With the outlook for the world economy continuing to look bleak, many organisations are predictably taking a hard look at their IT expenditures to identify projects that can be cut or deferred. The reality, however, is that business needs for available data and regulatory compliance obligations do not decline in step with an economic downturn.
"Focused on short-term pressures to make budget cuts, it often escapes companies that disaster preparedness needs may actually be greater during times of economic duress," says William DiMartini, senior vice president of consulting services at US-based SunGard Availability Services.
"For example, many organisations are reducing costs by consolidating equipment, but because of compliance and a plethora of other requirements, data must still be retained - even with a cap on spending."
The bottom-line consequences of failing to maintain an effective business continuity plan are indicated in a study undertaken by Suncorp in the UK, which found that just a third of small- to medium-sized enterprises (SMEs) are now taking active steps to ensure their business will continue to operate normally in the event of a disruption.
From those surveyed, 40 per cent said a computer hardware failure or malicious attack on their systems would be detrimental to their business, while only 10 per cent said they would be able to function as normal.
In the US, an annual study on business continuity and disaster preparedness by AT&T found that in 2008 one in five businesses do not have a business continuity plan in place. Arguably of even greater concern is that for the third year in a row the study found that nearly 30 per cent of US businesses do not consider business continuity planning a priority.
AT&T canvassed the views of IT executives from companies throughout the US that have at least $US25 million ($39 million) in annual revenue, and found that two thirds predict hacking will be the biggest threat in the next five years. The next most frequently cited threats are internal: accidents (56 per cent); sabotage (47 per cent); and remote workers (44 per cent). Further, while six out of 10 companies have made some type of business change in the past year, only 28 per cent updated their business continuity plans.
The risks they run are acute, and graphically highlighted in the 2007 Best's Underwriting Guide by AM Best, which revealed that only 6 per cent of companies that suffer catastrophic data loss survive, while 43 per cent never reopen and 51 per cent close within two years of the disaster.
According to DiMartini - a veteran of more than 20 years in disaster planning and recovery - when reviewing corporate IT programs there are three core issues integral to optimal preparedness: What are the risks? Which programs must be maintained and how can they be most effectively maintained? And what is the impact of technology changes on disaster plans?
MAKE RISK ASSESSMENTS A PRIORITY
"As organisations are challenged to scrutinise how to spend their dollars, conducting availability risk assessments to identify vulnerabilities can provide excellent guides on how to determine budget priorities," DiMartini says.
However, he says it is essential to measure and assess three major areas: information security - covering policy, procedure and regulatory response; information management - examining program controls, flow of information and continuity of services; and information architecture - looking at network and facility design, environmental infrastructure and system design.
KEEP ESSENTIAL PROGRAMS GOING
Typically, during an economic downturn, internal IT resources become stretched. This leads to companies looking for outside support to fill gaps to get essential work done and still save money. One key area in which third party providers can have positive input is maintaining and testing disaster recovery plans.
Importantly, disaster recovery plans need to be viewed as ongoing programs - not projects that can be put on a shelf for a year.
Another area that often faces cutbacks in tight budgetary times is recovery environments. However, when companies are pressured to scale back an IT recovery site it often leads to the recovery installation not matching the current production environment.
The result is that critical applications can no longer be supported at recovery sites. To address the issue, companies can leverage third party-managed services that host secondary applications at a third party site and protect data with disaster recovery solutions.
KEEP ABREAST OF CHANGING TECHNOLOGY
As is well known, many organisations are now moving to virtualisation technologies to generate IT cost savings by consolidating servers and storage.
But moving to such environments with untested plans to recover data should an unplanned outage occur can turn a problem into a disaster that impacts on an entire company.
"Data managed by virtualised systems still needs to be accessible," DiMartini warns.
"Business continuity plans need to be updated to account for virtual environments to assure information availability."
- Mark Phillips