SearchStorageChannel.com: People often use "business continuity" and "disaster recovery" interchangeably. How are they different?
They are often used interchangeably; I think that's because they go hand in hand. You can't have one without the other. Disaster recovery is about what you do in the aftermath of a disaster. Business continuity is about what you do to make sure your business can still run. And those are separate, but related, types of processes. To use a concrete example: If there is an earthquake in California and your building is damaged, what do you do in the immediate aftermath? Do you have to work in an alternate location? Do you make sure your employees are safe? Did it happen during the day? Did it happen on the weekend? Those are the types of disaster responses to think about, and a lot of those things are typically done by governmental agencies: police department, fire department or the National Guard. But in terms of your business, what do you want to do? The next question you have to ask is, "What do we need to do to keep our business running?" In the case of an earthquake, you might say, "We're going to ship our operations to another location." Or "We don't have another location; we're a small business so we're going to see if we can rent a facility in a nearby town." Or "Our employees can work from home." Of course, they would have to have homes to work from until the facility is repaired. Those are the business continuity things to consider in the aftermath.
SearchStorageChannel.com: Many businesses are putting disaster recovery and business continuity on the top of their IT priority lists. Why is that?
It's become higher on the list, although I'm not confident it's being funded at the level that it needs to be. There's still a bit of a disconnect, because companies are recognizing the importance of it more and more, but then they are stepping back and asking, "How can we afford to do this?" A lot of companies are saying, "We're going to have to bite the bullet and pay for this," and some are a little on the fence.
Obviously, IT is integral to every company these days. Everybody uses email; everybody uses electronic documents of some sort. It's no longer an option to say that IT is just a side thing and if the computer system goes down we can run without it. Most businesses these days are dead in the water if their systems aren't running. Hurricane Katrina was a huge eye-opener for many people because it's not just that the building might catch on fire, but the building might be completely demolished. We might have to leave the area without anything -- without paper documents, or any documentation. Katrina helped people to understand the nature of disaster recovery and business continuity, in terms of being able to look at a much bigger picture and say, "Oh, it really is that large of a topic."
There have been a lot of advances in technology that make it easier to do some basic planning and mitigation strategies. For example, a lot of people are using network storage devices of some kind. And there are a lot of technologies available where you can save data to a third party, across the Internet, using encryption. Your data can be encrypted on the other end, and somebody else can store it for you. That right there is a huge piece of the puzzle in terms of data safety. A lot of the technology is becoming more and more available and a lot less expensive.
But data safety is one piece -- the very first piece -- of disaster recovery and business continuity. The second part is, How do I get my business running now? How do I replace systems, networks and configurations, etc.? The data safety piece has been fairly well-addressed. Even small to medium-sized businesses have the option of backing up their data across the Internet to a data vault of some sort. I think that more and more companies are saying, "That's good." Unfortunately, I think some of them think that's all that is required.
In my book and when I'm consulting with clients, I ask them to step back and think about this: You can't log on to your computer. You can't walk into the building. You're at home, and all you have is a cell phone. What do you do? You have to make people think along those lines; that's really what businesses are facing when their systems go down. It might be helpful to know that your data is stored at ABC data vault, but now what? How will your business run? If you have 50 to 100 employees in three buildings, what do you do?
SearchStorageChannel.com: What role do service providers play in business continuity?
I think it depends on what the service provider provides. Business continuity really has to do with understanding how the business operates and what it needs to do to come back online after a disaster. Depending on the nature of their business, service providers can really step in and help the company by providing along those different timelines. There's a critical recovery time frame, from when you are having normal operations to when some disruptive event occurs and your systems are unavailable. The first thing you do is begin system recovery. When you complete system recovery -- or recovering your data -- then you have to recover your business operations. At each step, depending on what the service provider does, they can step in and say, "Here's a piece of this service that we can provide." Some service providers are going to say, "I fit into this particular thing. When a disaster hits, call us because this is what we do. Then we will hand you off to the next provider that does the next piece."
SearchStorageChannel.com: What is business impact analysis all about?
It is about looking at how any kind of disruptive event impacts the company. In my book, I talk about what the upstream and downstream losses are, because sometimes we get a little myopic and we look at our company and we forget to think about things like -- and Katrina is a good example of this -- how business is impacted if we lose services such as electricity and water. The building may not have been flooded, but it has no power. There's truly nothing you can do at that point, except suspend operations or transfer business to another location. But many small businesses don't have that option. It's important in the planning stage to ask, What would we do? The answer might simply be to suspend operations until we can figure out exactly the nature of the problem and how we are going to address it. If the planning is done in the IT department, the human impact is sometimes forgotten. That's why I talk about bringing in key players from the entire organization -- that always includes someone from human resources, operations, legal and finance. As an IT person, you can't possibly know all of the implications, and it's a much better use of your time to ask the HR person, "If this building gets knocked down tomorrow, what do we do about the human impact?" And let them manage it. Look at the business from the standpoint of what the very critical things are, the essential things, what would be necessary to have and what would be nice. When you can break them down into those top three or four priorities, then you can understand the costs of these things going away -- what the costs of the building being inaccessible are, for example. Some might say, "I can't possibly quantify that." In some cases you can, and in some cases you can't. But if you can't quantify it, you and your team can usually have a strong sense about what would and would not be essential.
