UK businesses are increasingly aware of the need for disaster recovery (DR) – but simply testing DR plans more frequently misses the point. DR is not a stand-alone activity. Companies need to be constantly reviewing the strategy to ensure it keeps pace with business change, whilst also exploring all options of DR models. Ubiquitous reliance upon IT is changing attitudes; organisations should be focusing on risk management, risk avoidance and preventing disasters to potentially alleviate the investment in DR.
Business as Usual
2011 was not the easiest year for businesses. The social unrest and riots seen in many of our major cities and the harsher than normal winter weather were both examples of events that caused significant operational disruption and commercial losses for businesses.
If this was not enough to focus attention, the increasing concern about potential terrorist activities during the Olympics is prompting organisations to further review their disaster recovery and business continuity planning (DR/BCP) strategies.
In fact, UK businesses are more confident in their DR strategies, according to the Acronis Global Disaster Recovery Index 2012, with confidence growing 17%. Yet this confidence looks somewhat misplaced: UK businesses lost an average of £230,000 a year through system downtime according to Acronis, with some companies losing access to systems for up to ten days. And the UK slipped to 11th place in its league table, down from 10th place in 2011 – with Germany, the Netherlands, Japan and Hong Kong businesses topping the table.
Despite the growing awareness of risk, the reality is that UK disaster recovery budgets remained flat year on year in 2011, accounting for just 11% of IT spend. And there are huge questions to be asked about the value organisations are attaining from that spend.
Most organisations have some kind of DR strategy in place – with a cold, warm or hot standby. Many have DR regulatory requirements to meet. But does the current DR infrastructure actually reflect the business risks? Will it enable the organisation to recover fast enough in the event of a disaster? According to Acronis, 65% of companies reported they were testing disaster recovery plans more frequently than in the year before. But how many are proactively questioning the value being delivered?
DR models are evolving fast. Driven in part by the option to exploit cloud based data storage and systems, organisations are increasingly asking whether a stand-by site that is unused from one year to the next is really a justifiable investment. In contrast, real time replication, virtual server environments and Storage Area Networks make it far easier to run two locations in tandem. Both operate continuously to deliver business services, but one can automatically fail-over to the other in the event of a disaster.
This approach completely removes any concern that the DR system is no longer recoverable due to too many changes since the last test; that the backup could be corrupted or take too long to load; or that while invoking the DR plan may work fine, actually recovering back to business as usual will cause an array of problems. The result is not only a real time response to a potentially business threatening event but also the ability to manage maintenance without affecting system performance or requiring downtime.
It is, therefore, essential for organisations to undertake a robust risk assessment. How long can the business operate without systems running? What cost would the business incur – from lost sales to damaged reputation – in the event of a disaster? How long will it take to invoke the DR site and, critically, how long then to recover to business as usual?
There is also more to consider within the DR strategy than which model best suits the organisation. The location of a secondary site is critical; organisations need to consider the availability of communications, and ascertain the performance, security and experience of the provider.
And what about internal DR responsibility? Does the individual have the seniority required to gain the ear of the board and demonstrate the risk associated with system failure? And what happens when the person in charge of DR leaves? Is there a process in place to pass information over to the next incumbent?
Is DR a priority or is it continually postponed in the face of imminent client projects with pressing deadlines? And what is the situation if a disaster occurs? The organisation has no financial comeback against an employee.
One of the benefits of getting external advice is that many of these issues are overcome. An independent organisation’s risk analysis typically gains senior level commitment; whilst with a team working continually on the DR strategy there is no risk of lost information or of the strategy failing to evolve in line with business change.
Business reliance on IT has grown fundamentally in recent years. Today, few businesses can operate at all without email, Blackberry or EDMS systems. And with growing numbers of companies opting for VoIP, the phone system will also be compromised in the event of a disaster, leaving organisations completely vulnerable.
Many organisations, indeed, are making contingency plans to use social networks such as Twitter and Facebook to communicate with employees in the event of a major outage; yet, at the same time, the security team is increasingly pushing to constrain the use of such technologies to counter the growing trend towards business crippling viruses believed to derive from Facebook.
These issues highlight two key points. Firstly, DR/BCP cannot be considered in isolation: strategies must be continually evolved to ensure they reflect both business needs and evolving threats. Secondly, with the near ubiquitous reliance upon IT, the emphasis should be focused as much on disaster prevention as disaster recovery.