Gone are the days when a comprehensive business-continuity plan meant mailing back-up tapes to a hot site a few miles away. Today, businesses are always on, running at break-neck speed 24/7. And their business-continuity plans need to reflect that reality.
“If we’re not getting data from our customers, we can’t run our business,” says Jeff Flanigan, director of IT infrastructure at E-gatematrix, an Atlanta company that tracks and stocks meals, headsets, blankets and other service items for major airlines around the world. “There are airplanes in the sky 24/7, and we’re always either loading aircraft or getting ready for aircraft to come in. It’s a nonstop process. We can’t be down, and our disaster-recovery plans have to take that into account.”
Fortunately, new data center technologies, such as business process monitoring, continuous data protection and virtualization, are emerging to make recovering such environments easier and more cost-effective. Experts and users who have built successful business-continuity plans offer the following best practices for business continuity in the era of the new data center.
1. Tier applications by criticality. Today’s organizations are becoming increasingly data-intensive and, as a result, the amount of data they potentially need to recover quickly can become overwhelming. “Up until now, many companies aimed to recover absolutely everything in one fell swoop,” says Michael Croy, director of business-continuity solutions at Forsythe Technology, an IT consultancy. “But that’s just not feasible anymore because most organizations have too much data, too many applications and too many interdependent processes.”
The solution is to take a holistic view of the business and bring back only the most critical applications right away. “It is not always feasible to bring everything back straightaway,” says Penny Turnbull, senior director for crisis management and business-continuity planning at Marriott International, in Washington, D.C. “If you don’t need certain things immediately, you can be wasting time, effort and money planning for their recovery. And that’s what business-continuity planning is all about: Knowing the must-haves, because you can’t recover everything.”
Marriott has built an enterprise business-continuity framework that guides users through the process of deciding business process and application criticality and tailoring continuity plans accordingly. “You need to put applications into context because this isn’t business as usual,” Turnbull says.
2. Weigh criticality against overall cost. In some cases, business-continuity planners need to weigh even the most critical applications against the overall cost of recovering them after an incident.
“You can create any solution if you have enough money,” E-gatematrix’s Flanigan says. “But in a lot of situations, you don’t have to.”
Instead of instantaneous recovery, E-gatematrix realized it could get by on a four-hour window for getting its most critical applications up and running after a disaster, he says. “Just because the technology is available to get everything back right away doesn’t mean my business can afford it. I try to craft the solution that best fits the needs of the business and go from there,” he says.
3. Buy with an eye toward business continuity. Savvy organizations virtually never purchase technology for disaster recovery alone. Today, companies can leverage most new data center technologies in building robust, just-in-time business-continuity plans.
The Chicago Tribune, for example, has consolidated its critical applications onto two Sun Fire 15K servers, located on opposite sides of town, says Pete Mashek, director of production systems at the newspaper. It links those servers via AT&T fiber and Nortel metropolitan Ethernet switches. The whole point was to build more reliability into the production systems, but the company also made huge strides in business continuity.
“We needed to upgrade anyway, so it made sense for us to take disaster recovery into account while we were at it,” Mashek says. “From a purely financial point of view, disaster recovery is a cost. But when you’re buying new equipment and putting in new architectures to support the business anyway, you can mitigate the disaster-recovery costs at the same time.”
For the Tribune, the result is an active-active clustering solution that supports day-to-day business and offers less than a second of downtime when a disaster affects one center.
4. Emphasize the “business” in business continuity. “Business continuity can’t be a one-off anymore,” Forsythe’s Croy says. “It should be an integral part of day-to-day business.”
This means evangelizing continuity across the business so that not only is it taken into account each time a new system or application is brought online, but also so that business expectations and actual systems availability align appropriately.
“There can be an awful lot of assumptions made about what’s backed up, what’s protected, what’s recoverable, how quickly and who’s going to do it,” Marriott’s Turnbull says. “It’s only when you sit down and talk it through that you find the gaps.”
Ensuring ongoing discussions between the business units and Information Resources (Marriott’s technology department) is a core part of her job, Turnbull says. The goal is making sure assumptions are correct and everyone is clear on their roles and responsibilities.
“The business-continuity planning discipline has changed so much in the last few years. It used to be much more technology-focused. Now it needs to be far more comprehensive,” she says. “You need to go beyond technology to look at the whole business – the people, facilities, assets, reputation and brand image, and so on. It has to become part of everyday operations.”
5. Don’t get enamored with technology. Sometimes a company can support critical business processes with plans that involve simple paper-based procedures or focus on more important assets, such as people. “Bottom line, it is important to recognize which business processes can go manual,” Turnbull says.
At Marriott, this emphasis on the bigger picture of business continuity, as opposed to simply a technology-centric view, was underscored during the Sept. 11 terrorist attacks, Turnbull says. Sept. 11 “highlighted the importance of people,” she says. “You can recover all the systems you want in the world, but if you don’t have people to operate and utilize them, then why are you recovering? Business continuity is more than that.”
