Venyu Blog

I was recently reacquainted with one of my all-time favorite idioms and in the context of business continuity and disaster recovery (BC/DR) it took on an entirely new meaning.

According to this article in CIO, Stephen Hopkins, head of security practice for BT global services said that most disasters are small scale  — “death by a thousand cuts” — rather than a huge catastrophic event.

Hopkins goes on to say the most common threats are localized, such as losing telecommunications or losing power. But many people underestimate the window of disruption. It could be an hour, a week, or even months. For many people, their recovery vision is too short term, he says. And the vision might also not take into account all the implications of business continuity, which go well beyond getting the email system back up and running to include business, legal and regulatory requirements. Then there are brand management issues that can impact an organization well beyond the extent of the disaster itself.

In addition to citing Gartner Group predictions on the preparedness (or lack thereof) of articulated and fully realized business continuity management practices, including the revelation that by the end of 2012, fewer than 10% of enterprises will have received external certification for their BCM and IT disaster recovery programs, there is a similar lack of forward-looking vision associated with increasingly short response time objectives (RTO). Further, Gartner research shows that RTOs are shrinking: In a 2010 report, 63% of survey respondents said the RTOs for their mission-critical business processes were less than 24 hours.

“With such short RTOs,” the report says, “it is imperative that BCM plans are current and easily available during a crisis.” The problem is that, in some circumstances, 24 hours is not a short RTO, it’s a disaster in its own right. In some instances, a response within minutes, if not seconds, is a concrete requirement. What do you do then when the power goes off — or the earth quakes?

As an example of how to practically approach RTO, the article drills deep (pun intended) into the experience of a mining software and consulting company, Runge. Scott Henderson, its CIO, says disaster recovery is generally not well handled.  “It’s more than just a consultant’s analysis and, while IT is a central component in business continuity planning [BCP], particularly as we are all so reliant on IT as a corporate assert, it is not just an IT problem. Nobody knows when something will go wrong, so risk mitigation is what BCP is all about.”

Instead, Henderson maintains CIOs have to respond to disaster recovery planning using the classic insurance approach, in other words an ounce of prevention is worth a pound of cure; the price of making good after a disaster is a lot more than the cost of buying a system in the first place. “There is a difference between cost and price,” Henderson says.

Taking that one step further, Pritchett maintains disaster recovery needn’t be a cost center. “If you do it right, you can get performance benefits, improved facilities and services, and cost savings.”

Disaster recovery checkpoints from Runge CIO, Scott Henderson:

• Use multiple layers of protection
• Understand how people use it
• Business continuity is not just a process, procedure or structural thing — it involves people
• Don’t put your business continuity plan on the shelf. You need active management rather than an expensive paper weight
• What was right five years ago is not necessarily OK today — things change
• The IT department needs to be easy to do business with
• Reference all areas, physical and software — it might not just be a system crash, it could be a building collapse — be aware of security in all circumstances.

In short, implement a proactive business continuity/disaster recovery solution that preserves uptime, your peace-of-mind and cauterizes your infrastructure long before the bleeding from those thousand cuts ever begins.