Storage concerns don't end when you sell a disk or tape drive -- your clients will want to know their data is safe in an emergency. Offering disaster recovery (DR) and business continuity planning (BCP) services can be a good way to add services revenue to your reseller business, and it could just save your customers from bankruptcy after a natural disaster or terrorist attack destroys their servers.
The failure rate of companies that are caught unprepared by a disaster is in the 60% to 94% range, depending on the study, according to Jeffrey G. Williams, founder and CEO of Binomial International Inc., a business continuity planning consultancy in Ogdensburg, N.Y. Business continuity planning is so important that Williams' advice to owners of companies hit by a disaster for which they have no recovery plan is to just take the insurance money and find a new job.
Depending on your client's industry, regulations may even require a DR plan; for instance, the Health Insurance Portability and Accountability Act (HIPAA) mandates that healthcare providers have a DR plan.
Many companies now require their partners -- whether upstream or downstream -- to provide documentation of their business continuity planning, Williams said. And, increasingly, clients that fail to meet contractual obligations with a partner won't be able to use server glitches as an excuse, said Oli Thordarson, CEO at Alvaka Networks Inc., a managed service provider (MSP) in Irving, Calif. For example, one of his clients is a tile manufacturer that sells to The Home Depot, which fines them heavily if they don't acknowledge orders quickly enough -- within a matter of hours, Thordarson said. That client invested in a system it could quickly get up and running with minimal loss of data, because even a few hours of outage or lost orders could cost it tens of thousands of dollars.
Like any other business decision, DR planning involves a price-performance tradeoff. The two metrics most commonly used are recovery time objective (RTO) and recovery point objective (RPO). RTO refers to how quickly the system is back up, and RPO refers to how recent the restored data is -- or to put it differently, how much data is lost forever.
It's important to make sure non-IT people are part of the DR planning discussions, consultants said, especially when gauging the cost to the company of the system being down. Talk to as many managers as possible, and make sure they can tell you the cost to them of losing data or access to the server. (Read more about how to determine an optimum recovery time objective and some RPO strategies.)
When you start the business continuity planning discussion with your client, you should work with the client's managers to calculate the optimal amount to invest in RTO and RPO. Although the two variables are independent of one another, they are commonly affected by similar factors. For instance, the tile manufacturer's contract with The Home Depot required it to have both a short RTO, so it could start responding to orders quickly, and an aggressive RPO, so it could minimize the number of orders it loses from before the crash.
Systems that provide better RPO and RTO cost more. To calculate how much money your client should spend on RPO and RTO, compare the cost of a given system with the costs associated with losing a certain amount of data (for RPO) or uptime (for RTO). You should also look at the company's history to estimate the chances of a given disruption happening, Thordarson said. The cost of the potential loss should be higher than the cost of the system implemented to prevent it.
For instance, if a weekly tape backup costs your client $60,000 a year, but the cost to the company of a week's worth of data is only $10,000, and a server crash occurs only twice a year, the disaster recovery system may not be worthwhile -- your client would be spending more on the solution than the problem would cost.
A good rule of thumb is for a company to spend about 3% of its IT budget on business continuity planning, Williams said. Of course, some locations are at higher risk for natural disasters or terrorist attacks, and you should take those factors into consideration, he said.
The DR plan your client implements may also be different for different systems, Thordarson said. For instance, a hospital may have one system for patient-side care and another for 10-year archives. In an emergency, the patient-side care system needs to be up quickly so that doctors can look up critical data such as what medicines a patient is allergic to. A digitized x-ray of the client's broken foot taken a decade ago, however, can be unavailable for a few hours without putting patients at risk.
Even if your primary responsibility is in getting your client's data backed up, there's much more to data recovery. To create a comprehensive DR plan, you need to look at your client's specific risks and plan a way to get the whole business -- not just the data center -- back on its feet. In the next installment of this Hot Spot Tutorial, we'll show you how to handle business continuity planning for different contingencies and make sure your client's plan gets executed successfully when it's needed.
This was first published in November 2008