Through the fog... Business continuity and disaster recovery

Natural phenomena, acts of terrorism, hacker vandalism and competitive disruption are all making securing businesses harder. Quocirca research director Clive Longbottom explains the key to how business continuity and disaster recovery should be approached...

As we have become more dependent on the technologies underlying our businesses, the requirement for a continuous technology service has become increasingly important. For this, we need to plan for business continuity – the capability to continue operating and trading even when things are going wrong. However, many companies are still stuck with the notion of "disaster recovery" – how to get back on line rapidly when the proverbial does hit the fan.

So, there's a need to approach this from a different point of view. Let's start with a team of people dedicated to ensuring that our systems stay up for as long as possible, even when there are things happening that impact the technology's capability to maintain its integrity.

This group of people will be our business continuity (BC) team. It will have the remit that failure is not an option. The team's target is for 100 per cent system availability – not 99.99 per cent, not 99.995 per cent but 100 per cent.

"Impossible!", I hear you thunder (or whimper, if this is your area of responsibility). Maybe so but if you provide someone with a target of 99.999 per cent and they reach 99.99 per cent, they will feel that it is 'close enough' – and there is no room for 'close enough' when it comes to business continuity. So, for every failure that the BC team is responsible for, a full report must be written and the lessons learnt to try and avoid this from happening again.

Now we have a team of people dedicated to 100 per cent system availability and, as long as their plans work, we have no problems. Unfortunately, the real world will always intrude – the BC team will fail, whether due to holes in the plan or due to circumstances beyond their control. When this happens, we should not have the BC team in charge of fixing the problem themselves – as this could impinge on their independence of thought and their capability to remain focused on 100 per cent availability.

We then will need to have our disaster recovery (DR) team, whose remit is to pick up the pieces when the BC Team has failed.

What differences are there between the teams and can they be constituted from the same people? To answer the second part, no – each team must be separate and for very good reasons, which define the answer to the first part.

The BC team must assume that any failure is going to result in complete and utter mayhem and that the people in the team's jobs depend on nothing going wrong. For these people to have knowledge of the DR team's plans for getting back to a position of stability after a major failure could lead the BC team into complacency – after all, they would then know that should the problem arise, it can be recovered from. However, the DR team must have full, unfettered access to the BC team's plans, so that they can understand the whole picture.

The BC team is also responsible for identifying what problems and disasters could happen. They have sole responsibility for auditing the current environment and reporting on the areas where they see possible issues arising. The BC team then has to provide the full plans for what would be needed to stop this from becoming a major issue – and presenting this to the business for consideration. This includes the cost of stopping the issue from becoming a problem, whether this is through the use of redundant systems, data mirroring or whatever.

The DR team is responsible for carrying out risk analysis based on the BC team's reports. By its very nature, the BC team has to look at what the solution will be to the issue – no matter what the cost. The DR team has to look at what the cost to the business would be if the issue was allowed to happen. This has to include the probable hit not only to revenues from loss of trading but also the cost to the corporate brand and profile – which will require the help of the lines of business to come up with a reasonable idea of the overall cost.

The business can then make a simple comparison – if it costs €1m to stop the issue from becoming a major problem but recovering from the problem would only cost €100k, then the business can afford for 10 occurrences of the issue to happen. However, if it costs €100k to stop the issue which would cause a recovery cost of €1m, then the solution is better than the cure.

The issue that then comes to everyone's mind is that this duplicates effort and results in high costs. It shouldn't – and in actuality, all that this approach engenders is a formalising of what should be happening anyway.

We see few companies concentrating on suitable risk analysis for the issues they could come across and we see too many who are willing to 'take the risk' that a major, business-crippling occurrence won't happen to them.

However, in a world that is becoming less predictable, whether this be down to natural phenomena, acts of terrorism, hacker-based vandalism or competitive attacks, a solid approach to the issue is required.

At the end of the day, the same criteria should apply with BC/DR as with security – you are looking for the right level for your own needs. As with security - where you need to be able to understand what would be required to provide a fully secure, impregnable environment - with BC/DR you must understand what is involved with providing a fully available, 24x365 technical environment.

Then you need to be able to assess the risks and deal with those that are unacceptable and have contingencies in place for picking up the pieces after those risks that you deem acceptable have occurred.

Quocirca believes that a split team approach allows this to be done in an optimum manner, providing the means to a full BC/DR corporate policy that will rapidly pay for itself – not only in maintaining a capability to trade but also in ensuring that expense is minimised in attempting to deal with issues that would have minimal impact on the business.

Quocirca will be producing a full report based on the mobility research referred to in this article. Please email info@quocirca.com to register your interest in receiving a copy once it is available. More details of the EVUA may be found at www.evua.org.uk.

**Quocirca is a leading, user-facing analyst house known for its focus on the 'big picture'. For a full summary of its activities see www.quocirca.com, or reach the company's founding directors by emailing quocirca@silicon.com.

Also in this series: Through the Through the fog... Wireless email at work dilemmas Through the fog... Storage as a service Through the fog... Buying an application server Through the fog... Corporate content management Through the fog... Automated speech recognition Through the fog... Public Key Infrastructure Through the fog... Vendor-channel relationships Through the fog... What future photo messaging?

For Quocirca's 'What's the fuss about...?' series for silicon.com, see this page

And for their earlier 'Surviving the Recession' series, see this page.