Finding the right disaster recovery balance

Find teh answer to a pressing question for SMBs

Reader's Question: Our business would not have got off the ground if we had spent time worrying about what could go wrong. We don't want to lose what we have but also don't want to spend time and money on preparing for some unlikely future catastrophe. What is a sensible approach?

Base your expenditure on the profit you are protecting

Ann WoodGeneral manager ICT, BT Business

You are right to identify that there is a balance between the cost of protecting yourself against every conceivable eventuality and the risk of not protecting yourself at all.

The key to achieving this balance is to consider the disasters your business is most likely to face and then what you would need in place to keep trading in each scenario. What data or systems could you not do without? How would your customers contact you if the usual channels were not available? Remember, we are not just talking major catastrophe - a burst pipe can close a business down if it is above your server.

You do not have to implement everything at once, and there are a few steps which are now so cheap and easy to take that there is no reason not to get started. Online data back-up is a good example. For less than £10 a month, it offers a level of protection for your data which would be prohibitively expensive to host yourself.

To some extent, expenditure on resilience is an insurance policy against unlikely but potentially costly disasters - much like home contents insurance. So you can decide how much you are prepared to spend based on how much profit you are protecting.

But there are also ways of changing the way you operate which will benefit you day-to-day.

Enabling key people to work effectively from home using broadband technology, for example, will give you the usual efficiency benefits of flexible working, and could also be the one thing which enables you to keep trading if your head office is suddenly out of action.

Prioritise according to risk and probability of occurrence

Mike LucasRegional technology manager, Compuware

The mistake many businesses make is that they do not prioritise. First, you need to identify what technology is critical to your organisation. Then identify possible risks, assign probabilities of occurrence and then develop and prioritise countermeasures. If you use the ITIL framework, you can put your disaster recovery plan within an overall service context and it may highlight blind spots in your assessment.

When implementing your plan, you need to consider four recovery elements - data recovery, application recovery, infrastructure recovery and possible single points of failure such as staff and their knowledge. To minimise the risk of staff knowledge as a point of failure, you should base your systems on industry standards and beware of in-house development and software from small suppliers.

Finally, test regularly to ensure that any changes you have made have not undermined your recovery capability.

Keep everyone informed of your disaster recovery plans

Trevor LucasManaging director,TAL Computer Services

The sensible approach will depend on a number of factors, such as the industry you are in, where you are based in the country and how your business operates.

Some industries must have a disaster recovery plan in place in order to attain accreditation or membership of a governing body. Even without this motivator, it is good practice to have a plan that you can fall back on in the event of a disaster.

It is easy to assume that disaster planning is all about IT. In practice, this is only a small part of the overall problem. If your business mainly processes orders received on paper and you run a manual stock-management system, then spending time on what happens with the computers is probably not cost-effective. So, start with how your business operates and work through what the effect would be of losing certain parts of it.

During a disaster, you will still want to manage cash, so make sure you have information available to access bank accounts. If you are processing materials, it is important you can reassure your suppliers that they will get paid for what they supply after a disaster.

As far as technology is concerned, you should be taking tapes off the main site on a regular basis. These will be needed when you, or your supplier, restores the system. If your business cannot tolerate the delay while a system is rebuilt, then you need to consider online replication of data. This can be done by taking a snapshot of the system on a regular basis or as a hit-standby that users automatically failover to.

Remember, whatever plan you develop, others should be told about it and it must be reviewed and tested regularly.

Cost depends on the length of time you can be down for

Mike Hudd Technical director, Netcel

For now, you do not need to analyse and plan for endless scenarios and estimate their likelihood, but instead ask yourself a few key questions as to what would happen following an IT disaster:

  • How quickly must you resume the provision of services you are contracted to provide?
  • How long can you afford to pay staff (and overheads) if you have no income?
  • Would your customers wait for you to recover?

These questions are all time-related. The complexity of your disaster recovery solution needs to be directly related to the length of time you can afford your business to be down. Too long and you will be out of business.

You need to audit your business to understand what services you provide, then analyse what information/ infrastructure you require to provide each service and how long each service can be unavailable. You now know the minimum you need to plan for to keep yourself in business.

Next identify what steps and procedures would be required to replace each service. Involve your IT department and look at commercially available recovery solutions as well as all wider issues.

You can then prepare a disaster recovery plan with a number of core scenarios, such as fire, theft, flood, hardware failure, virus attack and so on, and work out which services are affected by each scenario. Disaster recovery plans cost time and money, but this is something you cannot afford to ignore.

Low-cost replication apps can give breathing space

Nigel Tozer Business technologist, Computer Associates UK

The best advice is to consider how long your business could survive without access to its data - then you need to look at solutions that will meet these recovery objectives, which you can balance against the cost of acquiring them.

As well as traditional back-up and disaster recovery options, there are low-cost replication products that can give you welcome breathing space while you try to fix your main servers. You also need to think about avoiding potential threats by making sure that you have good security against viruses and spyware that could compromise your data.

Choosing the right products will automate all of these and none of them should take up much of your time: you can even get them from one supplier on a single agreement.

What will take time is ensuring that you have a basic plan for server, communications or site loss, that your media is properly labelled, that you manage its off-site storage effectively and that you schedule a test restore regularly. Each test restore you miss is like an extra bullet in a game of Russian roulette.


BT Business,




TAL Computer Services

Read more on IT risk management