If it seems that the world has become a more dangerous place for sensitive organizational data over the past five years, that's probably because it has. As natural disasters, terrorism, disease and social unrest have threatened to affect staffing in various parts of the globe, the business continuity plans of many organizations have had to become heavy on the disaster recovery side.
Such safeguards become critical when companies extend their data infrastructures overseas. Catastrophic events such as the 2001 terrorist attacks in the U.S. have forced IT managers to make disaster recovery a priority. At Advance Transformer, a U.S.-based lighting manufacturer, and a division of Philips Electronics North America, the attacks were a wake-up call, says CIO Julius Tomei.
"The federal government shut down airports and closed borders, which imparted to us, like all companies, the importance of disaster recovery," he says.
Tomei isn't alone. In a November 2005 survey, Gartner found that North American IT managers are more than redoubling their data backup and replication processes, in large part because of natural disasters such as last year's Hurricane Katrina in the U.S. Other global threats to business operations, such as the December 2004 Asian tsunami and the SARS epidemic in 2003, got the attention of disaster recovery planners as well.
In 1999, Advance, which has engineering and manufacturing facilities in the U.S., Mexico, Southeast Asia, the Netherlands and Brazil, contracted Hewlett-Packard to provide business continuity services, including disaster recovery. HP set up a data recovery center, currently located in Pennsylvania, that replicates the hardware and software in Advance's Rosemont data center, creating a "low-level layer of our environment," says Tomei.
Twice annually, Advance tests its disaster recovery infrastructure and processes by running its Unix applications in the HP service center. For ongoing data backup, Tomei works with IT staffers at outlying global locations to determine which data should be transferred to the central data center and how often.
Who owns business continuity?
When an organization's IT infrastructure extends across national borders, business continuity plans grow more complex. Staff management, local regulations and the location of data centers all come into play in a global company's business continuity plan.
First and foremost, management must decide how to coordinate a business continuity plan infrastructure -- not just hardware and software, but also employees who might be affected by disasters. IT assets and data may be geographically scattered, but someone still has to be in charge of the plan, and that person shouldn't be the CIO, says Dan Bailey, senior manager at Protiviti, a U.S.-based consulting firm.
"Thinking about disaster recovery on the level of a CIO is certainly appropriate. But if disaster recovery in its own right is strictly an IT function, you're only recovering all of IT. You're not recovering HR, accounting and other departmental applications," says Bailey. "From a global perspective, for overall crisis management and business recovery, all the potential impact is on the business side."
For that reason, managers in financial or operations departments can be more effective leaders, because those are the areas of business that get affected by data disruptions. "[Business continuity plan] ownership is very ineffective from IT," Bailey says.
At The AES Corp., a US$9.5 billion global energy firm, IT managers are implementing companywide business-continuity standards to ensure that power generation and distribution facilities located in far-flung places such as Cameroon, Pakistan and Panama stay up and running during a crisis.