Even if you can't put a dollar amount on some of these impacts, you can at least identify what the mission-critical functions are. Then assess the maximum tolerable time these things can be unavailable before the business folds. When you look at it in that holistic sense, then you can really decide what you should focus your time, energy and money on, in terms of disaster recovery, business continuity and finance.
SearchStorageChannel.com: Do you see a role for service providers in business impact analysis?
Absolutely. Again, it depends on what specifically the service provider does, but they can really help IT people to look at the business. Sometimes having a third party from outside the company can be very helpful in terms of guiding people and saying, "Here are the things you really need to look at." It becomes, obviously, a business opportunity for the service provider. My recommendation is that the service provider goes in with the intention of collaborating with the business, to say, "Look, this is the expertise we bring to the table, and here's how we can help you." With an honest dialogue, most IT people would be quite relieved to have somebody with that expertise come in and help them.
SearchStorageChannel.com: Who are the most important people for service providers to talk to within a company when pitching disaster recovery/business continuity services?
I think it can be tricky. If you can, start with existing relationships. If appropriate, suggest to the IT people that you partner up and provide a business analysis report to present to the decision makers higher up in the organization. Most of the time a service provider won't be talking to the CIO; but if they can collaborate with IT, they can usually come up with a concise report to present. There's a lot of data to be gathered. A service professional might be in a good position to help the IT person make a clear, concise assessment. And it might be a good opportunity to figure out where the value-added opportunities are.
SearchStorageChannel.com: What is essential to consider when assessing a business for disaster recovery and business continuity? What types of questions should be asked?
The real essential elements come down to the data safety, business operations and costs. IT people love to say, "Here's the perfect solution," which also happens to cost $2 million. Look at data security and compliance issues. Try to build these things into your organization, and not just for disaster recovery, but because it can help the company in other areas, such as compliance. For example, HIPAA requires businesses to take certain steps with regard to information and data security. You can double your mileage by asking how these types of requirements might also help you with business continuity and disaster recovery planning. HIPAA requires that a business do things by law. You can double your mileage. Ask questions like, "How can I protect data, protect business processes (or at least replicate them) and how can I build this into the business?" Service providers can step in with solutions that get a lot more bang for the buck. Look at it from a holistic viewpoint -- how can we build this into the way we do business? It becomes an integrated look at the business.
SearchStorageChannel.com: What area of disaster recovery/business continuity represents the best potential for service providers to focus resources on?
I would say the first area is clearly data protection. It's odd, because there are solutions available, but many companies aren't utilizing them. I'm always surprised when I go into a business and see how little data backup they have. For example, I went into one business, and they had an enormous database. When I asked the IT people how they were backing it up, they gave me a long explanation that boiled down to "We do it piecemeal and hope nothing happens." Service providers can go in and give IT managers a bit of a reality check. These folks thought they were backing up their data. There's probably an enormous opportunity to simply look at the data safety/data recovery aspect. The cost of network storage and remote backup/storage and recovery services has continued to decrease over the past several years. Small companies often think it's too expensive, and in the past, they may have been right. Now, however, prices have come down, and companies need to look at the potential cost of losing data versus the ongoing cost of data storage and recovery services. This can be a huge opportunity for service providers to come in with a clearly defined, affordable data security plan (secure backup, storage, recovery services). If they can educate the IT manager or decision maker about the risks and costs of data loss compared to the cost of the plan, they may be able to build a relationship with small and medium-sized businesses that they might otherwise overlook. Finding ways to recommend and implement incremental improvements is also wise, especially when dealing with IT organizations that are clearly strapped for cash. Going back to the HIPAA example, if a service provider can recommend a solution that adds to the company's HIPAA efforts and provides data security, storage, backup and recovery services, that's a better value proposition for the company, and they're more likely to look at your proposals more seriously. 
SearchStorageChannel.com: Is there anything that we haven't covered that you want to bring up?
I'm often stunned that businesses are running without these basic protections. Almost everyone agrees we need car insurance and health insurance. But they don't see this as an insurance policy. A lot of people don't understand the impact -- after a major data loss, 43% of businesses won't reopen, 51% will close within two years and only 6% survive long-term. These are very stark numbers. What makes the difference? Data security. Is it secure someplace else, and can you get to it? And do you have a plan for moving forward? A lot of companies turn disaster recovery and business continuity planning into the quest for the Holy Grail, but it really doesn't have to be that complex. It can be as simple as having the key people sitting down for a couple of hours and brainstorming over the question, "What will we do in case of emergency?" Having that basic framework is a good starting point. They are at least in better shape than they would be if they did nothing at all. One last thing: If a service provider is going to try to sell disaster recovery and business continuity, they had better have their own house in order. Before they go out and sell the solution, they should implement it for their own business. It's a good opportunity to learn the process and fine-tune it at home, before going into a client's site.