Everyone knows that organizations run on IT, and that should the IT go down, the organization is at risk of following it - right down the drain. There is no greater risk to an organization.
Or is there?
A recent survey of 100 British risk managers by insurance brokers Marsh & McLennan asked the respondents to list the "key risk issues" facing their companies today. These were companies with turnovers exceeding $600 million, so any risks they faced had the potential to cause significant damage. Perhaps surprisingly, the number one item was government policy and legislation. This was followed by competitors' actions, employer's liability for employees, and fourth on the list was business interruption and continuity. IT and computers came eighth on the list, and the current hot button in political circles, terrorism, came in an unlucky 13th.
Despite business continuity's apparently low ranking, when respondents were asked which areas of risk management (RM) were key to their organization, the number one answer - mentioned by almost three-quarters of the survey group - was business continuity management.
In other words, notwithstanding the fact that they were not seen as top-of-the-list risk factors, business continuity and, by implication, its brother-in-arms IT support, were the key area of RM activity. A high profile does not necessarily rely on perceived high risk.
How you actually approach disaster recovery and institute measures to ensure business continuity is another matter, and like all things in storage, there are opinions all over the place.
Risks and Likelihoods
Craig Tamlin, Australia/New Zealand country manager for Quantum, describes the "poor man's disaster recovery": make a copy of your backup tapes, keep one in the office for immediate needs, and put one off-site for protection against fire and so on. "This saves the hassle of going to the off-site to retrieve a tape if you need to check something. This system is useful when telecoms links are too expensive."
Richard Giddey, A/NZ country manager of Exabyte, agrees that "off-site storage is a good measure", quoting US legislation - with September 11, 2001 definitely in mind - that requires off-site storage to be at least 100 kilometres away from a central business district.
On the other hand, Garry Barker, chairman of the local branch of the Storage Networking Industry Association (SNIA), relates the advice given to a manufacturing plant that asked how far away a secondary backup site should be. No more than five kilometres, he said, explaining that if your plant goes up, it does not matter much how far away your data is; it will not do you much good. So you might as well have it close at hand for faster retrieval following more mundane events.
Different data requires different solutions, he says, pointing out that there are two issues that need to be considered:
- Recovery time objective, which is how long you can afford to be down
- Recovery point objective, or how much data you can afford to lose.
"These questions will decide the technologies you choose," Barker says. "Look for redundancy, low fault tolerance, server clusters and systems that operate automatically rather than relying on people."
You should also consider what exactly has priority in a disaster recovery scenario.
"Large enterprises have instituted disaster recovery for top-end vital systems," Wyman says, quickly adding, however, that many have not done so for all systems. He says that many organizations consider that disaster recovery for all systems is too expensive, too complex, with too much infrastructure, and too difficult to manage on a daily basis for network administrators.
"Disaster recovery is an insurance policy for organizations, but everyone hates paying for insurance unless it can be simplified and made less expensive." Nonetheless, he insists that disaster recovery is "a core component of providing IT services to an organization", noting that "a server will fail more often than a building falls down or an earthquake hits Australia".
And that is the crux of the matter, particularly when considering an all-encompassing risk management approach to disaster recovery and business continuity. There are risks, and then there are likelihoods.
"You need to be selective," Wyman says. "In most organizations, IT selects what gets backed up. But they're not always aware of the business issues."
Barker agrees. "Not every industry has to have a secondary site, although finance certainly does. A lot of IT architects don't understand the business issues, and a lot of users don't understand IT." Thereby hangs the perennial issue of aligning IT and the business, whichever side of the fence you sit on.
Overall, though, you will need to appreciate that there is no one answer to all of the questions; even the questions are very different.
"Business continuity is about not going down," Barker says. "Disaster recovery is about getting back up. These are different technologies and issues. They need to be thought about as different things, and then brought together under a risk management regime."