Tales of the unexpected

The recent violence in Lebanon is a tragic example of how quickly disaster can strike at the heart of not just civilian, but also business life. CEO Middle East guides you through how architecting a disaster recovery blueprint can enable your business to minimise downtime and rapidly recover crucial applications and data when a catastrophe occurs.

By Rich Armour, Dell. Published September 7, 2006

These days it is not enough merely to build great applications. Companies of all sizes and their CEOs have come to realise that essential components for success and longevity include high availability and easy recoverability for business-critical systems. This realisation has led to a focus on business continuity planning, which can help chief executives identify critical processes and technologies, maintain and recover functionality after a planned or unplanned event, and balance the risks and costs of disaster recovery. The sudden outbreak of violence in Lebanon, costing the economy close to US $400 million a day (AED 1.4 billion), goes to show just how quickly this can happen.

While most organisations are aware of the need to classify and tier data and applications, the following ten rules for disaster recovery planning go beyond the basics to help companies draft their own blueprints for effective business continuity and disaster recovery decisions.

Rule 1: Articulate the need in financial terms

It is no secret that business decisions should drive business continuity planning. The lack of an effective business continuity and disaster recovery plan can expose businesses to considerable financial risks. Aside from lost income, interrupted service can damage a company’s name. In addition, the disruption of service in regulated industries, such as finance and healthcare, increases the risk of legal liability. It is essential that CEOs determine and dedicate a monetary value to business continuity planning efforts to help ensure co-operation from other board members in the organisation. Additionally, companies should track financial progress as they move through the implementation of the business continuity plan. After all, the benefits of business continuity planning do not arrive en masse the day the organisation flips the switch on its new strategy.
Many disaster recovery benefits are associated with incremental steps to reduce the lead-time to recovery, and as organisations implement technologies and processes, this lead-time begins to decrease. In the end, by viewing the business continuity strategy in monetary terms and tracking financial progress over time, companies can align business continuity efforts with smart business decisions.

Rule 2: Use hard data to create a risk profile

Invite insurance companies to bring hard data to construct a risk profile that helps develop your business continuity plan. Insurance companies possess claims data that can tell businesses what the risks are in a given geographic area. In addition, they naturally want to help clients reduce risk. The use of hard claims data from insurance companies can offer valuable and sometimes surprising information. For example, one US manufacturer had concluded that its primary risk would be a catastrophic tornado, but learned from its insurance company that the primary threat to data centres in that region was likely to be fire.

Rule 3: Identify critical resources

Not all data is created equal, and the same holds true for applications. An effective business continuity planning process requires companies to undergo a rigorous analysis of business processes and functions and to identify the critical resources that require redundancy, backup, and recovery. Before companies can discuss the IT resources necessary to maintain business-critical processes, they must assess the impact of losing systems, paying particular attention to interdependencies that exist among systems. For example, a business-critical system may rely on input from another system that is not deemed critical in and of itself. It is crucial that the chief executive leads the discussion of critical processes before the IT side can define the technologies necessary to enable business continuity. A three-tier strategy is recommended for classifying data and applications.
For example, Class 1 systems may support business-critical processes, involving any service that directly interacts with the customer. By contrast, Class 2 systems may correlate to business-essential processes for which a 48-hour outage could begin to have a negative business impact. Class 3 systems may enable business-support processes, for which a temporary loss of service could be deemed non-critical. By classifying and defining processes, applications, and data along business-critical markers, companies and CEOs can help ensure that the appropriate investment is made to recover crucial systems first.

Rule 4: Think beyond the data centre

Many disaster recovery efforts are focused on keeping the data centre up and running; however, effective business continuity planning should reach beyond applications, data, and infrastructure considerations. For example, it does no good to have the data centre up and running if no provisions have been made to support people performing vital business functions. Of course, applications must be available, data must be accessible, and the network must be working, but by focusing on the data centre at the expense of essential business processes and infrastructure components, companies run the risk of turning robust data centre functionality into little more than a paper tiger.

