My e-ternity

Business Continuity FAQ

  What is driving the recent focus on Business Continuity and Disaster Recovery Solutions?
    The Business Continuity Industry has enjoyed the spotlight in recent years due to some prominent unfortunate events. Since 2003, businesses in Canada have experienced several severe threats to their operations, including:

    1. Power Outage Ontario - Summer 2003
    2. SARS - Summer 2003
    3. Peterborough Floods - Spring 2004
    4. MS Blaster Virus Attack - 2003
    5. Forest Fires in Western Canada - 2003
    6. Royal Bank System Outage - 2004

    A 2003 Harris Interactive Poll entitled "Disaster Preparedness and Information Availability in Post 9/11 Corporate America" found that most executives give their own company a C+ when it comes to their ability to quickly access business-critical information after a disaster.

    That same Harris Poll found that most Fortune 1000 executives have already experienced network/IT system disruptions:

    • 56% reported one systematic email interruption in the past year
    • 25% cited disruption in financial systems
    • 23% experienced disruption in ERP systems
    • 21% experienced disruption in order entry systems
    • 21% experienced disruption in supply chain communications

    In a similar study done by KPMG in 2003 of organizations in the US:

    1. Over 50% of companies have experienced the following threats:
      • Natural Disaster (50%)
      • Hardware Failure (66%)
      • Software Failure (58%)
      • Human Error (53%)
      • Power Outage (71%)
      • Communications Failure (55%)
    2. Over 74% of companies have a downtime tolerance/recovery time objective of less than 24 hours.

    The Toronto Star in October 2003 quoted Paul Sullivan, General Manager of Business Resiliency and Continuity Services for IBM Canada as saying that "studies show that less than 60% of Canadian businesses have a disaster recovery plan." With the recent events and media attention that this topic has received, these services are now in incredible demand.

  What's the difference between Business Continuity and Disaster Recovery?
    The term Disaster Recovery is often misused as a synonym for Business Continuity, but the two terms actually refer to two different aspects of the planning process. Whereas Business Continuity refers more to the overall business processes, Disaster Recovery has a technology focus. The Disaster Recovery Journal, one of the leading organizations on the topic, defines Disaster Recovery as: "The technological aspect of business continuity planning. The advance planning and preparations that are necessary to minimize loss and ensure continuity of the critical business functions of an organization in the event of disaster."

  What is a Business Impact Analysis?
    Often, a customer is aware that they should have a Business Continuity Plan in place, but they are unsure where to begin. Before a proper plan can be charted, a customer must first understand their current environment and requirements for continuity of their operations. To determine this, a preliminary exercise called a Business Impact Analysis, or BIA, must be performed. SearchStorage, a leading source for online Business Continuity terminology, has defined the Business Impact Analysis as "an essential component of an organization's business continuity plan; it includes an exploratory component to reveal any vulnerabilities, and a planning component to develop strategies for minimizing risk. The result of such an analysis is a business impact analysis report, which describes the potential risks specific to the organization studied. One of the basic assumptions behind BIA is that every component of the organization is reliant upon the continued functioning of every other component, but that some are more crucial than others and require a greater allocation of funds in the wake of a disaster. For example, a business may be able to continue more or less normally if the cafeteria has to close, but would come to a complete halt if the information system crashes.

    A BIA is likely to identify costs linked to failures, such as loss of cash flow, replacement of equipment, salaries paid to catch up with a backlog of work, loss of profits, and so on. A BIA report quantifies the importance of business components and suggests appropriate fund allocation for measures to protect them. The possibilities of failures are likely to be assessed in terms of their impacts on safety, finances, marketing, legal compliance, and quality assurance."

  What's involved with Auditing and Testing?
    Sometimes a customer will already have a Business Continuity Plan in place, but has never had it professionally validated. For a fee, Business Continuity Consultants will analyse an existing plan and offer recommendations. Once a proper Business Continuity Plan exists, a customer should test on a frequent basis, often annually or semi-annually, and this usually requires third-party assistance.

  What are Work Area Recovery Services?
    In the event of a true disaster, where access to a customer's physical site is not possible due to fire, flood, power outage, evacuation, etc., employees need to relocate to continue with their duties. For some employees, it may be convenient to work from home, but others require actual office space. In this case, Solutions Providers such as Sungard and IBM Global Services will provide Work Area Recovery Services, a solution that provides an alternate facility complete with workstations, equipment, office resources, voice and data connectivity, and technical expertise so that the customer can continue to work. This is usually charged on a per-seat basis.

  What are Quick Ship Services?
    In the event of a computer system outage, a customer is required to get these systems back online as quickly as possible so that the business can resume operations. One alternative is a Quick-Ship program where a Solutions Provider such as Sungard will replace the damaged equipment with a pre-determined emergency configuration, to be delivered to a designated recovery site within a specific time frame, typically 24-48 hours. Once the equipment arrives, the customer can begin the implementation of the new technology and recover the systems.

  What are Mobile Recovery Services?
    If a customer's primary site is compromised, another recovery alternative is to have a backup facility delivered. Some Solutions Providers such as Sungard offer Mobile Recovery Services which bring the entire recovery effort in a mobile trailer to the client's preferred location. They will supply and deliver the technology, data centre and office space, and infrastructure including systems and technical expertise.

  Why would I require Data Storage Consulting Services?
    Data Storage can be a complex and intimidating concept. Data can be stored on a variety of media for a number of different purposes. Generally speaking, a customer's primary data is stored on disk drives that are either enclosed in an application server or in a separate disk storage device. The technology changes very quickly and the management of the infrastructure can be overwhelming. For this reason, many companies offer storage consulting services to simplify the process and to provide expertise that many customers lack.

  What are some different types of Storage Consulting Services?
    1. Storage Infrastructure Assessments
      • A pre-sales chargeable service that provides a snapshot of a customer's existing infrastructure and identifies areas that need to be addressed.
    2. Storage Implementation Services
      • Once a solution has been designed and purchased, these services are required to implement the solution.
    3. Data Migration Services
      • Once a new storage infrastructure is in place, the data must be moved from the old infrastructure to the new one, and this can be a complex process.
    4. Storage Management Services
      • Once a storage infrastructure is in place, management can be tricky, especially if there are many different devices from many different vendors. These services provide the customer with best practices and proper tools to accomplish this.
    5. Data Classification Services
      • To implement a proper long-term strategy, data must be classified according to its value to the organization. This is often a difficult task for customers to perform themselves, and these services assist with this process.
    6. Data Replication Services
      • For true redundancy, a customer's data must be replicated to more than one location in case the primary location is compromised. This process is complex as it involves many different hardware, software, and network technologies and thus usually requires consulting services.
  Why would I require Remote Data Backup Services?
    Customers typically perform data backups from disk to tape every day so that in the event of a system failure, a customer's corporate data is still intact on the tape medium. Best practices dictate that these tapes should be stored offsite in case a disaster destroys not only the primary infrastructure, but the tapes as well. For this reason, Solutions Providers such as Iron Mountain will provide a service that involves the daily pickup of these tapes from the customer's premises and delivery to an offsite, secure warehouse storage facility. In the event of an outage, Iron Mountain will deliver the appropriate tapes back to the customer in a timely fashion and the customer can begin to restore the data from tape back onto their disk systems.

    To take this concept one step further, other Solutions Providers such as Asigra provide an online remote data backup solution that bypasses the requirement for the customer to perform their own tape backups. In this solution, a customer's data will get replicated online automatically to a remote location where the data is backed up, stored, and protected.

  How do I mitigate the risk of Wide Area Network Failure?
    A Wide Area Network (WAN) is a wired computer network that provides data communications to a large number of users usually spread over a large geographic area. When data or voice is being transmitted across a WAN, the transmission is at risk due to the vulnerability of the network link itself. Therefore, a redundant connection must exist to ensure that there is no interruption to the service.

    WAN failover increases network availability by automatically switching over to a secondary Internet link when a failure of the primary link is detected. This solution can be complex and must be addressed for a proper Business Continuity solution to exist.
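
An added example (not part of the original FAQ) of the failover decision described above: a controller that moves traffic to the secondary link after several consecutive failed probes of the primary and moves it back only once the primary has stayed healthy. It goes beyond the text by damping fail-back; the thresholds, the probe trace and all names are constructed assumptions.

```python
from dataclasses import dataclass, field

PRIMARY, SECONDARY = "primary", "secondary"


@dataclass
class FailoverController:
    """Chooses the active WAN link from periodic health probes."""
    fail_threshold: int = 3     # assumed: consecutive primary failures before failover
    recover_threshold: int = 5  # assumed: consecutive primary successes before fail-back
    active: str = PRIMARY
    fails: int = 0
    oks: int = 0
    events: list = field(default_factory=list)  # (tick, old_link, new_link, reason)

    def _switch(self, tick, new_link, reason):
        self.events.append((tick, self.active, new_link, reason))
        self.active = new_link

    def observe(self, tick, primary_ok, secondary_ok):
        """Feed one probe result per link; return the link that carries traffic."""
        if primary_ok:
            self.oks, self.fails = self.oks + 1, 0
        else:
            self.fails, self.oks = self.fails + 1, 0

        if self.active == PRIMARY:
            # Fail over only to a link that is itself answering probes.
            if self.fails >= self.fail_threshold and secondary_ok:
                self._switch(tick, SECONDARY, "primary failed repeatedly")
        elif self.oks >= self.recover_threshold:
            self._switch(tick, PRIMARY, "primary stable again")
        elif not secondary_ok and primary_ok:
            # Backup link died: a shaky primary beats no link at all.
            self._switch(tick, PRIMARY, "secondary down")
        return self.active


def run_trace(trace, **thresholds):
    """Replay (primary_ok, secondary_ok) probes; return (events, outage_ticks)."""
    ctl = FailoverController(**thresholds)
    outage = []
    for tick, (p_ok, s_ok) in enumerate(trace):
        link = ctl.observe(tick, p_ok, s_ok)
        if not (p_ok if link == PRIMARY else s_ok):
            outage.append(tick)  # traffic was on a link that failed its probe
    return ctl.events, outage


# Constructed probe trace: one blip, a real primary outage, then a flapping recovery.
T, F = True, False
TRACE = [(T, T), (T, T), (F, T), (T, T), (F, T), (F, T), (F, T), (F, T),
         (T, T), (T, T), (F, T), (T, T), (T, T), (T, T), (T, T), (T, T), (T, T)]

if __name__ == "__main__":
    for label, kw in (("damped", {}),
                      ("undamped", {"fail_threshold": 1, "recover_threshold": 1})):
        events, outage = run_trace(TRACE, **kw)
        print(f"{label}: {len(events)} switches, outage ticks {outage}")
        for tick, old, new, reason in events:
            print(f"  tick {tick}: {old} -> {new} ({reason})")
```

On this trace the damped settings accept a few probe intervals of downtime in exchange for two link changes, while thresholds of 1 avoid the downtime but change links six times.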

  What is Voice over Internet Protocol and how can it help me with a Business Continuity Solution?

    Also called VoIP, this term refers to hardware and software that enables people to use the Internet as the transmission medium for telephone calls.

    When deployed in a Business Continuity solution, this technology provides an added layer of availability for voice communications. Since VoIP communications are Internet based, the main phone system can be located in any geographical location, as long as all of the users have access to the Internet. In this case, users can locate their phone system in a secure facility such as an offsite third party data centre, which would not be affected if a customer's primary location were to be compromised. Furthermore, many of the Canadian telecommunications companies such as Bell and TELUS are providing this solution, complete with aggressive Service Level Agreements for guaranteed availability, as a subscription based service so that the customer purchases no actual hardware or software. In this case, the responsibility of keeping voice communications online is transferred from the customer to the telecommunications company.

  Where is the Business Continuity industry going?

    Focus on Information Availability vs. Recovery
    The shift is clearly moving away from a company implementing capabilities to allow for fast recoveries in the event of a crisis towards solutions that will enable them to seamlessly continue on with business. The same Harris Poll showed that nearly nine in ten (88%) would like to see their company address all aspects of information availability, whereas just 12% prefer an emphasis on data recovery only.

    Improved Data Management
    The management of a customer's information environment is becoming more and more critical. Some of the trends include:

    1. Data will continue to grow at an extraordinary rate - an estimated 50+% per year
    2. Data archiving requirements will skyrocket as an estimated 90% of data stored is rarely accessed, making disk an inefficient and costly choice with low utilization

    Information LifeCycle Management (ILM)
    Information LifeCycle Management is defined as a strategy for aligning a customer's IT infrastructure with the needs of their business based on information's changing value. Through ILM, a customer gets the most value from their information, at the lowest Total Cost of Ownership, at every point in its lifecycle.

    In other words, adopting an ILM Strategy provides cost savings for a customer because it allows them to store their data on the most cost-effective medium based on its value and likelihood of access. This involves implementing different tiers of storage such as Primary disk storage (for data that will be frequently accessed), Secondary disk storage (for less frequently accessed data, or primary archive data), and offsite Tape storage (for all archived data that is less likely to be accessed).

    With respect to Business Continuity, this concept is important because it provides the customer with a cost-effective strategy to ensure the protection and survival of their most critical information.

    Data Virtualization
    Data virtualization is an increasing trend in the IT industry that is designed to improve the manageability of data and to reduce a customer's physical IT infrastructure. Data Virtualization describes the capability to automate the storage of data so that the importance of its actual location becomes irrelevant. There are a number of vendors that are starting to offer various virtualization solutions, but customers are still relatively unaware of most of the significant benefits that are available with this technology. By achieving this, virtualization provides the ability to:

    1. Consolidate a large number of small individual servers on to one larger server, easing manageability and more efficiently using system resources.
    2. Simulate the availability of hardware that may not be present in sufficient amounts, or at all.
    3. Use the available physical resources as a shared pool to emulate missing physical resources.
    4. Keep software applications available online close to 100% of the time by moving those applications to temporary servers to allow for activities such as maintenance that would normally require the server to be down.

    With respect to Business Continuity, this provides a significant opportunity in that:

    1. Systems can now achieve close to 100% uptime because of the shared resources
    2. Creating an emergency failover site can now be achieved at a fraction of the cost of traditional solutions due to the reduced hardware requirements.

    Migration to Blade Server Technology
    Traditional servers are separate physical devices that sit together in a computer data centre to form an integrated system. Typically, each software application resides on its own dedicated server, complete with dedicated disk drives, cooling fans, network cables, power, etc. Following a similar trend with virtualization technologies, server vendors such as IBM, Hewlett-Packard, and Dell have recently introduced blade servers, which allow many physical servers to be housed in a single chassis or device. This technology allows more than one server to utilize the common infrastructure components mentioned above to reduce costs and overhead. This technology is a perfect complement to data storage technology and the consolidation concept consistent with virtualization.

    Data Backups to Disk vs. Tape
    Data is initially stored on disk. Traditionally, a customer would perform daily backups of their data from disk to tape and store the tape media securely offsite so that, in the event of a disaster, it can be retrieved and restored intact. During these data backup sessions, the customer systems are offline and employees cannot access the business applications. Although tape has traditionally been a less expensive medium than disk, some limitations of tape include the significant time it takes to store the data onto tape, retrieve the data for a restore back to disk, and the suspect reliability of tape in general. Very simply, data that is stored on disk is more secure, and disk-to-disk transfers are extremely fast compared to disk-to-tape (and vice versa). Due to the constantly declining cost of disk storage, the trend has finally started to reverse. More and more customers are now considering archiving their data to disk and eliminating the need for tape storage altogether.

    From a Business Continuity perspective, the benefit to the customer is:

    1. Increased availability of their online systems as the requirement for systems to be offline during a data backup session has decreased.
    2. Data replication to a remote site is achievable online, decreasing the time and complexity of previous offsite methods.
    3. Recovery of data is exponentially faster due to the disk-to-disk restore procedure vs. disk-to-tape restores, dramatically decreasing the downtime for customers in the event of a disaster.

    Government Regulatory Themes
    In recent years, government regulations have taken an increased role in the way business is managed. In the aftermath of recent scandals such as WorldCom and Enron, legislation has been introduced to force companies to be more accountable for their information and to be able to produce archived records quickly and accurately.

    Personal Information Protection and Electronic Documents Act (PIPEDA)

    This act, an extension of the Privacy Act, extends to the Canadian private sector, and demands that:

    1. Organizations must obtain consent from individuals, including employees, to collect, use or disclose personal information.
    2. Organizations must disclose why information is being collected, collect only what is required, and retain it only as long as necessary to fulfill the initial task.

    With respect to data storage, this act has increased the requirement for effective long-term storage methodologies.

    Sarbanes-Oxley Act
    The Sarbanes-Oxley Act of 2002 (often shortened to SOX) is legislation enacted in response to the high-profile Enron and WorldCom financial scandals to protect shareholders and the general public from accounting errors and fraudulent practices in the enterprise. The act is administered by the Securities and Exchange Commission (SEC), which sets deadlines for compliance and publishes rules on requirements. Although this is US legislation, any Canadian company doing business in the US is subject to the same terms and conditions.

    Sarbanes-Oxley is not a set of business practices and does not specify how a business should store records; rather, it defines which records are to be stored and for how long. The legislation not only affects the financial side of corporations, but also affects the IT departments whose job it is to store a corporation's electronic records.

    The Sarbanes-Oxley Act contains three rules that affect the management of electronic records.

    1. The first rule states that anyone who knowingly alters, destroys, mutilates, conceals, covers up, falsifies, or makes a false entry in any record, document, or tangible object shall be fined under this title, imprisoned not more than 20 years, or both.
    2. The second rule states that the retention period for the storage of these records should be no less than five years.
    3. The third rule outlines the type of business records that need to be stored, including all business records and communications, including electronic communications.

    As is stated above, the consequences for non-compliance are fines, imprisonment, or both. IT departments are increasingly faced with the challenge of creating and maintaining a corporate records archive in a cost-effective fashion that satisfies the requirements put forth by the legislation. This legislation alone has put pressure on organizations to not only store these records properly, but to ensure that they have redundant archives.

    Widespread Adoption of VoIP Solutions
    According to IDC's most recent forecast, worldwide sales of VoIP telephony equipment will see substantial growth between 2004 and 2007, increasing by 48% in 2004 and topping $4.9 billion by year's end. Equipment sales will continue to grow by more than 50% in 2005 and 2006, to reach $11.4 billion in 2006, and $15.1 billion in 2007.

    What are the main benefits of a Business Continuity training/exercise program?
    There are two main benefits of exercising your business continuity/disaster recovery plan: (1) to train individuals in the organization and (2) to improve the organization's ability to respond using the plan. For individuals, exercising enables them to practice their roles and gain experience in those roles. For the organization, exercising improves the company's ability to manage incidents and emergencies. In both cases, the benefits are derived not just from the exercise but from evaluating the exercise, recognizing problems, and making recommendations to improve the results.
    Management should be clear that exercises are NOT tests. The intent is not to establish a pass or fail. An exercise should be viewed as the normal work required to refine and to tune business continuity and emergency plans. An exercise has value only when it leads to improvement.
    Exercises should be conducted periodically, at least yearly, or, if business is rapidly changing, at least twice a year.

    How does one present risks in a concise manner to Senior Executives?
    The key is to present risk as a business decision requiring action. You will probably do more harm than good in attempting to frighten a budget out of senior management by pointing to all the dire consequences associated with a particular risk. Instead, using knowledge, experience, published statistics and even some guesswork, provide management with an assessment of the magnitude of the risk and a menu of options for solving the problem. The menu should include the cost and "residual risk" of each mitigation strategy. Residual risk is simply the risk left over once you've implemented your solution.
    It is up to management to determine exactly how much risk the company can afford to accept. It may very well be the case that senior management is comfortable with a $100,000 exposure. The analysis provides value because it reduces the problem to the type of business decision that management is used to making every day. Business is a series of trade-offs, and presenting risk in terms of those trade-offs demystifies decisions and results in a cost-effective set of controls.

    What can we do to get our employees to follow our Business Continuity Plan?
    Keep everything simple. Focus on highlighting the bare essentials. We cannot stress enough that plans need to be simple and easy to follow. How many people actually read the detailed instructions and disclaimers that come with many of the products we buy today? These things are designed to try and cover all known possibilities. Remember, for all intents and purposes, possibilities are endless. We want to focus instead on simple probability. Focus on what is critical to safety, security and continued operations. Use simple policy statements to identify what is important to do and not do. Use simple, easy to follow instructions for procedures. In an emergency or crisis, clarity and speed are most important. Promote involvement. Practice what we preach. Lead by example. Work toward cooperation and agreement wherever and whenever possible. Promote teamwork… 'Together Everyone Accomplishes More'. Promote training. Promote practice and improvement. Success here is more about skill with people than impressing others with how much we know. Leadership and skill with people will not only produce better and more lasting results, it will save time and money.

    In this day and age of instant news (i.e. the Internet and e-mail) how can a company get its message out in the wake of a disaster? What is the best way to combat rumors and speculation?
    Number one, be prepared before it happens. Have you performed drills? Have you practiced enough? Have you done a mock scenario of a worst-case scenario? By far, the best way to deal with a crisis is to be prepared for it. That means deciding who your spokesperson is, whether it be your President, CEO, Senior Vice President of Communications, or whomever. Then you have to prepare that person with lots of practice by firing hard questions at him or her. That's the best way to be ready at any moment's notice. Every company should be prepared for their worst-case scenario, whether that be an explosion, a flood, or in the case of a pharmaceutical company, a recall. The good news is that they're very predictable questions, so it's possible to be prepared with the right answers if and when the worst occurs.

    How do you define crisis and what is the role of crisis communication?
    A crisis is an event, revelation, allegation or set of circumstances that threatens the integrity, reputation, or survival of an individual or organization. It challenges the public's sense of safety, values or appropriateness. The actual or potential damage to the organization is considerable and the organization cannot, on its own, put an immediate end to it.
    Remember, if an allegation has been made from a credible source, or appears in a credible media outlet, it does not have to be true in order to be damaging. A serious allegation must be treated with as much importance as if it were true, because it has the potential to be believed.
    Crisis Communications is the process of managing the strategy, messages, timing and distribution channels necessary to communicate effectively with the media, employees, core constituencies, clients, customers and stakeholders. The focus of the crisis communications function is to facilitate the rapid de-escalation of the crisis through timely and effective communications methods.