Once you've put in the hard yards and implemented a disaster recovery and business continuity management infrastructure for your organisation, you may feel like you can rest on your laurels for a while. Unfortunately, this would not be conducive to an overall effective plan. In the final part of our Business Continuity Management Series, we will be looking at why it's important to keep exercising, maintaining and reviewing your plan.
The bottom line is that you can't be sure that your BC plan will work unless you actually test it. And even if your organisation and your managed BC provider pass the test with flying colours the first time, it's highly unlikely they will do so in six months' time. Our world changes incredibly quickly and organisations have to keep up. It's entirely possible that data that's incredibly important when you do all your planning is less important or no longer required in a matter of months. Just think of what would happen if your company sold or spun off a particular division.
Exercise And Not Just Technology
If your organisation has never done any DR/BC exercises it's a good idea to start small and work your way up. Taking down a server is a common but worthwhile scenario as your IT staff should be able to deal with it without issues. Then work your way up to even tougher scenarios:
- A malfunctioning network router brings down a large part of your whole network
- A software glitch causes a massive but intermittent network outage
- Your NAS/SAN infrastructure fails
- Malfunctioning air conditioning causes multiple critical servers to fail
Also think outside of technology. Consider a scenario where a potential epidemic/pandemic like SARS or H1N1 quarantines much of your workforce or a storm renders your building uninhabitable. The key is to try and make it as realistic as possible. Don't tell everyone there's going to be a drill sometime tomorrow, this week etc. If there are some really important meetings going on, perhaps block out those times but otherwise try to catch as many people as possible by surprise.
The other side of the coin is that it's essential the plans and other documentation comprising a DR/BC program are accurate and up to date, i.e. maintained. While it may not seem immediately obvious, many of the issues that tests and exercises highlight will flow from changes to the way the business functions, whether it's changes in staff, physical sites or technology. Put this way, DR/BCP maintenance is quite simply a change management program and should be run the same way as any other change management program.
Earlier in our Business Continuity Management series, when we covered developing BC strategies and plans, we discussed how it was vital that the focus was on the organisation, not on IT. A BC program is designed to fit into the organisation, not vice versa. This has the advantage of helping establish the value of BC to the organisation but conversely, the BC plan needs to be regularly reviewed and updated to make certain it is consistent with the goals and objectives of your organisation. If you continually exercise, maintain and review you can be confident that in the event of a disaster your organisation's 'time to data' will be as short as possible.
To find out more about any of the objectives we have covered in our Business Continuity Management series, don't hesitate to contact one of our helpful team members who will assist you with any queries.
Our previous post in the Business Continuity series looked at how to effectively implement a Disaster Recovery Plan including recovery point and recovery time objectives. However, with ever decreasing recovery time objectives for today's business-critical systems, many organisations find that outsourcing to a service provider offers a much more effective and economical DR/BC solution.
Outsourcing to a third party service provider gives businesses access to highly skilled technical staff and specialised infrastructure, among many other reliable and resilient benefits. So how do you choose the right managed DR/BC provider for your organisation? Here are some pointers to consider.
Follow A Process
If you're already using a managed service provider, the first question is to ask if it also provides business continuity services or has an established partner that does. The provider or the partner may well be able to layer BC services over the top of what you already have.
Even if the answer is yes, the next step is to work out how much DR/BC support is currently needed, how much you're likely to need in the future and how much it's costing you, i.e. benchmark your existing requirements. Summarising these requirements should give you a document that can be easily converted into a request for proposal (RFP) for potential managed DR/BC firms. If your organisation has minimal DR/BC capability it may be worth engaging an external consultant to help at this stage.
Experience Is Important
Outsourcing to a service provider will give your organisation access to highly skilled technical staff. This is beneficial to your business in a number of ways. Not only will staff have had expert training, they will also bring many years of experience to their roles. This will include ongoing training and certifications to stay abreast of the latest operating environments and technology combinations. They also have the time (that someone in-house may not) to meet the varying needs of many different customers and industries.
There are plenty of firms out there that know how to do managed DR/BC but it's important to ensure that those who are looking after your data are professionally trained. One way to find out is if their staff have professional accreditation from organisations such as DRI International, Business Continuity Institute (BCI) and the International Consortium for Organisational Resilience (ICOR).
If your company deals with change in its IT systems and processes, you will benefit from third party experience when it comes to re-engineering disaster recovery and business continuity plans. This may include helping to define interdependencies and distinguishing recovery and testing priorities for different data applications. In turn, this will help when making the most of new advances in information technology. Ensure that the provider you choose offers the flexibility to accommodate any changes in your recovery needs as part of your ongoing contract.
Find out more about our Data Centres and other services that can benefit your business by visiting our website.
In the previous post in the Business Continuity Management series we outlined the importance of implementing a disaster recovery plan for your business. If you haven't already implemented a disaster recovery plan, now is the time to take the leap. It's no secret that developing an effective disaster recovery plan for your business. Identifying business requirements, locating the data and mapping these findings against technology solutions can be difficult and time consuming but it's a crucial part of ensuring your business continuity, so let's get started.
DR is Only As Effective As Its Weakest Link
One of the primary challenges with disaster recovery is the number of links in the chain. Therefore it's vital to take an end-to-end perspective - DR is only as effective as its weakest link. You can't recover replicated data if servers and applications are not available and nothing gets done if the network or functions like name and directory services are still down.
Ensure Data Required by Critical Business Processes Is Safeguarded Against Loss
Another critical factor is the need to ensure the 'right' data is identified, safeguarded against loss, and made available in an acceptable recovery timeframe. Put simply, that's data required by critical business processes and necessary for recovery. It's easier said than done, however, as data is growing at an incredible rate - doubling annually in some organisations.
While a large proportion of this growth comes from replicated data, large program files and the trend for document files to have graphics, sound clips and other data objects embedded (enhanced data), the rest is new data. That includes e-mails and transaction entries in databases that are constantly being created and stored by end-users and automated systems. Add to this calculation the converse that a large proportion of data stored on hard disk drives is never referenced again.
Prioritise Data That Changes Often Over The Rarely Changing Data
What this means is that it's a great idea to really understand what you're seeking to recover. Even in an era of cheap hard drives some sort of de-duplication technology is advised, and then you need to prioritise the data that changes often over the data that changes rarely, if at all. The DR planning process should also include a prioritisation of applications based on business criticality, keeping in mind that what's business critical is not always obvious.
Recover Network Management Tools Before ERP Systems and Order Entry Applications
While ERP systems and order entry applications are definitely business critical, before those apps come back online applications such as voice mail, IP telephony, Blackberry Enterprise Server (or its equivalent), data backup servers, security and network monitoring and management tools all need to be in place. Just imagine trying to get your network up and running without your critical management tools!
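The recovery sequencing described above can be checked mechanically once each system has a documented set of dependencies and a recovery time objective. The sketch below is an added example, not part of the original post: it orders systems so that nothing is restored before what it depends on, and reports any system whose RTO cannot be met because of the chain beneath it. The service names, restore times and RTO values are constructed, and it assumes restores can run in parallel once dependencies are up.

```python
import heapq
from dataclasses import dataclass

@dataclass(frozen=True)
class Service:
    name: str
    restore_hours: float   # time to restore once all dependencies are up
    rto_hours: float       # recovery time objective assigned to the system
    depends_on: tuple = ()

def plan_recovery(services):
    """Return (order, ready_at, blocker) for a dependency-aware recovery."""
    by_name = {s.name: s for s in services}
    dependents = {s.name: [] for s in services}
    pending = {}
    for s in services:
        deps = set(s.depends_on)
        unknown = deps - set(by_name)
        if unknown:  # a dependency nobody documented is a gap in the plan
            raise ValueError(f"{s.name} depends on undocumented: {sorted(unknown)}")
        pending[s.name] = len(deps)
        for d in deps:
            dependents[d].append(s.name)

    # Kahn's algorithm; among restorable systems, tightest RTO goes first.
    ready = [(s.rto_hours, s.name) for s in services if pending[s.name] == 0]
    heapq.heapify(ready)
    order, ready_at, blocker = [], {}, {}
    while ready:
        _, name = heapq.heappop(ready)
        s = by_name[name]
        # The dependency that comes up last decides when this restore starts.
        last = max(s.depends_on, key=lambda d: ready_at[d], default=None)
        ready_at[name] = (ready_at[last] if last else 0.0) + s.restore_hours
        blocker[name] = last
        order.append(name)
        for child in dependents[name]:
            pending[child] -= 1
            if pending[child] == 0:
                heapq.heappush(ready, (by_name[child].rto_hours, child))
    if len(order) != len(services):
        stuck = sorted(set(by_name) - set(order))
        raise ValueError(f"circular dependency among: {stuck}")
    return order, ready_at, blocker

def rto_violations(services):
    """List (name, earliest_ready_hours, blocking_chain) for missed RTOs."""
    _, ready_at, blocker = plan_recovery(services)
    missed = []
    for s in services:
        if ready_at[s.name] > s.rto_hours:
            chain, node = [], s.name
            while node:  # walk back along the slowest dependency path
                chain.append(node)
                node = blocker[node]
            missed.append((s.name, ready_at[s.name], chain[::-1]))
    return missed

# Constructed sample inventory (values are illustrative assumptions).
SAMPLE = [
    Service("network", 2.0, 2.0),
    Service("name_directory", 1.0, 4.0, ("network",)),
    Service("backup_server", 1.5, 5.0, ("network", "name_directory")),
    Service("monitoring", 0.5, 4.0, ("network", "name_directory")),
    Service("erp", 3.0, 6.0, ("name_directory", "backup_server", "monitoring")),
    Service("order_entry", 1.0, 9.0, ("erp",)),
]

if __name__ == "__main__":
    order, ready_at, _ = plan_recovery(SAMPLE)
    for name in order:
        print(f"{name:15s} up at T+{ready_at[name]:.1f}h")
    for name, hours, chain in rto_violations(SAMPLE):
        print(f"RTO missed: {name} at T+{hours:.1f}h via {' -> '.join(chain)}")
```

In the sample, every supporting system meets its own objective, yet the ERP system misses its six-hour RTO because of the time consumed by the chain it sits on.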
Finally, when it comes to technology, while tape still has a place for archive, there really is no excuse for not going to disk-to-disk for DR. Preferably at a remote site but that's something we'll cover later in the series.
Find out why it's important to have disaster recovery protection in place in part five of our Business Continuity Management series, or for more information on business continuity visit our website.
In part four of our Business Continuity Management series, we focused on determining your business continuity management strategy. Now let's take a look at the importance of implementing a disaster recovery protection plan for your business.
Reflect for one moment on the implications of a complete data loss within your organisation. A data loss disaster could mean the end of information that is critical to your business practice including contact details, employee pay details, accounts payable/receivable, warehouse stock levels and that presentation you were in the office until 10pm working on.
According to the frequently cited Meta Group report IT Performance Engineering & Measurement Strategies: Quantifying Performance Loss, on average the costs incurred by businesses from server downtime and data loss are significant.
Costs Incurred Due to Server Downtime and Data Loss
The costs incurred from data loss and server downtime vary from industry to industry, but it's evident that they amount to significant business expense that's worth taking action against. You can review the annual costs incurred due to server downtime and data loss for major industries below:
- Energy $2.8 million
- Telecommunication $2.0 million
- Manufacturing $1.6 million
- Financial Institutions $1.4 million
- Information Technology $1.3 million
- Insurance $1.2 million
- Retail $1.1 million
- Pharmaceuticals $1.0 million
- Banking $996,000
Human Error Accounts for a Large Proportion of All Data Loss
At the most fundamental level, the purpose of business continuity planning (BCP) is ensuring your data is secure and accessible. While a company would find it challenging to survive if it shut down for a couple of weeks, as hundreds of Brisbane businesses did, it will most likely go under if its core data is lost irretrievably. There are industry-specific Australian legislative requirements around data retention that need to be complied with, and if your organisation has a US presence there's Sarbanes-Oxley, HIPAA and the Patriot Act.
In part 3 of our Business Continuity Management Series, we looked at the importance of conducting a Business Impact Analysis. Once you know how much it's going to cost the organisation if everything goes down, you can then start to assess your level of risk and develop a strategy accordingly. Determining your exposure is key. A consumer facing company which takes orders and sells physical items has far greater exposure than a professional services company whose product is basically in its employees' heads.
What Could Go Wrong?
Once the organisation's exposure has been established, the next step is quite simply to brainstorm. What could go wrong? Flood, fire, a major communications cable being cut, a major event locking the city down or a key supplier failure are all eminently foreseeable disasters.
Actual bombings are rare in Australia, but hoax bombs happen and still cause disruption. Another way of looking at this is by taking the 'all hazards approach' which focuses on outcomes; i.e. loss of infrastructure, loss of IT systems, reduced availability of staff or any combination of the above.
Such threats or hazards are known as business continuity incidents and the BCM strategy or strategies flow from each of those threats. Indeed, business continuity strategy can be presented as a flow chart - if this happens then what? Some business units, or their managers, may propose continuity strategies that are quite different from the rest of the organisation.
In some cases the cost may be high and business value low so budgets should relate to a particular business unit's significance to the organisation. A simple risk management/business value matrix can help inform these strategy decisions.
Get Everyone Involved
Designing an optimal business continuity strategy for a particular organisation can be done in a variety of ways - more brainstorming, workshops, focus groups, position papers or other techniques. It's a good idea to get everyone involved at all levels of the organisation as there is often a disconnect between how management thinks something works and how something actually works on the ground. Put simply, the 'strategy' is the key point in the business continuity lifecycle.
For many years the focal point of business continuity management strategies has been technology solutions and the biggest problem currently for the business continuity management team is being spoilt for choice. But it's important not to be blinded by technology; it's only as good as the plans, procedures and processes behind it.
Read more about how to conduct your Business Impact Analysis in part 3 of our blog series and for further solutions to your BCM plan, visit our website.
Process, Standards, Questionnaires and Buy-In
The BCM Institute's Wiki suggests the first thing to do is to understand the BIA process and then begin to collect data. However, there is one important immediate step that is required. If you're the IT manager, or even the CIO, you need to get buy-in from the board, the CEO and the rest of the C-Suite.
You're going to be asking line managers and business unit managers some searching questions about how they run their businesses and you need to know you've got the full backing of the board before you start the process.
Once you've got the management team on board, the next step is to prepare a questionnaire. These do not need to be done from scratch - various companies produce tools to build questionnaires. The best tools are compliant with, and help you comply with the ISO 27001 / ISO 22301 / BS 25999 business continuity standards.
Identify Critical Business Functions
What you're seeking to establish with the BIA questionnaire is which activities support Critical Business Functions (CBF). However, don't forget to consider the organisation as a whole with details such as:
- The records and documents you need every day
- The resources and equipment you need to operate
- The access you need to your premises
- The skills and knowledge your staff have that you need to run your business
- External stakeholders you rely on or who rely on you
- The legal obligations you are required to meet
- The impact of ceasing to perform critical business activities
- How long your business can survive without performing these activities
- What are the daily activities conducted in each area of my business?
- What are the long-term or ongoing activities performed by each area of my business?
- What are the potential losses if these business activities could not be provided?
- How long could each business activity be unavailable for (either completely or partially)
- Do these activities depend on any outside services or products?
- How important are the activities to my business? For example, on a scale of 1 to 5 (1 being the most important and 5 being the least important), where would each activity fall in relation to the rest of the business?
- Who owns that function?
- What is the impact of an outage to each activity / process across the organisation?
- What are the timescales where an outage begins to do serious damage to the organisation?
While it's important to identify CBFs, don't forget to document what's been identified: critical functions, critical applications and critical processes.
As part of your business impact analysis, you should also assign recovery time objectives to each activity to help determine your basic recovery requirements. Conversely, it's impossible to have infrastructure up all the time so ensure you define what can be regarded as tolerable downtime across the organisation.
Interdependencies and Resources
One of the more complicated tasks is determining all the various inter and intra-dependencies within the organisation whether it is software, hardware, processes or people. Records are critical for any business so you need to identify which ones will be vital for recovery.
Ascertain the organisation's continuity resources, internal and external, and provide them with information to determine or recommend recovery strategies. Then you can establish the human, technology and telephony resources that will be required over time to maintain business activities at an acceptable level and within the maximum tolerable period of disruption.
Business risks change all the time and as they evolve, so will the potential impacts. As a result, a BIA is not set in stone. You'll need to update your risk management plan in the future and at the same time you will also need to conduct a new business impact analysis.
Find out how to formulate a Business Continuity Checklist in part 2 of our blog series. Find out how Enterprise Data can help your organisation with Business Continuity Management.
In our previous post from the Business Continuity Management series, we discussed why having a Business Continuity framework in place is so important in keeping your core systems running no matter what. Once a business decides to formulate a business continuity plan, it will quickly find out there is a lot involved. Just as pilots have a checklist to run through before they even shut the doors of the aircraft, businesses need a checklist to help them make sure they are prepared for an unexpected disaster or event.
Many checklists are available on the Internet ranging from the Business Continuity Checklist that the Western Australian government has put together for SMEs through to AT&T’s example aimed at large enterprises. All of them work on the same principle: planning is divided up into several sections, and working through the checklist steps will help your business move methodically through the process.
Allocate preparedness planning to staff members
The first step is to simply ask what we would need to do if we had to respond to an unexpected catastrophic event. Right from the start, a person, or a group of people, need to take responsibility for preparedness planning. While IT will be a vital part of this group, Legal, HR, OH&S and other departments are also important.
The group needs to consider some critical questions including:
- What processes are mission critical?
- Who are the employees that are mission critical?
- What and where are the mission critical technology components?
- What service level will be aimed for?
- What are the regulatory issues?
- What is the cost of downtime versus mitigation?
Assess data that needs protecting
The next major step is to assess data and technology needs in the event of a complete failure. Look at the existing disaster recovery plan, assuming there is one. Has it been maintained? Does it work? How vulnerable is the organisation's infrastructure to natural and man-made disasters? Perform risk assessments on as many scenarios as possible and test your plans to see if they work.
Communicate your plan
Once a business continuity plan is in place, it needs to be communicated to employees, partners and other major stakeholders. Develop a contact plan detailing exactly who needs to be contacted and ensure mission-critical employees understand their role in the plan and also that they have backups.
Lastly, build into the plan coordination with external organisations such as the relevant tiers of government, building management and other business organisations.
Once an organisation has worked its way through this process, it’s well on the way to developing a business continuity management plan.
Everyone is familiar with the concept of disaster recovery (DR) but as business becomes increasingly globalised and moves at an ever-increasing pace, DR is no longer enough. In this 8-part blog series, we will be focusing on the importance of business continuity management (BCM), a framework that will quite simply keep your core systems running no matter what.
Large enterprises have been building resilient infrastructure with high-availability for decades. These distributed data centres are duplicated at different locations and data can be transferred from one site to another almost instantaneously. Though such infrastructure is part of the overall solution, BCM has moved past high availability IT, and is now all about keeping an enterprise running during disruptions.
While the cost of the technology has come down markedly in recent years, building such infrastructure is prohibitively expensive for all but the largest companies. The advent of Cloud storage is changing this situation rapidly by offering companies outsourced BCM infrastructure at a greatly reduced cost whilst increasing the level of data protection and the speed of recovery.
Although disaster recovery is all about backup, which is the responsibility of the IT department, BCM is a business-wide strategy based on as near to real time replicated data as is possible or affordable. It’s an enterprise wide approach that treats IT as a stakeholder, albeit an important one, rather than expecting it to be wholly responsible. BCM not only solves what is often a technology problem, but is actually essential to the business as outages can lead to significant damage to brand, reputation, business value and employee productivity.
Customers in Australia tend to be understanding, especially in the case of major natural disasters such as the Brisbane floods. Nevertheless, if a business is unable to operate for an extended period of time, its very survival is at stake.
During the Brisbane floods, 25% of businesses closed due to inundation or loss of power. On average those businesses were closed for eight days and 45% of businesses took more than two weeks to return to normal operations. The Chamber of Commerce and Industry Queensland (CCIQ) surveyed its members after the Brisbane floods and the total loss of earnings to date by survey respondents was $58.2 million.
Keeping in mind that those figures aren't taking into account productivity or asset losses, it’s easy to see why BCM is important.
How important is business continuity to your organisation?
If you’re looking for a business continuity solution, visit our website for more information.
With recent global events such as earthquakes, floods and other natural disasters, corporate and government priorities are quickly changing to being better prepared. It’s no longer a matter of ‘what if’ something happens, but more ‘when it happens, what do we do?’ This means organisations will need to take governance, risk and compliance (GRC) and Business Continuity Management (BCM) to a higher level, which EDC terms “Business Resilience”.
A recent survey was undertaken by the Victorian Government with analysis conducted by Enterprise Data Corporation (EDC) to benchmark the current state of business resilience and business continuity within government departments against global good practices.
The results indicated that the increased demand for power, combined with a spiraling increase in natural disasters, has made business resilience one of the top 10 risks faced by company boards and government executive management.
The survey also revealed that:
- Across 35 countries and 15 industry sectors, more than 90% of global organisations demonstrated an increase in events causing business disruptions.
- 58% of respondents in Australia stated that where Business Continuity Plans / Programs (BCP) have been developed, the plan is organisation-wide.
- 35% of Australian respondents also stated that the organisation has a clearly articulated and current Crisis Management Plan.
- 66% of respondents indicated that organisation wide BCM activities are well supported by senior management and are established priorities for the organisation.
- For the most recent business interruption, recovery objectives were completely met by 48% of respondents and service levels were completely maintained by 47% of respondents.
For more information about the survey results and analysis, please download the Business Resilience Whitepaper.
Your data centre plays a crucial role in the smooth running of your business operations. Having data centres located a safe distance away, with ample power and efficiency, is the foundation of all future data centre due diligence.
A reference checklist to reduce your risk when choosing a data centre is below:
- Is the data centre located outside the CBD radius of risk? The site must be more than 15km outside known danger zones (i.e. high density tall buildings, known danger zones and airports) to avoid common outages and congestion.
- Is the data centre reliant on CBD network grid? The site must not rely on the CBD network grid but still have clear line of sight to major locations for communications links.
- Does the data centre have access to multiple transportation corridors in the event of disaster affecting public transport? The site should be away from risk of traffic congestion or police barricades affecting nearby buildings and potential terrorist threats.
- Can the data centre provide on-site car parking for the duration of any disaster or disruption? The site must have easy access to ample car parking should there be a regional disaster with security car parking for staff working 24x7 for production or recovery.
- Is the data centre located on high ground to remove risk of flooding? The site must be on different geological foundations to the CBD ensuring no geological common fault lines to remove the risk of single points of failure that may be geologically induced.
- How long can the data centre site run with no external power to the building? The site must offer dual redundancy for UPS systems and back-up generators with N+1 configuration, to ensure ongoing power availability.
- Does the data centre provide 24x7 dual security? The site must provide 24x7 physical and automated security. Access to all areas must be controlled and monitored through the latest computer controlled security system.
- Does the data centre provide sufficient capacity for data, voice and people for extended outages? The site must have sufficient work place areas to accommodate voice, data and people simultaneously during extended outages.
- Is the data centre able to accommodate your future needs? The site must have ample power and cooling capacity for future expansion.
- Is the data centre Australian based? The site must be located within Australia, and 100% Australian owned and operated.
EDC’s data centres in Sydney and Melbourne are safely located outside the 15km CBD Radius of Risk. They are designed with ample space and power, and to ensure your business is operational 24x7.