Successfully resuming business operations after a significant business interruption or disaster requires a business continuity plan developed by an influential business executive, experts say. This contrasts with the reality at many organizations, where the IT executive who successfully developed the disaster recovery plan and/or the business continuity plan for IT is tapped for the broader initiative.
It is this leadership as much as the plan determining how much data an organization can afford to lose and for how long — known respectively as the recovery point objective (RPO) and recovery time objective (RTO) — that dictates how well and how fast an organization recovers.
“A lot of people make the mistake that business continuity is an IT function or that this is everybody’s responsibility,” said Richard Jones, an analyst at Burton Group Inc. who is working on a study of what makes companies succeed or fail at disaster recovery and business continuity.
“The successes have mostly centered around organizational structure and the people put in place to drive the process,” said Jones, service director for Midvale, Utah-based Burton’s data center strategies group. “Companies where business executives were not intimately involved — who basically said, ‘Let somebody else do it’ — the plan always just kind of fell apart.”
John Morency, an analyst at Stamford, Conn.-based Gartner Inc., said that, in theory, the business continuity (BC) person “always needs” to be in the business unit. What often happens is that the program manager charged with the IT business continuity plan is then tagged with the companywide plan. That can work on an emergency basis, but a significant portion of business continuity and recovery falls outside IT and requires a deep understanding of how the business works, Morency said.
“Eventually if the program is going to be sustained, the business continuity person has to report right into the CEO or the board or to a chief risk officer, if the company has one, but not to IT,” he said.
Standard RTOs, RPOs for business continuity plans
The most successful efforts at setting RTOs and RPOs also involve business leaders, including the board of directors. RTO and RPO requirements vary widely by company and industry. Jones, for example, found manufacturing firms where a data center outage of three days is not a big problem, because the facility can keep manufacturing. After that, the downtime starts to cost the company.
At the other end of the spectrum is financial services, where a single trader being down for one minute can cost a company $1 million to $2 million, Jones learned.
But companies make tradeoffs between RTOs/RPOs and cost. For example, rather than fund a system that would result in zero data loss, one bank Jones talked to has tellers keep their slips of paper; if the data center has an outage, tellers consult an application that tells them their last transaction and then they work late to re-enter the paper trail that didn’t make it through.
“The cost of doing that for the infrequency with which this happens was less than spending a bundle more money for mirrored data centers that were synchronously replicated to each other so you could have zero downtime,” Jones said.
Having a single RPO and RTO is unrealistic for most businesses, unless the CIO is charged with running a continuous organization, because of the high cost, Morency said. While there are no official benchmarks for RPOs and RTOs, Gartner uses a four-tier system (see chart), and many other places offer guidelines (see box).
Morency said most organizations segment data recovery by tiers, with Tier 1 and 2 including those applications and processes that are most critical to revenue generation. Recovery times for these tiers are at less than 24 hours; data recovery points are four hours or less. Organizations with these objectives will likely use some form of disk-to-disk replication, as tape recovery is too slow.
Business impact analysis: Financial costs the easy part
Calculating the cost of downtime that underlies RTOs and RPOs starts with a business impact analysis, which includes both hard and soft costs. Hard numbers are easy to get. A CFO can tell the company how much money it makes in a day and how much it will lose by not producing product, or what the run rate for salaries will be per day or what it will cost to replace equipment.
More difficult to tote up are the indirect business impacts, such as the cost of customer dissatisfaction or the variance in cost related to when the outage occurs.
“A lot of it is subjective, but you need to get a first swipe at trying to quantify indirect business impact,” Jones said.
The quantitative or even quasi-quantitative analysis is essential in brokering a viable RPO/RTO strategy. A classic error IT departments make is showing up and asking business owners how soon they need to be back up.
“The answer always comes back that ‘We have to be continuously or in an hour,’” Morency said.
http://go.techtarget.com/r/7775438/5598151
Linda Tucci, Senior News Writer
Source: Gartner Inc.
View Original Article
At the RSA conference in San Francisco, VP of Trustworthy Computing Scott Charney told the conference attendees that Microsoft was planning new security offerings to ease the management of identity and authentication information. He further added that Microsoft was working on a new server initiative as part of its Geneva Project. This new service will allow systems administrators to use small pieces of authentication data to authorize access to web services and materials.
If anyone has the right to be excited about cloud computing, it’s John Chambers. But on Wednesday Cisco Systems’ Chairman and CEO conceded that the computing industry’s move to sell pay-as-you-go computing cycles available as a service on the Internet was also “a security nightmare.”