Business continuity is no longer just an issue for the IT department, as regulators in both the US and Europe are getting tougher on operational risk.
For example, the forthcoming Basel II (an international framework) will require banks to develop plans that protect their IT systems and other business assets by putting aside a certain amount of capital according to their individual financial risk. The Financial Services Authority (FSA) will also be publishing business continuity guidelines for the UK's financial companies in 2004.
While neither of these guidelines is mandatory, investors will require that financial services firms meet regulatory suggestions, and companies outside the finance sector will not escape the regulators either.
The increase in commercial regulation now means that in many cases both private and public sector organisations must start thinking about their business continuity provision. In many cases not even the simplest issue, effective backup, will have been addressed, yet firms will increasingly be asked to demonstrate not simply that tape backups are being made every day, but also that the data on them is recoverable.
Despite this, many directors continue to run their business as if they were driving a car without an MOT: because they have no knowledge of whether the backups are completing correctly or not, they assume they don't have to do anything about it. It is therefore up to the IT manager and other operations staff to communicate any backup failures to management, or the company risks failing to satisfy regulatory requirements.
If backups consistently fail, the situation has to be addressed, and this responsibility needs to be shared across the enterprise. Ultimately, however, directors are accountable for the future continuity of the business and must satisfy themselves that backups are completing correctly.
Backups are particularly crucial in light of the Data Protection Act, which affects all businesses in the UK. Also, different industries have different regulatory and legislative requirements as to the number of years for which they have to keep data. Court cases can and have been lost if, for example, emails containing vital evidence are unrecoverable. As more and more information is solely stored electronically, backups are becoming truly critical.
As all industries rely more heavily on technology, issues such as these are no longer the preserve of the finance sector. Hospitals are now managing electronic patient records; schools and colleges rely on IT to manage course results; even sales forces rely on IT to report on actual and projected sales so that boardroom decisions can be taken on the future of the business. All of these business sectors and job functions rely on electronically stored records, risking regulatory fines, business losses and damage to reputations if the correct information cannot be accessed on demand. At the most basic level, therefore, they need to ensure their backups are in order at all times.
Time is money
When a company suffers an interruption, be it from a hardware failure, a power outage or a natural disaster, the amount of time before this interruption is deemed 'disastrous' is decreasing as businesses become more and more reliant on electronic data. In business continuity planning terms this is referred to as the RTO (Recovery Time Objective) and measures how quickly a company needs its data restored. If a company needs to restore a file, it may need the data in a matter of minutes, not within half a day or a couple of days, as used to be the case.
Companies need to be confident that they can restore data from tapes within an appropriate timescale, and in a practical fashion. Increasingly, time is money if the business can't access critical data. Very often in the event of a disaster there are quite specific requirements as regards the data files that are needed immediately, whilst other files can be recovered in more moderate timeframes. This is why solutions such as SunGard's Vaulting Services allow companies both to prioritise backup processes and to search on a file-by-file basis to restore essential items individually, as well as restoring entire systems if necessary.
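The two points above, that a backup is only worth anything if the data on it is actually recoverable and that the restore has to complete inside the RTO, can be turned into a routine restore drill. The following is an added example, not SunGard's code or anything from the original article: it writes a few constructed sample records, takes a "nightly" tar backup, restores it into scratch space, checks every live file against the restore by hash, and reports whether the restore was complete and whether it finished inside the RTO. The sample file names, contents and the 5-second RTO are assumptions.

```python
import hashlib, tarfile, tempfile, time
from pathlib import Path

# Constructed sample records (an assumption; stand-ins for real business data).
SAMPLE_FILES = {
    "ledger/2003-q4.csv": b"account,amount\n1001,250.00\n1002,-75.50\n",
    "mail/board-minutes.eml": b"Subject: Board minutes\n\nBudget approved.\n",
}

def sha256_of(path):  # files here are small, so hashing the whole content at once is fine
    return hashlib.sha256(path.read_bytes()).hexdigest()

def write_file(root, rel, data, manifest):  # write one record and note its hash in the live manifest
    p = root / rel
    p.parent.mkdir(parents=True, exist_ok=True)
    p.write_bytes(data)
    manifest[rel] = sha256_of(p)

def make_backup(src, archive):  # the "nightly tape": a compressed tar of the live tree
    with tarfile.open(str(archive), "w:gz") as tar:
        tar.add(str(src), arcname=".")

def verify_restore(archive, manifest, rto_seconds):
    """Restore into scratch space, check each live record against it, and time it against the RTO."""
    start = time.monotonic()
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(str(archive), "r:gz") as tar:
            tar.extractall(scratch)
        problems = []
        for rel, expected in manifest.items():
            p = Path(scratch) / rel
            if not p.is_file():
                problems.append("missing: " + rel)
            elif sha256_of(p) != expected:
                problems.append("corrupt: " + rel)
    elapsed = time.monotonic() - start
    return {"recoverable": not problems, "within_rto": elapsed <= rto_seconds,
            "elapsed_s": round(elapsed, 3), "problems": problems}

def run_drill(rto_seconds, change_after_backup=False):
    """Full drill: write records, back up, optionally add a record the backup missed, then verify."""
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        live, manifest = work / "live", {}
        for rel, data in SAMPLE_FILES.items():
            write_file(live, rel, data, manifest)
        make_backup(live, work / "nightly.tar.gz")
        if change_after_backup:  # data written after last night's run is not on the tape
            write_file(live, "ledger/2004-q1.csv", b"account,amount\n1001,10.00\n", manifest)
        return verify_restore(work / "nightly.tar.gz", manifest, rto_seconds)
```

The report returned by `run_drill` is the kind of evidence management can be shown: `recoverable` is false as soon as one live record is missing from or differs on the restored copy, and `within_rto` is false when the restore took longer than the objective.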
Back to regulation: every company should be able to answer the question "What is your data retention policy?". All organisations should have a policy and procedures in place for retaining, archiving and deleting information that will protect the business against potential litigation. For example, the Hutton inquiry has recently raised issues about email retention and release into the public domain. If a company is ever sued, litigation firms can ask for backup tapes to be made available so that data required for the case can be found. A comprehensive and well-managed data retention policy eases the burden on the business in such circumstances.
As all businesses in the UK become increasingly reliant on IT, both for business processes and for communication, the backup potholes become evident as industries attempt to introduce regulation. Many still don't have what most business continuity professionals would consider the basics in place. What is assumed to be a simple backup process can land a company in hot water if it is later discovered that it was failing. Making that discovery is essentially 'shutting the stable door after the horse has bolted', and it will be too late for many companies, which may be sued by customers or fined by regulatory bodies for failing to comply.
The simple answer is to look at what the regulations and guidelines are and implement a backup strategy that includes stringent policies and procedures. It is not a complex process if done correctly and can avoid a lot of commercial pain if it's sorted out now and not left in the hope 'it will never happen to me'. The very nature of disaster is its unpredictability.
Peter Hough is Vaulting Services Manager at SunGard Availability Services.