Rule 5: Eliminate or mitigate single points of failure

A single point of failure occurs when there is no redundancy to compensate for a missing application, data, or infrastructure component. It may be an application or a database server, or a lone backup generator in a data centre, for example. Moreover, several single points of failure typically exist within an enterprise infrastructure. Consequently, companies should perform a specific and detailed single-point-of-failure analysis across the entire infrastructure. Doing so may reveal that a key component was missed when a data centre, or another form of disaster recovery system, was built.
In the end, performing a single-point-of-failure analysis may help prevent an organisation from having to entirely reconstitute business capabilities when a relatively minor component fails.

Rule 6: Assume that everything will fail

Often, when enterprises build a disaster recovery plan, they do so with the expectation that landlines, mobile phones, and the network will be available. Or they take for granted that the roads to the data centre will be accessible, assuming the data centre itself is still standing and the employees are capable of getting there. The best-laid plans for business continuity include the consideration that every key piece of internal and external infrastructure may fail, become unavailable for extended periods, or may even be destroyed. The correct operating assumption is that every vital piece of infrastructure is capable of failing, and all of them may go down at the same time. For that reason, the recovery plan itself should be stored on CD. Copies of the CD should be distributed across multiple teams. At least one copy must reside in each data centre, another copy should be kept in the IT operations centre, and one with the CEO. This way, if a disaster cripples phone services, internet availability, or transport infrastructure, an enterprise still has the capability to begin recovery.

Rule 7: Recognise potential vendor weaknesses

Critical vendors can significantly affect an enterprise’s capacity for disaster recovery. When putting together a business continuity plan, companies must evaluate their vendors’ own disaster recovery capabilities to understand how their vendors’ potential weaknesses may hinder their recovery efforts. For example, businesses that need to rapidly reconstitute systems that have been destroyed or damaged must ensure that their systems provider is able to respond quickly to get company business back online. Any unnecessary downtime is lost revenue and lost profits, and the clock is always ticking.
Organisations dealing with vendors that don’t have the ability to scale operations quickly in response to a regional disaster may face a significant bottleneck in hardware procurement that compromises disaster recovery capabilities.

Rule 8: Keep disaster recovery capability up-to-date

Disaster recovery capability can quickly become outdated. It must be maintained by a strong set of procedures and processes so it becomes part of an everyday implementation culture. Ensure it is as near to the top of the boardroom agenda as possible. As each new project or application is initiated, companies need to perform a priority analysis. If, for instance, a new application is deemed to support a Class 1 business process, then the application must be engineered with the appropriate recoverability and that capability must be maintained. As changes are made to applications, databases, and data centres, disaster recovery capabilities should also be updated.

Rule 9: Perform tests on a regular basis

Companies should never assume that their disaster recovery capability is actually working and operating effectively. Recovery processes should be tested on a quarterly basis. Aside from validating that recovery capabilities exist, quarterly tests help keep the business continuity plan in front of infrastructure and application teams, which helps encourage future development with business continuity in mind. Quarterly tests represent an important part of the effort to make disaster recovery part of every project and of the everyday implementation culture, from the chief executive officer down the company hierarchy.

Rule 10: Align recovery efforts with business objectives

Effective disaster recovery and business continuity planning depend on a CEO’s and his or her company’s ability to identify critical processes and technologies, to maintain and recover functionality after a planned or unplanned event, and to balance the risks with the costs of continuity efforts.
In turn, this effectiveness requires an alignment of business continuity planning with articulated business goals. To align business objectives with continuity efforts, companies must develop a risk profile based on hard data. Furthermore, the business side of the organisation should guide the development of the risk profile. By basing disaster recovery and business continuity efforts on business objectives and by refining these practices over time, organisations can develop a plan that not only pays dividends should an unfortunate event occur, but also helps organisations realise efficiencies in their day-to-day operations.
