In an ideal world, every company would have a dedicated recovery center to ensure information availability 24/7/365. It is the ultimate defense against unforeseen circumstances that affect critical business functions.
However, the cost of building and maintaining a dedicated center that remains empty for 99 per cent of the time is usually prohibitive, so companies often seek shared resources provided by third-party suppliers.
By early next year, there will be another issue to consider - at least in the financial services industry. New regulations in the U.K. are likely to place restrictions on the number of companies using shared resources and impose limitations on the distance between the primary site of business and the recovery center. How can a company make sense of the options on offer, and ensure that it is ready for the regulators?
Apart from guaranteed availability in the event of a disaster, there are a number of other advantages associated with having a dedicated facility:
- It could enable faster recovery than a shared facility because the infrastructure will already be configured to the company's specific needs. In the event of an invocation, work at the alternate site could commence as soon as staff arrived.
- Companies can choose exactly where to locate a recovery facility, whereas those using a third party may have to choose from a limited number of sites. The recovery facility can therefore be close enough to the primary site for staff to access on a daily basis if necessary.
- A dedicated center can be used for other purposes, such as training or as a temporary overflow.
- It may simply be a good use for an otherwise redundant building, which a company does not want to, or cannot, dispose of.
Yet maintaining such a facility can be too expensive for the average firm to justify. The set-up costs are just the initial outlay. There is also an array of ongoing costs to cope with, including rent, rates, service charges and permanent staff. It is also essential to keep the IT infrastructure at the recovery center up to date to avoid any incompatibility issues in the event of an invocation. Therefore, when a technology upgrade is carried out at the primary site, the same upgrade has to be replicated at the recovery site.
There are also disadvantages in using a dedicated facility, which may not be considered by the company at the outset:
- There is a risk of losing the facility if and when the organization decides to cut costs across the board. Equally, following a merger, acquisition or even organic growth, the recovery facility may not have the capacity to accommodate the extra staff, and an additional center may have to be built.
- The location may be inconvenient if a company has more than one office. If a British company has branches in London, Manchester and Glasgow, it's not easy to decide where a dedicated recovery facility should be.
- Specialist staff are needed to run the facility when it is invoked, and it is often unfeasible to keep this type of personnel on a full-time salary. In practice, companies with a dedicated facility often find themselves with insufficient and inexperienced staff at the critical moment.
The Financial Services Authority (FSA) in the U.K., which regulates the finance and insurance sectors, is already working on new regulations to ensure that companies operating in these sectors have adequate business continuity plans in place. The FSA is likely to place certain restrictions on the use of shared resources, such as limiting the number of customers that can use a particular facility. This is a significant business issue, as some business continuity companies will not provide alternative arrangements in the event of two invocations in the same area, although this is not the case for all of them.
Such limitations may cause companies to consider a part-dedicated, part-shared arrangement, whereby the most mission-critical business functions rely on dedicated recovery space, either at the company's own site or at that of a third-party provider. The less critical business functions would then be allocated shared space. For example, an investment bank would want its trading floor up and running as soon as possible and would not want to take on the risk of a shared facility, but the human resources and marketing departments within the same bank would not need dedicated space. This type of arrangement allows for more flexibility in terms of company growth and changing priorities and does not rule out a wholly dedicated solution further down the line.
U.K. companies should be grateful that the FSA is not taking the prescriptive approach taken by the U.S. authorities in the wake of the September 11 atrocities. Financial institutions that have already built dedicated centers within a certain distance of Wall Street will have to re-build further out. The FSA, on the other hand, has taken a risk management approach, and it is up to each company to ensure that its individual risks are covered.
Regulators in other industries in the U.K. are likely to jump on the business continuity bandwagon and impose similar limitations on other industry sectors. The telecommunications sector is one possible candidate, given that virtually all businesses depend on a reliable communications infrastructure. This, combined with a general lack of confidence in this area and a negative financial outlook, could easily lead to business continuity regulations being introduced.
In any case, increasing reliance on information held on company systems to conduct business operations - whatever form these systems may take (mainframe, PC, laptop, mobile or PDA) - means that every company should be exploring options to ensure survival in the face of interruption. Keeping people and information connected - information availability - is the key to business survival: whether the route to ensuring this requires dedicated facilities or not, it certainly requires dedication!
Andrew Waterston is product development manager for SunGard (www.sungard.com).