Today companies are constantly faced with pressures from the highly competitive business environment. Responsibilities to customers, shareholders, staff and auditors only increase these demands. In order to survive, companies must balance these pressures and ensure continual, effective operation during normal and unexpected circumstances.
Many senior managers now consider business continuity to be of key strategic importance, according to Nick Smith, sales manager at SafeGuardiT. He believes three key factors are driving this new awareness.
"An increasing proportion of mission-critical and customer-facing business activities are now underpinned by IT, which leads to a growing dependence. There is increased pressure from regulatory bodies for companies that operate in regulated industries (such as financial services) to put in place proven disaster recovery contingency plans."
The media's current fascination with the danger of the loss of IT services through the year 2000 bug is also lowering the profile of other risk factors, believes Smith.
He adds that there are three basic requirements to ensure the continuity of a company's business. "The first is a reliable strategy, which ensures standby facilities are available for staff, data and IT systems. A fully tested survival plan ensuring that any disruptions can be quickly overcome is the second. Lastly, standby facilities such as alternative IT systems, premises and secure backup for data are essential."
Sticking to strategy
Alan Heath, director of Siltek BCP (Shadow Solutions), explains that companies typically attempt five types of so-called disaster recovery strategies. "The first one is to do nothing. Many companies see this as a perfectly acceptable answer. First-line defences are taken to protect the systems from human intervention and appropriate forms of insurance are taken out."
Heath points out that it is unacceptable to rely on this, because it only gives you money and does not keep the business running.
The fortress, where all IT resources are concentrated in one well-defined location, is another option. These usually have full redundancy in their computer hardware, good environmental controls and tight physical security. "While not cheap," says Heath, "this approach offers significant savings over the multi-centre approach."
Another alternative is that two companies with similar computer configurations can agree to provide each other's backup. Each company's essential applications must represent less than a 50% load on either computer. However, this results in surplus capacity on both systems or means that the backup computer can only offer a degraded level of service to both companies.
The fourth option is that a company can choose to have its own backup facilities. Although this is very costly, according to Heath, the risks are very low and it provides "a second computer centre".
The fifth choice is to use a service provider to do the backup for you. This can be divided into three areas - cold, hot or portable.
When implementing cold backup, all environmentals are in place except the computer itself. For an annual fee the customer can, during a disaster, set up his own equipment for a limited time. This is probably the cheapest way of obtaining a second computer centre, but takes a long time to equip. If the hardware was destroyed, says Heath, procurement and installation will cause further delays.
Hot backup refers to a centre that is usually up and running. Backup copies of all required files and programs are kept here for speedy restore. It is the responsibility of the service provider to grow with the customer's needs.
"Portable refers to the delivery of kit to alternative client premises. This is suitable for smaller kit and can be delivered by air or truck," says Heath.
Planning for the worst
Heath recommends that organisations initiate a business resumption plan (BRP), a document that takes a company through each action and procedure when a disaster occurs.
He says that his company uses the Achilles report as a prerequisite when creating a BRP. This report examines a company's IT systems and how they are used. "It identifies the applications that are critical to the operation of the business and determines the maximum time they can remain unavailable without unacceptable financial impact. Based on this, we then recommend actions to minimise the risk of losing these critical applications, and a strategy to ensure they can be reinstated within the critical time."
Commenting on the benefits of a BRP, Heath says: "Any competently produced BRP provides clearly defined procedures and task allocations for transfer of critical operations to an alternative site when a disaster occurs, and for eventual return to normal function.
"There is no longer the risk of making critical decisions under stressful conditions. Senior management does not have to be present to authorise critical actions. It also provides the means of containing the financial and other effects of a disaster within predefined limits."
Always on standby
As a disaster can occur at any time, without warning, a company's disaster recovery strategy must be constantly ready for action.
SafeGuardiT's Smith highlights the standby computer facilities provided by his company. "All our facilities are used exclusively for the purpose of disaster recovery and for the regular rehearsal by customers of their disaster recovery plans and procedures."
Customers can notify Guardian via a 24-hour response line when they have suffered a disaster and wish to invoke the service. Standby services can be provided across a broad range of platforms including Bull, Data General, Hewlett-Packard, IBM, ICL, MDIS, Oce, Prime, Siemens Pyramid, Sequent, Silicon Graphics, Sun Microsystems, Tandem, Xerox and PC LAN. These services are delivered through a range of static, relocatable and mobile options, notes Smith.
Staying ahead
Smith believes the way companies approach disaster recovery will change because of their increased dependence on systems. "Companies don't use paper for backup anymore, they do it electronically."
The mix of various systems in one company is also playing a role. "Very often, there is more than one type of machine and technology, and it becomes easier and cheaper to outsource the service," he says.
Heath also believes the marketplace is finally sitting up and taking note of disaster recovery. "Events like the Pretoria Munitoria fire make people realise how important it is. Managers are realising they are liable for the consequences of a disaster."
Being prepared for disaster: 10 questions to ask yourself
Have you assessed the effect of an interruption of operations on your business?
Have you accurately identified the critical areas of your business?
Do you have a contingency plan drawn up and audited by a business contingency consultant?
Are you confident of its viability?
Is the plan frequently tested?
Was it tested under simulated conditions?
Does your plan guarantee full recovery within a timeframe agreed to be acceptable to the business whatever the cause of failure?
Have you done everything that makes sense financially to reduce the risk of a disaster?
Have you visited your recovery centre or nominated site?
Are the relevant staff aware of the procedures to be followed in a disaster scenario?
(Source: Guardian)