The realities of business continuity

It's not just about backup anymore. It's about a confluence of data protection, disaster recovery, and business continuity.

By Heidi Biggar

Like it or not, the realities of the world in which we live dictate new approaches to business continuity that go well beyond backup and include a web of interconnecting business processes and technologies.

As Peter Gerr, a senior analyst with the Enterprise Strategy Group (ESG) consulting firm, explains: "I look at data protection, disaster recovery, and business continuity today as intersecting circles, where data protection is the center circle and business continuity and disaster recovery are outer circles."

Put another way, business continuity and disaster recovery may have more relevance to some companies than others, but the need for data protection is generally universal. "Not everyone has to do disaster recovery or have a business continuity plan in place, but everybody certainly has to protect his/her data in one or more ways," says Gerr.

Similarly, not all companies or industries are subject to the same outside influences and forces. However, analysts have identified some common factors that are driving or inhibiting disaster-recovery management and business continuity.

According to Gartner, an IT research and consulting firm, increasing business reliance on IT, various regulations, and the cost of downtime, among other things, are driving disaster-recovery management, while factors such as apathy, lack of upper management support, budgetary issues, staffing constraints, and IT complexity are inhibiting it (see figure).

Click here to enlarge image

In particular, Gartner says that IT's criticality to the business and increasing regulations (e.g., HIPAA, Sarbanes-Oxley, etc.) are primary drivers today. On the flip side, Gartner says that while getting upper management approval on compliance-related processes or technologies is still an inhibiting factor to disaster-recovery management, it is less a factor than it was a year or more ago.

"Although there are still many constraints to disaster-recovery management, these have lessened since September 11 and the regional power outages of 2003," said Donna Scott, Gartner vice president and distinguished analyst, at Gartner's PlanetStorage conference in June. "Executive management is more aware of the need for business continuity management and is more likely to approve and authorize investments."

In general, analysts say that the attitude toward and the attention given to business continuity and disaster-recovery preparedness have changed significantly over the past three years. Likewise, the attention given to regulatory compliance has also changed as IT administrators and executive management become familiar with the specific requirements of various regulations and the potential impact of non-compliance.

According to the ESG's Gerr, the HIPAA stakes are high, drawing penalties of upwards of $250,000 or 10 years in prison per incident for non-compliance. For other industries, fines weighed for delays in retrieving documents (e.g., e-mail messages) related to particular lawsuits can have significant and long-lasting business effects and, therefore, should be factored into an organization's business continuity planning process.

This increased focus on regulatory compliance is expected to affect enterprise business continuity planning from a business process, document management, and storage management perspective, depending on the industry. For some, this spells more investment in business processes; for others, it directly correlates to the percentage of IT dollars spent on underlying storage infrastructure.

Industry analysts expect some industries to be more affected by regulatory requirements than others. For example, ESG's Gerr expects HIPAA to have a much greater impact on business continuity planning from a storage perspective than, say, Sarbanes-Oxley, which will affect business continuity planning but from a higher process or content management level.

"I've always maintained that Sarbanes-Oxley is a 'non-starter' in terms of driving storage growth," says Gerr. "But it is going to have an impact on security and controls and will likely change a lot of businesses processes. HIPAA, on the other hand, will drive storage growth for a variety of reasons—in particular, the nature of the information being stored [i.e., the size and quantity of files that need to be retained]."

For these reasons and others, Gerr says companies should evaluate their data-protection and business continuity requirements from a regulations standpoint on a case-by-case basis.

(For more information about HIPAA, its impact on data protection and business continuity planning, and the storage technologies that can help you comply with regulations, see "Data protection, business continuity, and compliance," on p. 30 of this Special Section on business continuity.)

Regulations aside, analysts recommend that users weigh their business continuity plans against a variety of factors, including the size of their budgets, their tolerance for risk, their recovery time objects and/or recovery point objectives, and the criticality of the applications and data they are trying to protect, among other things, and then map these needs to specific technologies.

In the Special Section on business continuity, InfoStor takes a look at some of the storage-specific technologies that exist today and that are on the horizon that will help organizations protect the various types of data within their organizations and help them evolve their way of thinking about data protection from one that is focused solely on backup to one that factors in business implications, application interdependencies, and regulatory requirements, among other factors.

With this objective in mind, David Freund, a senior analyst at Illuminata, takes a fresh look at backup and its changing role in data protection. He identifies three categories of products: incremental solutions, which are designed to enhanced existing backup methods; fundamental solutions, which use techniques such as mirroring, replication, and journaling to provide extra copies of data in the event of a disaster; and hybrid, or combination, solutions.

ESG senior analyst Tony Asaro, meanwhile, explores the comparatively unchartered territory of emerging technologies. He looks at techniques such as stretching clusters, backup-to-disk with remote replication and de-duplication, remote mirroring, and virtual machines and provides insight on the pros and cons of each.

This article was originally published on August 01, 2004