Feature

Risk Management - The Burning Issues

From Document Manager Magazine Vol 13 No 01 - Jan/Feb 2005

Risk management is not just about ensuring business continuity in the event of a major catastrophe, but the creation of strategies that underpin and help to formulate best practice across the enterprise. It's an undertaking that calls for enormous commitment, as editor Brian Wall reports.

New financial compliance regulations, increasing employee rights, and the management and protection of information are now core components of every business strategy. The risks are significant - and personal. Ensuring business continuity and disaster recovery is a serious business. It is all about protecting the company's reputation while supporting the needs of employees, shareholders, customers and suppliers.
Dave Haslam, UK marketing director, Hitachi Data Systems, feels the alarm bells that are being constantly sounded about the apparently low level of implementation of proper procedures and systems within UK businesses do not always reflect the true picture. "News that only 50 per cent of the Global 2000 enterprises have fully tested disaster recovery plans does not negate the fact that these companies already have systems in place," he says.
"What this statistic serves to illustrate is that, while the technology exists to mitigate the risk of data loss, and regulatory compliance has influenced the adoption of best practice, what the industry still requires is educating on actually using the knowledge and technology at its fingertips. To not do so is comparable to fitting your home with a sophisticated smoke alarm and sprinkler system and then never testing the battery. The storage industry needs to work to change this attitude."

INTEGRATED STRATEGY
To be effective and successful long term, business continuity-disaster recovery must be part of the very nature of doing business, driven by a senior management figure - "the risk director", as Graeme Howe, event director, Business Continuity Expo and Technology for Compliance, describes the role.
"Undoubtedly, many organisations are investing significant money and resources in risk management," he acknowledges. Yet, he adds, while individual activity may be laudable, "a dispersed, disparate approach to separate business continuity issues will never create the consolidated, consistent business continuity strategy required to be successful in the developing climate of risk awareness. It is time to give risk management a place on the board."
In fairness, risk management is gradually climbing the corporate agenda, but many UK organisations, from blue chips to SMEs, still retain a haphazard, departmental-based approach to business continuity that is not only wasting money, but actually damaging business value.
"Strategies cannot be developed in isolation, if spending is to be aligned with business direction," Howe argues.
"A consolidated approach ensures consistency and, critically, informs the decision-making process when new business opportunities arise. How can an organisation today embark upon any new initiative - from market expansion to promotion - without considering the risk and business implications? And how can an organisation assess these implications without a consolidated cross-functional risk management strategy with board level authorisation?"
These are questions echoed by many key vendors in the marketplace whose role it is to develop and deliver the right solutions - solutions that integrate tightly with a central, co-ordinated business continuity strategy that fully identifies and embraces cross-organisational risk.

GRUDGING ACKNOWLEDGEMENT
Robin Gaddum of IBM says major events such as Y2K and the Twin Towers attacks, along with the proliferation of recent legislation (including the Data Protection Act and Sarbanes-Oxley), have left organisations in no doubt about the need to implement business continuity and disaster recovery plans. "However, businesses still struggle with the justification to make this level of investment. All too often there's a grudging acknowledgment that something should be done because companies have experienced an incident themselves or feel compelled by the new regulations," says Gaddum, UK practice leader for IBM business continuity and recovery services. "It's a kind of bunker mentality.
"What we are providing at IBM is 'Business Resilience', a next-step progression to communicate that initiatives can be handled proactively, rather than simply reactively, and deliver real benefits. Storage is absolutely central to this approach.
"One critical area of focus is Recovery Time Objective (RTO), the time by which systems must be backed up and running to support business processes and keep any damage to an acceptable level. Another big challenge is presented by data growth rates, which now exceed the rate at which tape restore technology is increasing. IBM has recently launched Data on Demand, which ensures there are copies of a company's data at different locations, so they are out of the disaster footprint, but using less bandwidth for lower running costs."

