Business continuity once had a lower priority than other IT issues, but today’s IT managers recognise that any enterprise is vulnerable to unplanned disruptions. Reliance on complex supply chains, for example, can cause even a small interruption to bring an organisation’s operations to a halt, as can a disaster occurring even a continent away, says David Spate, Sales and Marketing Director, EMEA Disk Solutions, Overland Storage (EMEA).
Witness the problems resulting from the cutting of two undersea cables in the Mediterranean in February and December 2008 that affected IT operations in fourteen countries throughout Europe and the Middle East.
Road works outside the office, a power cut or a computer virus infection or the more likely event of a computer malfunction or human error are all commonplace IT interruptions that can occur without warning and impair the business activities of any organisation. If any interruption damages stored data than a company quickly finds itself in a tricky situation.
The well-designed business continuity plan
A good business continuity plan covers all IT resources, including telecommunications, networks, servers and storage. Some 80% of companies have disaster recovery plans, but most cover only their datacentre resources.
Does your organisation have an enterprise solution to address business continuity? Business continuity plans depend upon the protection of data for backup and recovery, as well as these components: Data and storage networks; data on LAN workstations; internet access and information availability; phone systems, e-mail etc.
At the core of the plan an organisation needs to set its recovery point objective (RPO) and its recovery time objective (RTO) based on the critical needs of the business and the technology that the company has to manage the process.
The RPO is the point in time to which you must recover data as specified in the plan. For example, data must be recovered from a backup an hour ago, last night or last month. With continuous data protection this ‘acceptable loss’ window can be cut to no data loss at all or mere milliseconds of loss.
The RTO is the time when business processes and data must be restored after a disruption. Clearly shorter is better for any organisation, but it depends on the skills and technologies, especially backup, that are in place.
Most importantly, to ensure that these targets are met in the event that disaster strikes, and to ensure that data is not inaccessible for too long, the organisation needs ‘failover’. An organisation’s backup and storage systems are the memory of an organisation. Without this stored data orders cannot be filled, contracts cannot be checked and compliance issues are faced.
What are the steps?
The goal of a business continuity solution is to identify the most cost-effective disaster recovery plan while addressing the need to continue business in the event of a disaster, a complex task involving many departments. For IT, the plan requires research, implementation, validation and maintenance:
- Create a crisis management command structure
• Open a secondary work site (where necessary)
• Choose, install, and maintain the telecommunication architecture between the primary and secondary work sites
• Choose, install, and maintain the data replication or movement methodology between the two work sites
• Choose, install and maintain the hardware at the secondary work site
• Choose, install and maintain the application and software at the secondary work site
Many organisations must also ensure the safety and confidentiality of their records, even in case of disaster, to comply with national and industrial legislative requirements. The hardware an organisation requires to manage business continuity generally consists of:
- A storage solution
• An appliance to manage service failover
• Disk backup
• Tape backup and archiving
• Tiered solutions with flexibility for upgrading and expansion
The software required to run state-of-the-art business continuity technologies can include:
- Server virtualisation
• Application failover
• Continuous data protection
Business continuity in a downturn
Business continuity is as desirable and sensible as it always was, however a renewed focus on costs and cash flow means that IT managers who know its value may struggle to communicate it to the board in language they will respond to at present.
The IT manager, concerned with uptime and continuous availability, knowing that their heads will be on the block in the event of loss of service, must position business continuity in terms of both potential financial and reputational loss in the event of disaster outweighing costs of implementation. As insurance in other words.
An interruption of IT services and the loss of data (customer orders, research, contracts, financial transactions, etc) can cripple a business, but the board may see the cost of implementation as too big an issue to contemplate in these turbulent economic times.
The issue should not be between having business continuity IT systems in place or not having that protection; when budget is an issue it as a question of what is the level of risk an organisation is prepared to take. Once that level is ascertained the correct systems need to be sourced and implemented in line with the company plan. When more budget becomes available the issue can be revisited and adjusted to better fit the ideal risk profile the organisation would like to aim for.
An Intellect report (State of the UK Technology Sector – President’s Report 2009) demonstrated that whilE the recession has tightened budgets, companies are also focusing on using IT to increase efficiency and cost reduction projects. Any organisation reappraising their risk profile in this way will certainly, or certainly should be, concerned with using this scrutiny to iron out existing problems and to implement cost effective new solutions where deficiencies are found.
If an organisation merely cuts budgets without considering impacts and making allowances for the new situation then business continuity staff may find their roles changed and important security projects postponed indefinitely. This can save costs but impair continuity plans and systems, potentially bringing underlying problems into the limelight at a difficult time.
Maximising risk reduction and ensuring the business carries on
For the average medium size business with a few hundred staff, the minimum technological business continuity requirements (assuming that policies and plans have been put into place in advance) include:
- A storage solution that reliably performs under all network conditions, preferably with an uninterruptible power supply to counter one of the most commonplace technical difficulties: power cuts.
- An appliance to manage service failover including real-time replication and application awareness to achieve near-zero RTO and RPO objectives. The use of an appliance eliminates the burden on existing resources that are typically already resource constrained and ensures heterogeneous interoperability with existing and new servers, storage and networks.
- Disk backup, possibly at a mirrored separate site to counter site disruption like a fire or network disruption. This allows fast acting recovery in the event of most likely business interruptions. Ideally the solution should write and read data fast and should integrate seamlessly into vendor neutral storage networks.
- Tape backup and archiving for longer term, lower cost storage in case of large-scale disaster recovery requirements. These should be highly scaleable as stored data can only grow, and should interface with every storage connector to allow flexible and fast connections to any network if offices need to move in the event of disaster.
- Tiered solutions with flexibility for upgrading and expansion which allow cost effective data storage and recovery depending on network usage and application importance regardless of location, local and/or remote.
Organisations can also benefit from utilising server virtualisation to reduce physical server numbers, decreasing the network topography complexity, minimising an IT infrastructures mean time between failure (MTBF) ratings and greatly reducing maintenance costs.
Continuous data protection can also ensure an organisation never loses data by automatically saving changes to backup areas/appliances as data is edited. In this way if disaster occurs, rollback to latest versions is guaranteed to very fine tolerances, enabling an organisation to meet its recovery point objectives with ease.
Managing the risk against the budget
The factors of budgetary pressures, risk aversion versus allowance, technical know-how, the RPO and RTO and individual organisations’ ideas of best operating practices all must be debated and worked out between IT and the board.
Posing the issues of business continuity like insurance should ensure that an organisations’ planning for the worst should not be bogged down in ‘IT issues’. Just because there are technical solutions to the business continuity problem does not make it a wholly IT issue or wholly IT’s problem for IT’s budget alone. After all, if data is lost an organisation will literally not know what its history is or at what status it may be with customers, suppliers and the law?a sobering thought.
However, IT is the most important component and the various backup technologies should be weighed and measured and chosen carefully and not stinted on for the continuing safety of the business. Business continuity should be the proper concern of the board who need to consider the matter appropriately, plan for various risk scenarios and implement backup and recovery solutions which are a mix of IT and sound policy.