I attended a very interesting dinner event recently at The Boxwood Cafe in London hosted by Andrew Barnes from Neverfail. The objective was to have a discussion about Disaster Recovery and the implications for IT and business. It was a very well attended event with some great input from the CIO and IT Director attendees. Sarah Hoyle took some notes of the discussion that really captured the main points and I reproduce the output here:
Many organisations see business continuity as just an IT issue and not a concern for the wider business. Trying to change this view is proving challenging. Generally, except in organisations where there are regulatory imperatives (Financial Services and Sarbanes-Oxley) to deliver structured Business Continuity capability, there is little interest from business people.
There was a strong emphasis on the need for IT executives to get the wider business to understand the value of business continuity and either positively accept the risks or invest time, money and resources into it.
Analysis – this is symptomatic of IT being seen as a cost rather than a business driver.
Some companies started out wanting to protect every server and every application but as the cost of doing so was prohibitive they were forced to identify their real business needs and define SLAs and recovery times so that sensible decisions about business continuity could be made. The point was emphasised several times that business need should be clarified before even considering a business continuity solution as it is the only way to ensure the solution will address the need.
Analysis – this is generally true of all business initiatives – if you don’t start with a vision of what is needed, it is certain you won’t achieve it.
Many companies don’t even consider disaster recovery until after they have suffered some kind of disaster or outage – maybe because after experiencing significant downtime they’re able to put a price on what this has cost the business and are then able to justify investing in business continuity. A better option, though, would be for IT to quantify the anticipated cost of downtime before a disaster occurs.
Analysis – many businesses fail to understand the implications and costs of interruptions to business process, either caused by IT outages or otherwise. CFOs often look at the cost of protection rather than the value of investment in business continuity.
There is often a perception at board level that business continuity/disaster recovery is expensive but this doesn’t have to be the case.
IT is often seen, incorrectly, as creating a need for business continuity rather than identifying the risk. IT systems are often seen as part of the ‘plumbing’ and the assumption is made that it will always be available, come what may, without any need for investment in business continuity.
Analysis – Sometimes business continuity planning is about documenting processes and providing simple workarounds.
Many companies are concerned about the legal implications of risk, particularly legal, finance and insurance.
The consensus was that the business itself should write the business continuity plan from a broader perspective and that IT would write the technical recovery plan to support the business need.
It was generally regarded as key for IT to drive business continuity/disaster recovery and manage the business’s expectations accordingly.
Analysis – this is absolutely spot on.
The conversation then covered some specific examples:
- One organisation insists that each department has its own business recovery plan, which is reviewed every 6 months.
- For some industries the opportunities around HA/DR offered by Cloud computing are not appropriate as there is a legal requirement for the data to be stored in the same country, which may not be possible.
- Some organisations see no immediate need for disaster recovery and are much more concerned with resilience.
- The implications of downtime vary, examples given included:
  - Sheraton hotel website not available on a Saturday morning because of planned maintenance so the person booked a room with a different hotel chain.
  - Whilst some industries, for instance estate agency, may be able to work reasonably efficiently without access to IT systems for a short while, customer satisfaction and retention is impacted if the agency’s websites are unavailable to house hunters – the house hunters won’t go elsewhere but the sellers get very concerned if their home isn’t available to view online. However, when a deal is about to close, or sealed bids are used, access to email and other IT systems becomes critical.
- The question was asked whether lack of availability affects staff morale and retention, particularly with sales staff who view having the right tools to do their job as essential to their ability to earn money.
- The point was made that using backup tapes and then transporting them to another location was often impractical as it would take too long to get them back and then recover from them.
- Although backup and recovery are ingrained in people’s minds when considering business continuity, recovery actually means you’ve failed.
- Simple issues like building access control can be critical if they fail as staff cannot get in or out of the building.
- Protecting data is essential (particularly personal data) as people get fired for losing it.
- 99.99% uptime is seen as the standard but this still means 0.1% of downtime or lost data a year, which may not be acceptable and availability often isn’t appreciated until it’s lost.
- Many people believe that eventually HA/DR will automatically be built in as an integral part of IT systems at point of purchase.
- Many companies focus on the most recent big event (bombs, floods, swine flu) forgetting that a plan needs to be in place to address the consequences of downtime, not a specific scenario.
- Although data may be secure, applications and configurations may not be so easily recoverable.
- Storage, bandwidth etc. are becoming commoditised but demand is also much greater; however, the bigger concern is the staff resource required to manage the IT infrastructure.
- Sometimes legacy environments are built in such a way, and amended over such a long period of time that it is impossible to rebuild them.
Some companies are looking at virtualisation in order to enable maintenance windows and business continuity, and to break the dependence on specific hardware. Reducing costs is also an aim, although this is a secondary objective.
Virtualisation is seen as a catalyst for resiliency as:
- It reduces reliance on hardware
- It allows increased flexibility
- It allows an environment to be replicated and run on any infrastructure