Hurricane Katrina made every IT organization question the viability of its disaster recovery (DR) plan. A natural disaster, a major accident or a terrorist act in the headlines forces us to think about survival. Could your facility, or your business, take a hit like that and survive?
At such times, many businesses resolve to ensure that their data assets are protected. Yet in the years since 9/11, the 2003 blackout, the Quebec ice storm and Hurricane Andrew, there has been little real change in the way businesses manage these sorts of risks. While spending on disaster recovery and business continuity (BC) activities has risen, such increases are gradual and do not reflect the attention spikes that follow disasters.
A year after the 2003 blackout that left a large swath of North America’s industrial heartland without electricity for several days, the Leger Group surveyed 300 Ontario business leaders about their business continuity plans. They found that only 30 per cent have a full-blown business continuity plan, while another 32 per cent claim to have an informal plan; 28 per cent had no plan at all.
Toronto-based IDC Canada Senior Analyst Leslie Rosenblood attributes this gap to a natural human tendency to lose focus once the risk abates, but also to the perceived complexity of disaster recovery planning. Also, the time and people required to do the planning are often seen as non-productive drains on resources.
Yet most businesses are fully aware of the critical importance of their data. As Rosenblood puts it, “Bits are more important than atoms” to all but the smallest business. A business may lose tools, equipment, or even a building and still survive, but if it loses its data, it no longer has a business.
Protecting the “bits” by applying such traditional IT strategies as tape backup, off-site storage, disk mirroring and uninterruptible power supplies, is the focus of disaster recovery systems, while business continuity planning encompasses a wider range of business activities. These may include — along with DR — facilities and personnel security, crisis communications and employee assistance.
The good news is that effective DR systems are no longer just for the largest and richest companies. Hoping to nudge Canadian businesses out of their apparent somnolence, a growing cadre of vendors now offers more varied and affordable solutions than ever. Falling technology prices, open standards and the Internet also makes it possible for more — and smaller — businesses to participate.
Rosenblood points to a recent move away from monolithic DR systems based on a single vendor’s proprietary hardware or software, toward “integrated solutions: specialized solutions that incorporate the best of both software and hardware platforms.” But he feels that vendors need to do more to educate customers about the solutions available and let them know that DR doesn’t have to be prohibitively expensive.
Reluctance to undertake company-wide DR planning as a stand-alone project is another characteristic of the Canadian market. On the other hand, DR elements are routinely being incorporated into other IT projects, such as migration of data centres or major software upgrades. Now, new legislation, like Sarbanes-Oxley in the U.S. and PIPEDA in Canada, while not directly addressing DR, add an indirect driver by forcing companies to look very carefully at their data lifecycle management.
What are the obstacles to buil-ding a comprehensive DR plan? Colin Charlesworth, Director of Business Continuity Services at Emergis Inc., a transaction processor to health insurance and financial services clients, asserts that you need an internal champion to drive change. But he also warns, “It truly takes commitment from the top executives. You have to get the attention of the person who has the most to lose — those who will feel the greatest pain if a particular function is unavailable for six hours, 24 hours, three days, a week.”
The other strategy that Charlesworth advocates is a careful, systematic approach, backed up by effective project management. “The first step in developing a plan is to do a business impact analysis (BIA). This will identify the business’s most crucial services, applications and business functions,” he advises. It also gives you a much better fix on the cost of an appropriate DR system. The first step in developing a plan is to do a business impact analysis (BIA). This will identify the business’s most crucial services, applications and business functions.Colin Charlesworth>Text
IDC’s Rosenblood points out that Canadian companies tend to prefer getting a consultant to teach them what the best practices are. Then they buy the equipment, possibly retaining a contractor or consultant to assist with the implementation and training, but then run the solution in-house. This is essentially what Emergis did, selecting SunGard Availability Services to help them develop, install and test their DR system, with Emergis staff going on to run the program for the past three and-a-half years without outside help.
The benefit of a DR system like that developed by Emergis was brought into stark relief during the havoc caused recently by Hurricane Katrina. Dave Palermo, VP of Marketing at SunGard, tells of a customer in New Orleans whose critical applications were running in their Philadelphia data centre.
With the category 4 hurricane about to make landfall, the client dispatched an IT team to SunGard’s Smyrna, Ga. data centre where members were given temporary workstations. They were able to access the company’s data at the secondary site and keep the business up and running throughout the storm and its aftermath.
According to Palermo, the key to this seamless recovery was the space and attention given to the people element. “At its base level, Information Availability is about keeping people and information connected,” he asserts.
For many companies, the private networks and multiple data centres offered by SunGard are still out of reach, but there are a number of viable alternatives for smaller enterprises. Bell Canada, for example, offers a Business Backup service for small businesses, which allows companies to transfer critical data to a secure server over the public Internet.
The DR system a company ends up adopting may vary, but the process always starts with careful planning. As Rosenblood predicts, there will be a disaster of some sort somewhere that will affect your business. It’s just a question of when. Having a plan in place to cope with the unexpected may mean the difference between survival and (literally) going under.