Reader's Question: Our business would not have got off the
ground if we had spent time worrying about what could go wrong. We
don't want to lose what we have but also don't want to spend time
and money on preparing for some unlikely future catastrophe. What
is a sensible approach?
Base your expenditure on the profit you are
protecting
Ann WoodGeneral manager ICT, BT Business
You are right to identify that there is a balance between the cost
of protecting yourself against every conceivable eventuality and
the risk of not protecting yourself at all.
The key to achieving this balance is to consider the disasters your
business is most likely to face and then what you would need in
place to keep trading in each scenario. What data or systems could
you not do without? How would your customers contact you if the
usual channels were not available? Remember, we are not just
talking major catastrophe - a burst pipe can close a business down
if it is above your server.
You do not have to implement everything at once, and there are a
few steps which are now so cheap and easy to take that there is no
reason not to get started. Online data back-up is a good example.
For less than £10 a month, it offers a level of protection for your
data which would be prohibitively expensive to host yourself.
To some extent, expenditure on resilience is an insurance policy
against unlikely but potentially costly disasters - much like home
contents insurance. So you can decide how much you are prepared to
spend based on how much profit you are protecting.
But there are also ways of changing the way you operate which will
benefit you day-to-day.
Enabling key people to work effectively from home using broadband
technology, for example, will give you the usual efficiency
benefits of flexible working, and could also be the one thing which
enables you to keep trading if your head office is suddenly out of
action.
Prioritise according to risk and probability of
occurrence
Mike LucasRegional technology manager,
Compuware
The mistake many businesses make is that they do not prioritise.
First, you need to identify what technology is critical to your
organisation. Then identify possible risks, assign probabilities of
occurrence and then develop and prioritise countermeasures. If you
use the ITIL framework, you can put your disaster recovery plan
within an overall service context and it may highlight blind spots
in your assessment.
When implementing your plan, you need to consider four recovery
elements - data recovery, application recovery, infrastructure
recovery and possible single points of failure such as staff and
their knowledge. To minimise the risk of staff knowledge as a point
of failure, you should base your systems on industry standards and
beware of in-house development and software from small
suppliers.
Finally, test regularly to ensure that any changes you have made
have not undermined your recovery capability.
Keep everyone informed of your disaster recovery
plans
Trevor LucasManaging director,TAL Computer Services
The sensible approach will depend on a number of factors, such as
the industry you are in, where you are based in the country and how
your business operates.
Some industries must have a disaster recovery plan in place in
order to attain accreditation or membership of a governing body.
Even without this motivator, it is good practice to have a plan
that you can fall back on in the event of a disaster.
It is easy to assume that disaster planning is all about IT. In
practice, this is only a small part of the overall problem. If your
business mainly processes orders received on paper and you run a
manual stock-management system, then spending time on what happens
with the computers is probably not cost-effective. So, start with
how your business operates and work through what the effect would
be of losing certain parts of it.
During a disaster, you will still want to manage cash, so make sure
you have information available to access bank accounts. If you are
processing materials, it is important you can reassure your
suppliers that they will get paid for what they supply after a
disaster.
As far as technology is concerned, you should be taking tapes off
the main site on a regular basis. These will be needed when you, or
your supplier, restores the system. If your business cannot
tolerate the delay while a system is rebuilt, then you need to
consider online replication of data. This can be done by taking a
snapshot of the system on a regular basis or as a hit-standby that
users automatically failover to.
Remember, whatever plan you develop, others should be told about it
and it must be reviewed and tested regularly.
Cost depends on the length of time you can be down
for
Mike Hudd Technical director, Netcel
For now, you do not need to analyse and plan for endless scenarios
and estimate their likelihood, but instead ask yourself a few key
questions as to what would happen following an IT disaster:
- How quickly must you resume the provision of services you are
contracted to provide?
- How long can you afford to pay staff (and overheads) if you
have no income?
- Would your customers wait for you to recover?
These questions are all time-related. The complexity of your
disaster recovery solution needs to be directly related to the
length of time you can afford your business to be down. Too long
and you will be out of business.
You need to audit your business to understand what services you
provide, then analyse what information/ infrastructure you require
to provide each service and how long each service can be
unavailable. You now know the minimum you need to plan for to keep
yourself in business.
Next identify what steps and procedures would be required to
replace each service. Involve your IT department and look at
commercially available recovery solutions as well as all wider
issues.
You can then prepare a disaster recovery plan with a number of core
scenarios, such as fire, theft, flood, hardware failure, virus
attack and so on, and work out which services are affected by each
scenario. Disaster recovery plans cost time and money, but this is
something you cannot afford to ignore.
Low-cost replication apps can give breathing
space
Nigel Tozer Business technologist, Computer Associates
UK
The best advice is to consider how long your business could survive
without access to its data - then you need to look at solutions
that will meet these recovery objectives, which you can balance
against the cost of acquiring them.
As well as traditional back-up and disaster recovery options, there
are low-cost replication products that can give you welcome
breathing space while you try to fix your main servers. You also
need to think about avoiding potential threats by making sure that
you have good security against viruses and spyware that could
compromise your data.
Choosing the right products will automate all of these and none of
them should take up much of your time: you can even get them from
one supplier on a single agreement.
What will take time is ensuring that you have a basic plan for
server, communications or site loss, that your media is properly
labelled, that you manage its off-site storage effectively and that
you schedule a test restore regularly. Each test restore you miss
is like an extra bullet in a game of Russian roulette.
THE EXPERTS
BT Business,
www.bt.com/btbusiness
Compuware, www.compuware.co.uk
Microsoft, www.microsoft.com/uk
Netcel, www.netcel.com
TAL Computer
Services www.talcs.co.uk