What's Your Disaster Recovery Plan?
No matter what your industry, it’s a sure bet your company depends on information technology to automate, manage and analyze your strategy and operations. Whether you run an e-commerce company, a brokerage firm, a law firm or a publishing company, your ability to conduct your business is directly tied to the availability of your systems and your ability to access important data.
The problem is that IT infrastructures can be interrupted by many causes. There are natural disasters such as tornados, hurricanes, earthquakes and floods. Power outages and virus attacks also can interrupt the flow of information and pose serious threats to the success of your business.
Even the downtime caused by scheduled maintenance, such as installing patches to software, can cost your company a lot of money.
Some businesses meet that risk by investing in a disaster recovery solution. However, some experts warn that disaster recovery isn't enough.
Without a business continuity plan to accompany it, a disaster recovery plan "isn’t worth talking about, because these days a lot of companies that have an outage never recover from it," said David Michel, chief information officer of Burr & Forman, a law firm in Birmingham, Ala.
A disaster recovery plan entails the policies and procedures to get a business back up and running after planned or unplanned downtime. A business continuity plan is designed to keep your company up and running during downtime.
Michel, using his own field as an example, talked about the return on investment in a business continuity plan. "In legal, it’s pretty easy to justify an ROI for business continuity — and the same would apply to retail sales and other companies — because here we have attorneys and paralegals who are billing by the hour, so if there’s any downtime the company is losing money.
"It’s the same thing if a store is closed" because of downtime, he said. "You can’t sell anything."
Rebecca Wettemann, a vice president at the technology-advisory service Nucleus Research, said the challenge in trying to justify any security investment is that it’s not seen as a priority to the business until an interruption happens.
"It is important to strike the balance between 'The sky is falling' and there’s real business impact to downtime," she said.
CIOs have to recognize that just because a system is running doesn’t necessarily mean it’s functioning for users, "which is where we see companies looking at disaster recovery not just as a risk management tool but as application-performance management," Wettemann said.
She added that the impact of planned and unplanned downtime varies widely by industry.
"Obviously downtime for a brokerage firm has much greater impact than for a manufacturer," she said. "There are financial people who are buying insurance for different risks on the business and there are actuarial tables to help them to define that risk. It’s valuable for CIOs to sit down with those folks to understand what the value of an expected loss would be for their industries — because what you’re really doing with disaster recovery is buying insurance."
CIOs should understand the effects of both planned and unplanned downtime before they speak to their company's financial people about disaster recovery, she said.
"CIOs should be talking about the impact to the business," she said. "They should be talking about the number of events on the planned downtime side, the cost of each event, and the time they expect systems to be down once a month without disaster recovery. For example, say: 'We’re going to have 12 hours of planned downtime, and the cost of that 12 hours will be X either in terms of productivity, lost transactions or whatever the impact to the business will be. Disaster recovery will reduce that by X percentage.'"
Wettemann said companies that have disaster recovery policies and procedures can more quickly address issues concerning planned downtime and can enable users to access applications while upgrades are taking place.
Michel said it's pretty easy for companies today to institute a disaster recovery plan and a business continuity plan.
"There are a lot of different products that have native facets of business continuity built in, where you’re not paying any additional for them and you can use them as conduits to having a more robust system, should that be required," he said.
Michel agreed that CIOs should talk in terms of what the business understands: money.
"Talk about how much downtime costs your company, rather than the technology," he said.