It’s on a “need to know” basis, and I need to know!
It is a universal truth that business continuity in some form should be considered by every company. What is critical to the continuance of your business? Clearly, the most important element without which a company could not function is people. But what do you need next? Is it the IT systems, networks, Internet access, email or data?
It is my opinion that access to data is becoming a 24/7 necessity. Imagine the branch of a bank that suffers a fire. The vaults where hard cash is stored are reduced to cinders. However, this is of no lasting consequence to customers, revenues, credibility and stock value, as long as the data regarding this hard cash is secure and available. This is an extreme example, but it demonstrates how information can be the most valuable asset, after people, that a company can own.
Traditional disaster recovery methods are intended to protect data. What companies really need today, though, is to keep their businesses running no matter what. To achieve that goal, they need to think in terms of information availability.
It Won't Happen to Me
A surprisingly large number of companies either have no recovery plan or an extremely rudimentary plan that consists of tape backups stored offsite (frequently in someone's handbag or briefcase). Of those that do have plans, one industry survey found that only 60 percent have ever tested them to make sure they'll work. Companies are still under the impression that disasters won't happen to them. They might not, if you define disasters as floods, fires or grand-scale destructive incidents.
Today however, advances in technology have allowed clients to have systems back up in hours - effectively shortening a company's recovery window. Shortening the recovery window expands the definition of disaster. A power failure or hardware fault may well befall a data server; in fact SunGard's figures show that nearly 40 percent of invocations of a business continuity plan are due to power failures and hardware faults (invocation figures for 2001 before September 11).
In the current market, where customer promiscuity is high and any fault could result in the loss of an account, separating employees or customers from the information they need for any length of time could be defined as a "disaster." Therefore businesses are moving to protect the flow of information through their organization.
How Soon Do You Want It?
SunGard suggests that firms firstly run a business impact analysis (BIA) to define the plan. It questions the company to find out what is needed first in the event of an interruption. How soon do you need applications functional again? If your building is unavailable but your data is available, where are you going to go to retrieve it?
When a company begins its business continuity plan, the team must decide on the recovery time objective (RTO) and the recovery point objective (RPO) for every application in the business.
It may be that the business continuity team decides that some functions can have a long RTO - for example, a marketing department may not be critical to the short-term continuance of the business and could be "on hold" for a week without damage to the company's reputation. However, access to incoming email and telephone calls may be necessary immediately for the customer services team so that the customers remain reassured that this particular supplier is still functioning, and business can continue.
The trend which we are noticing is the constant reduction in RPOs, where it is becoming ever more critical to have constant access to data. Firms are requesting offsite, automatic failsafe systems that never go down, for applications that are key to day-to-day business operations.
An example of this is a call center representative who takes a request from a customer in the morning and logs it onto the system. At lunchtime, the database servers go down. There is a business continuity plan and they are recovered. However, later that day the customer calls back to confirm his order - and because the data was only backed up the previous evening, the details of the conversation are lost, the customer is frustrated, and buys from another firm which has retained his details. Multiply this by thousands of calls in a motor insurance firm, for example, and you are looking at potentially thousands of pounds of loss.
A BIA leads to a business continuity and information availability plan which is unique for every business. Solutions will depend on the importance and criticality of the information and the type of business involved.
Firstly, plans need to be in place to support the employees if their work area is unavailable. There are a number of ways to deal with this - a firm may decide to lease and manage a redundant facility "just in case." It may find it more cost-effective to contract with a third-party provider with proven expertise, secure, redundant, nearby facilities and fully equipped workstations for staff.
When it comes to the IT applications and systems, the required RTO and RPO for each piece of the network will be planned for in its business continuity solutions. A personnel database, for example, could have on-site back-up with tapes, while the actual data or communications servers on-site could be protected with UPSs and a dual power supply.
For more critical applications such as the CRM database a real-time mirroring server system in a separate location may be necessary. This means that in the case of a power outage the call center staff can still access the real-time data. Web sites may need to be load-balanced, with geographically separate servers ensuring constant availability for customers wishing to book online.
Do-it-yourself, Outsource... or Both?
Outside planning professionals can be invaluable in evaluating requirements and determining the most effective information availability solutions. Planning professionals can assess the big picture from an objective perspective; help develop detailed plans that address information, infrastructure and people requirements; and most important, help test the plans regularly to make sure they work. They can also anticipate future needs, and update plans and systems as technology and business requirements change.
In the 24/7 world it is imperative that businesses understand and act on the differences between more traditional disaster recovery and information availability. That's why information-driven organizations need to think beyond tape backups and onsite backup servers to high availability and continuous availability technologies coupled with alternative work facilities that can ensure rapidly restored or uninterrupted business operations.
Information availability can be simply defined as keeping people and information connected. To achieve information availability across the enterprise, companies have to address three critical components: people, information and the infrastructure that connects them. After all, information without people isn't very useful, and neither are people without information.
Keith Tilley is responsible for SunGard Availability Services' (www.sungard.com/availability) business across Europe, including day-to-day profit and loss accounts and all aspects of sales, marketing and delivery as well as development.