INCREASING PRESSURES
Business continuity and disaster recoverability should certainly be at the top of the agenda on a wider scale, agrees Erik Moller, manager Enterprise Storage, StorageWorks Division EMEA, Hewlett-Packard (International). "At HP, we highlight three areas for improving business continuity and availability for storage, namely: moving from data protection to business protection; data replication and site failover; and highly resilient storage networking architectures."
"Data protection is typically synonymous with backup and restore, but moving to business protection is taking that a step farther. To keep a modern company going, data has to be always available; only being able to restore a backup is no longer a good enough protection. Many companies are also investigating how to implement data replication," Moller adds. "With the recent price reductions in broadband and wide area connections, this is now a valid option for many businesses.
"Regarding highly resilient storage networking architectures, as companies have moved to network storage, it's common that they now have one or more SAN per site. The next move is to connect these SANs together to provide data sharing over long distance and resiliency across sites."

EXPLOSION IN STORAGE NEEDS
Meeting the new data protection and retention imperatives has certainly brought an explosion in storage requirements within any organisation's IT infrastructure. "This, in turn, means there is, within the business, an increased amount of 'critical' data, something that has become the lifeblood of most organisations," says Ian Masters, sales director, Sunbelt System Software.
"Businesses therefore need to set the highest priority around protecting such information, with suitable procedures put in place. New data replication technology means that, whether you are an SME or multi-national corporate customer, you can afford to ensure that data is protected against site disasters and always instantly available.
"A disaster recovery plan is essential to any company's long-term success. Even if it never has to use that plan, the process of putting it together will, by its very nature, increase the security of its assets and improve overall business efficiency. Most of all, the preparation of a disaster recovery plan will clarify what data is important and necessitate an understanding of how the business works, from a decision-making standpoint."

REPUTATIONS AT RISK
According to Dave Gingell, VP Marketing EMEA, EMC Software, EMC Corporation, many organisations are risking both their reputation and their greatest assets by failing to deploy an adequate business continuity plan. "This could ultimately result in the closure of organisations as many struggle to get their business back on track. By deploying a business continuity solution that aligns the value of data, recovery objectives, service level agreements and budgetary constraints, organisations can mitigate the risk of a disaster impacting their business.
"However, to ensure a business continuity strategy exists, it must be part of the company culture, and therefore acknowledged and driven at the executive management level. These most senior managers need to understand the impact that failure to implement tight business continuity processes has on their organisation's ability to recover from a critical occurrence. As such, an appreciation of the knock-on effect on corporate reputation, revenue and agility needs to be educated into senior management."
From EMC Legato's perspective, a further area of consideration when looking at business continuity is the importance of application protection and recovery. "Too often organisations think solely about their information, but ignore the fact that without applications the data is redundant," points out Gingell. "Organisations may be able to restore data in minutes, but might fail to have their applications up and running for days. By failing to back up applications, organisations are exposing themselves to significant operational impacts, such as poor customer service levels and lost revenues. When developing a business continuity strategy, it is vital that applications, as well as information, are protected and recoverable."

CHANGE CONTROL
Meanwhile, research carried out by VERITAS suggests disaster recovery plans are failing to keep pace with IT change. Almost 60% of global companies are applying patches on at least a monthly basis, while just 14% are reviewing their Disaster Recovery (DR) plans with the same frequency. In the UK, 32% of companies questioned only review their plans annually and 28% less frequently than that, if at all.
"The issue of change control is an interesting one," comments Chris Boorman, VP marketing EMEA, VERITAS, "particularly in light of the substantial increase in patches that we've been seeing lately, and spiralling concerns about viruses and accidental or malicious employee behaviour. While patch updates will rarely trigger the need for a change in DR strategy, IT departments should certainly be reviewing their DR plans more frequently than once a year.
"I'm also concerned that nearly a quarter of organisations don't check the effectiveness of their patch installations. If these checks aren't completed, then systems crashes have to be expected. If data protection, back-up and recovery systems aren't in place, organisations will lose valuable data or even stop operating completely in extreme instances. Hopefully, this research will serve as a timely warning to companies that may be unnecessarily exposing themselves to the threat of downtime."
On the flipside however, the research suggests that an active role in DR planning is, in fact, being taken at board level. According to the survey, although DR decision-making still rests most commonly with the departmental IT manager (52%), 21% of EMEA organisations now assign DR responsibility to the board, versus only 11% in 2003. Some 36% now involve CIO/CTO and IT directors, in contrast to just 22% in 2003.
 
