Companies cannot afford to be without key computer systems on which their businesses depend, yet 59% of firms that suffer a catastrophic disaster - fire, flood or earthquake - either never reopen or close within two years. Perhaps more significant is that companies that lose key computer systems for 10 days never recover financially, and 50% go out of business within five years.
Most recovery plans fail because they are largely developed in isolation because business units have a limited understanding of IT business continuity requirements. IT seems to be unable to convince business of the critical need for a unified continuity project.
Even more alarming is that most organisations have not even started work on business continuity and disaster recovery plans. Only 50% of large companies have a viable business continuity plan and 28% have only a disaster recovery plan. Of firms that do have a disaster recovery plan, only half are up-to-date and tested.
Companies need to appoint a business continuity planning "tsar" and business relationship manager who will formalise the process, integrating business, IT architecture, infrastructure planning, and building and IT operations.
However, for most companies, a more realistic approach will be to rely on IT for "pragmatic" survival in the event of a disaster. Under this model, more business managers will start to work with IT to develop business continuity plans.
Although IT should not take responsibility for business continuity, focusing on the following points will help to ensure that the most appropriate technology decisions are made:
- IT must be able to explain the options to business managers in business terms, highlighting the risk, insurance, and costs
- IT must show greater transparency in the cost of service and validate return on technology investment. It will need to establish and explain the levels of service and corresponding price points to business managers
- Over the next four years most large companies will consolidate their datacentres to either a single site (typically with a 72-hour recovery window) or for companies such as banks (recovery window of four to eight hours) two datacentres. IT managers must balance cost savings, technology usage, and business survival requirements
- IT needs to measure its performance from the user's perspective
- Make recovery easier by developing standard templates for recovery instead of starting from scratch each time. This is particularly important for firms with distributed infrastructure and applications
- Once an organisation has a disaster recovery/business continuity plan, it must be tested and reviewed regularly. IT needs to secure business support for testing since service may be lost or reduced during testing, and funding must be secured
- IT must continue to maintain responsibility for outsourced projects and ensure systems comply with the company's disaster recovery policies. The ability of third parties to provide adequate availability management and disaster recovery will be key
- Recovery plans must include gaining access to individuals with a critical role, such as password holders, networking specialists and administrators. Plans must prioritise reconnection to the system
- Although IT must rely on business managers to prioritise recovery procedures for critical business applications, it is important to develop plans for availability of basic business equipment, including computers, Lan, phones, e-mail, Web access
- As new and complex technologies are adopted, it is important that they are included in all plans since they may have a critical role to play in the way a company manages its recovery.
Rakesh Kumar is vice-president at Meta Group
Meta Group's report, Business Continuity and Disaster Recovery Planning is available to Computer Weekly readers at a 25% discount. Contact [email protected] com, tel: 01252-819494