Submitted by: Paul Moore MBCI
I remember a great quote by Sir John Harvey Jones, he said
The nicest thing about not planning is that failure comes as a complete surprise rather than being preceded by a period of worry and depression
This is still the approach many customers take when it comes to Disaster Recovery and Business Continuity. However, with high profile events over the last few years, along with new legislation, many customers are driving forward with projects to protect their business should an unplanned interruption occur.
As computing power gets ever more powerful and costs keep falling, in addition to the high availability of broadband network services, the time has never been better for customers to consider tackling this critical issue; but where do they start?
Do you want a Hot Site, Warm Recovery, Cold Space? Do you want Disaster Recovery or Business Continuity? Do you want A Mobile, Static or Business Recovery Centre? What do want you cover? How quickly do you need it? (once you ve decided what it is!). Etc, etc, etc ..
No wonder the customer is confused and ends up putting the exercise off. I spoke to a customer recently who had been subscribing to a Disaster Recover service for many years, only to find that when he needed the service it failed to work! This was because they had been focusing on a Disaster Recovery service, and not Business Continuity.
So what is the difference?
Disaster Recovery services tend to focus on the provision replacement resources. These are often provided on a shared subscription basis by specialist suppliers (hardware, network connections, office space, computer rooms, voice etc.). Business Continuity is exactly what is says on the tin; Business Continuity. In other words it provides continuity of business following an unplanned interruption. But there are many areas that need to be explored before a full Business Continuity Plan can be developed and tested.
The common steps that need to be taken are shown below.
Threat Assessment The very first step on any successful Business Continuity Plan is the Threat Assessment. If you don t know what you are trying to protect yourself against how can you possibly protect yourself?
Many customers find this exercise invaluable as it also highlights risks to their business that could be reduced, or in some cases removed all together: Therefore, prevention forms a very important part of the pre-planning phase. Any areas needing improvement should also be highlighted at this stage.
Many customers identify the more obvious threats such as bombs, air crashes etc, but many ignore the less obvious, such as non-physical disasters or environmental side effects such as bomb warnings, adverse weather conditions or loss of access to the building caused by a localised incident. How many customers are aware of what risk their neighbouring business pose? Do they house combustible or toxic materials? Would they attract attention of extremist groups? Could a localised incident prevent you from accessing your facility? If so, for how long?
Business Impact Review This is when it really gets down to the true impact on the business. One of the problems of constructing a successful Business Continuity Plan is balance: What do I want, and when do I want it? It is quite simple really, the quicker you want it the more is costs! To balance this, the customer has to review the real impact on his business of an outage (loss of revenue, loss of customers, impact on share price, legal requirements, cash flow protection etc.). Even if the impact is so severe the customer will find it very difficult to re-deploy their entire workforce to a recovery facility within very short timescales. Several emergency events in London have highlighted the impact on public transport and the road system (these were so severe that some customers found that they could not get their staff to a recovery facility!). Therefore it is essential that recovery options are priorities for short, medium and long term.
Resource Requirements Now we know what we want, and when we want it, it is possible to start looking at the Disaster Recover element of Business Continuity. Remember I mentioned short, medium and long term recovery? Well, this is where Hot, Warm and Cold come into the picture.
Hot Recovery is normally available in minutes. This service would utilise a complete live replacement service, at an alternative facility, with a suitable network connection in place. This would enable customers to transfer operations to the recovery system with minimum (sometimes zero) impact to the business. The obvious disadvantage of this is the cost.
Warm Recovery Although Hot Recovery is gaining in popularity, Warm Recovery is still by far the most common solution deployed. Warm services are usually based on a shared subscription (shared risk) basis, and are available within hours of invocation. Typically it would take up to 24 hours to have the systems up and running to support the business. Warm can be provided in several ways; ship-to-site, where the equipment is loaded onto the back of a van, delivered and installed on the customers site (obviously there has to be a site to deliver it to!). If the compute room was impacted by the outage the service could be delivered in a Mobile Recovery Facility (a computer room in a lorry). And if the site is not accessible at all a remote Recovery centre could be utilised.
Cold Solutions Although less common, cold space (empty office and computer facilities) can still be attractive for the medium term. Enabling customers to recover 50% to 80% of their operation via Hot or Warm options, and relocating within a few days or weeks to a suitable location.
Business Recovery Centres – Business Recovery Centres are located around the world and can help the customer streamline resumption of normal office-related business processes following a disaster. These facilities include up to a thousand desks equipped with PCs, phones, and computer rooms. They also offer meeting/board rooms, canteen and recreational facilities and even secretarial support, along with full telephone switch and communications capabilities including PABX/ACD, ISDN,ADSL, SDSL, MPLS and other networking connections.
Now it s just a simple matter of writing the plan and testing the recovery! And of course, looking at standards such as BS 25999; but that will have to wait until my next papers.
About the Author: Paul Moore is highly experienced Business Continuity professional accredited to the Business Continuity Institute at MBCI level; he has also recently been awarded the Lead Auditor’s Certificate from the BSI for the Business Continuity Management standard BS 25999.