Business continuity part 3: Making the unbreakable

22 Jan 2004

A wonderfully comprehensive and jargon-free phrase sums up today’s thinking on business continuity: ‘The Unbreakable Organisation’, for which credit duly has to go to data storage industry leader EMC. Resilience is what is required throughout every aspect of an organisation; the ability to move seamlessly to alternative service delivery in the event of any difficulty and to spring back into action after a disaster.

In fact the traditional term ‘disaster recovery’ is something of a misnomer, since a disaster for the organisation is exactly what is averted when an external event triggers a well-executed plan. The only trouble is that plans that were valid yesterday or last year may no longer work, so contingency plans need to be re-evaluated and solutions re-designed. “Today’s challenges are much more complex than preserving and restoring data,” says Gregg Therkalsen, EMC vice president of Business Continuity Solutions. “For example an organisation may typically be running a variety of different systems, each integrated and feeding each other, but that means five, ten or more separate pools of information that have to be reconciled if they have to be restored. But those systems often have wildly inconsistent recovery methods and that poses real difficulties in designing a comprehensive solution.”

He points to the 24×365 requirements of the internet and extended global supply chains and logistics with multiple partners as well as the constantly changing needs of technology and the business. “By far the commonest events that business continuity has to deal with are day-to-day occurrences like device failure or human error. Systems have to cope with these and also the rare events that are potential disasters. What this certainly means is that we have to bring business continuity systems to a new level and that means the highest possible degree of automation.”

Duplicating data off-site has been standard for generations and we have learned to disperse data and failover systems geographically. Now that the networking costs of distance have come down, such solutions are more affordable and becoming much more common. EMC, which had many customers involved, cites the 11 September tragedy and some of the hard lessons of disaster recovery afterwards, not least that restoring from tape back-up is impossible when there is no transport movement and a whole region is disrupted for days on end.

The company now firmly holds, as do most data storage vendors and ICT consultants, that the fundamental lesson is that both the data replication and recovery processes should be automated. When duty staff are stressed, key decision makers absent or unavailable – characteristics of emergency situations – then additional risks of “…human error and elongation of the recovery process grow exponentially”. In this context, EMC asserts that recovery based on tape backup is no longer the answer. Coming from a disk storage vendor, that might be predictable, but the argument that tape-based systems are not hands-free and require physical transport off-site does seem irrefutable at the moment.

So the new business continuity thinking for tomorrow is based on four main elements: Consolidate data storage on a platform with no single point of failure; Duplicate data assets so that a smooth transition can be made within a specified time interval; Disperse to a remote location to cope with a regionalised disaster situation; Automate, which suggests a centrally managed data storage infrastructure with automatic business continuity and related processes.

Once again, the emphasis in practical terms is on ICT management because that is where almost all of the technical solutions belong. But business continuity is an enterprise-wide responsibility which has to be based on strategy and policies from the top. To be effective, it requires leadership, decisions and resources. It is part of a continuum of corporate risk management responsibilities, also including security, for which ultimate responsibility rests with the board. “Apart from the business drivers, which are serious enough, there is an ever-increasing range of legislation and industry regulation which affect the legal responsibilities of directors – and introduce liabilities,” says Bob Semple, PricewaterhouseCoopers partner and expert in risk management solutions.

“There is the 40-year-old Companies Act duty to ‘safeguard the assets of the company’ which could certainly be held to include its business data. Soon we will have the Companies (Auditing and Accounting) Bill implemented and the requirement for a Directors’ Compliance Statement in respect of relevant obligations of any enactment that might materially affect the company’s financial position.” This will go quite deep, he points out, requiring directors to report on the company’s policies for compliance, financial and other procedures for ensuring compliance and its arrangements for implementing and reviewing the effectiveness of its policies and procedures.

“Boards will soon have to choose between the ‘fig leaf’ response to the new regime, doing just the bare minimum to be seen to comply,” says Bob Semple, “or they can view it as an opportunity to add to their competitive armoury. For any service company or potential supply chain partner, for example, there is certainly major value in pointing to ‘our fully tested business continuity plans’. Compliance can be converted from burden to resource by extending it to cover full risk assessment – meaning anything that can affect the achievement of the organisation’s objectives.”

At the end of the day it all comes down to staying in business because you have actually planned to stay in business – whatever happens.

By Leslie Faughnan