value, he adds, forcing the CIO to evaluate which aspects of his infrastructure are most critical. "It is easy for banks to argue their transactional systems are critical. For others, perhaps it is the ERP system. But what about email? Is it mission-critical?"
This sort of evaluation requires businesses to undertake two different calculations, says Dennis Ryan, European development manager at storage systems giant EMC. These are recovery time objective (RTO) and recovery point objective (RPO). RTO is the elapsed time from the time of a disaster until the IT infrastructure and data are recovered; RPO specifies the maximum amount of data that can be lost before having a critical impact on recovery.
"With high-end transactional systems maybe 30 minutes is an acceptable RTO with zero RPO. This kind of calculation can help you assess what layers of technology you need to put behind applications, whether you're looking at data cloning, snapshots or replication," says Ryan.
As businesses build up a picture of which applications are the most critical, investment can be prioritised to those areas. This can help drive down the cost of business continuity planning substantially. "Where data is not critical it can be siphoned off to the deep freeze," says Charles Cameron, CEO of storage service provider InTechnology. "This takes longer to recover, but the prices are much lower."
Building up a profile of the business requirements for supporting applications can help minimise the impact of an adverse event – and do so cost-effectively. But that still leaves questions of the physical location of data centres.
Honda UK, for example, quickly realised that its own disaster recovery plans needed to involve the capability of moving data off-site – its main plant is located on the Heathrow flight path, so disaster planning necessarily involved making contingencies for losing the site.
This has encouraged vendors to offer off-site services. These can range from hot sites, where businesses can quickly relocate should the need arise, to outsourcing the entire data centre, leaving the responsibility entirely in the hands of a third-party supplier.
Separately, a different approach to infrastructure is beginning to emerge; that of grid computing. Grid computing has matured in academic spheres over recent years, but now large vendors, Hewlett-Packard, Sun, IBM and Oracle among them, are beginning to apply the principles to enterprise computing. With a grid, there is no single point of failure, even the event of a large disruption to one data centre will not bring processing to a halt (see feature ‘Continuity guaranteed'). Some see this as the ultimate expression of business continuity.
Whether it can be widely achieved – and at a price organisations are willing to pay – has yet to be proven.