According to the META Group, only 20% of Global 2000 organizations have business continuity plans in place that are effective enough to ensure a strong likelihood of survival—one without lasting adverse effects—in the event of a disaster or system failure.
The reality is that much of the critical data end users depend on is not being properly backed up, and it isn't quickly or easily recoverable. For those who have implemented business continuity plans—or think that they have—risk assessment, management, and testing are often trouble spots.
So, what should you do? How do you implement an effective business continuity plan (to be distinguished from a disaster-recovery plan)? Should all data be treated equally? What types of technologies should you implement, and when? And how do you get upper management buy-in when IT dollars are tight?
These are just a few of the questions the InfoStor special series, "Business Continuity Planning: The lifeline of forward-looking organizations," will address over the coming months. If you have a particular question about developing, implementing, or testing a business continuity plan at your organization, drop me an e-mail at firstname.lastname@example.org. One of our business continuity experts will gladly field your questions.
By Heidi Biggar
When InfoStor polled its readers about their business continuity preparedness, we were somewhat surprised to find that the majority of respondents said they had a plan in place and tested it regularly (i.e., at least once a year).
In fact, 72% of the survey respondents said their organizations had implemented a business continuity plan, and 77% of those respondents said they tested the plans at least once a year (see figure on p. 23). For the 28% that hadn't implemented a business continuity plan, lack of budget was the most often cited reason (30.1%), though 29.7% said they hadn't implemented a plan because they didn't see a need for one.
Almost 10% of the respondents said they couldn't get upper management to approve a business continuity plan, so they hadn't implemented one. Clearly, money is a primary obstacle to implementation.
Are these numbers representative of the population at large? Yes and no, says John Sloan, senior research analyst at Info-Tech Research Group, an IT research and professional services firm in Toronto. "They are certainly higher than I'd expect, but not a huge deviation from [what's been reported]." A 60% implementation rate is fairly standard, he says.
"Disaster planning, disaster recovery, and business continuity have certainly increased as priorities over the past few years," explains Sloan. "Those organizations that a year ago said they would implement a plan are in the process of implementing one now."
The looming question, however, isn't necessarily whether it is 60% or 70% of organizations that have implemented plans, but whether these numbers are inflated. Do most plans really qualify as "true" business continuity and disaster-recovery efforts? And, as a result, are common statistics a true picture of overall enterprise disaster preparedness? Probably not.
In fact, according to the InfoStor survey, more than half of the respondents (66%) said they were not adequately prepared for a disaster or system failure, even though 72% said they had a business continuity plan in place. About 31% thought they were very prepared, and a little more than 2% said they were unprepared.
What accounts for this discrepancy? Why isn't there a higher level of preparedness among respondents? It boils down to semantics and the type of plan that has been implemented, explains Sloan. Users—and vendors—often have very different interpretations of the terms "business continuity" and "disaster recovery" and the requirements of each.
According to Sloan, there is a clear distinction between the two types of plans. Business continuity is all about mitigation (i.e., doing an assessment of your data resources and determining which data you can and cannot live without), while disaster recovery is all about recovery after a disaster strikes, he explains.
People often mistakenly think they have put effective business continuity or disaster-recovery plans in place, when what they have done truly doesn't meet requirements, says Sloan. "When we ask our clients if they have a business continuity or disaster-recovery plan, they often say 'yes,' but when we ask to see the plan, they [have nothing to show] because they haven't actually written anything down."
Sloan says that many users also equate preparedness with backup and virus protection—a so-called poor man's approach to business continuity and disaster-recovery planning. While these efforts are fundamental components of a business continuity plan, they are not the same as starting with an assessment of your IT infrastructure and then prioritizing from there, he says.
Info-Tech is currently in the process of developing procedures and methodologies for business continuity and disaster-recovery planning, which are designed to assist mid-sized organizations in building and implementing effective plans.
According to the InfoStor survey, the clear majority (some 87%) of respondents said that internal IT staff handled such development issues, while the majority (51%) of purchase-related decisions were handled jointly by IT and upper management (see figure). Only 7% of respondents said that their plans were handled by third-party service providers.
Sloan recommends outsourcing the planning and development phases of business continuity to a third party because you're likely to get a more accurate assessment of your IT environment.
A recent EMC/RoperASW survey of 274 executives at major US corporations reveals an interesting—and potentially serious—gap between technology executives' views of disaster preparedness and those of business leaders.
According to the survey, while 52% of IT executives felt that their data is "very vulnerable" to a disaster, only 14% of business leaders felt the same way.
In this same study, only 9% of business leaders said they would need more than three days to resume normal business operations after a disaster struck, while 23% said recovery would stretch from three days to more than a week.
In the InfoStor survey, 38% of respondents said that their company's survival was at risk if an outage lasted more than three days, while 14% said 24 hours was the key turning point. (The InfoStor survey did not ask respondents to indicate their job level [e.g., business executive or IT manager]).
Nearly 50% of the InfoStor survey respondents reported an hourly cost of downtime of less than $50,000; however, 39% reported an hourly cost in excess of $100,000. And 4% said an outage would cost them more than $5 million per hour.
What these numbers suggest is that while organizations recognize some degree of vulnerability, they haven't necessarily done a thorough assessment of their true disaster preparedness—one that involves both IT and upper management—and don't really understand what these plans entail. The EMC/RoperASW survey further highlights a gap between IT and executive thinking on the topic, which might prevent appropriate budget dollars from being allocated to process development.
"Even with everything that has transpired over the past two years, there's still a perception that protecting data is an IT problem, not necessarily a business priority," says Carl Greiner, senior vice president at the META Group.
"September 11 shook the foundation and brought the issue to the table," says Info-Tech's Sloan. "It made us all aware of our vulnerability and put pressure on organizations to show that they have a plan."
As for particular threats to an organization, only 2% of respondents said that they implemented a plan because of the potential threat of terrorism, while 52% of respondents said they implemented a plan because of a business reliance on a mission-critical application (see figure). E-mail, Web serving, electronic document imaging, content management and digital asset management, and supply chain management were cited as key mission-critical applications.
InfoStor survey respondents used a variety of technologies to safeguard their data, including mirroring (57%), off-site tape (56%), duplicate tape (41%), off-site tape vaulting (34%), snapshots (32%), and asynchronous (22%) and synchronous (17%) remote replication. About 47% of organizations replicate data to off-site locations in a wide area, 42% within a metropolitan area, and 23% campus-wide. And 61% replicated or mirrored half or more of their mission-critical data to off-site facilities.
Coming up
Over the next few months, InfoStor will look at a variety of topics as part of our ongoing special series, Business Continuity Planning: The lifeline of forward-looking organizations. Here's a sampling of what's ahead.
Pick-and-choose disaster recovery
Tips on putting together a business continuity plan that's right for your organization.
Data protection and business continuity
A look at some of the storage technologies (disk-based systems, tape, rapid recovery) that can help you meet DR/BC requirements.
Which is better: Logical or physical copies?
What are they? And when should you use them to protect your data assets?
Developing a storage portfolio
How do you establish a portfolio—one that reflects the needs and resources of your organization, and how do you match risks to your infrastructure and to the application environment?
Mapping technologies to business needs
Now that you've done a complete data backup and protection assessment, how do you map your business needs to available technologies?