Building Better Business Continuity

Photo: Raffi Alexander

Frank J. Gillman, Chief Technology Officer at Allen, Matkins, Leck, Gamble, Mallory & Natsis

Say the words "disaster recovery" to the average IT executive and be prepared for immediate assurances that the business can ultimately restore operations in the event of a catastrophe. Horrific events such as Hurricane Katrina and the Sept. 11th attacks have rightly focused attention on how companies can recover from a serious loss of service or materials. Larger businesses have documented and planned how to resume operations on a limited basis, and equipped key staff members with the necessary codes and authorizations needed to recover data. Smaller companies have increased their investments in backup technology and off-site data storage services to provide an extra measure of insurance.

Yet, in reality, most disaster recovery plans ignore the more likely scenarios that can significantly disrupt business operations. A faulty sprinkler in the server room, a toxic spill in the building that forces evacuation or employee sabotage of critical data can mirror the impact of a Katrina-scale calamity. Your organization's plans should focus as much, if not more, on dealing with these more routine events. Rather than limit yourself to thoughts of recovery from a natural disaster, take a broader look at the issue by defining your company's overall goals for business continuity. Here are a few tips to get you started:

Define Your Scope. How long can your organization function, both structurally and financially, during a significant loss of service? Companies with large cash-reserves or previously distributed goods can withstand longer downtimes. Professional service companies that operate a cash-based business will see an immediate impact on their profits as each hour goes by. Your business continuity investments and options should be proportionally higher if you have a very short window of risk tolerance.

Testing 1-2-3. The best-laid plans can fail if they're not tested on a regular basis. Organizations should test their business continuity plans every six months to ensure that the process is working as desired.

Create Communication Contingencies. How will workers be informed of the company's status during an emergency? If your systems are off-line, options such as internal voicemail broadcasts, e-mail or Web page alerts may be unavailable.

Back Up Your Backups. Relying on one outside service to protect your business simply moves the single point of vulnerability from inside to outside your organization. It's important to have a multitiered approach to protecting your data. Hire at least two independent companies — one at least 100 miles from your primary place of business — to house your data. If you store tapes off-site, make sure that you consider tape encryption to fully protect key company information.

Consider Continuous Backup. Advances in storage technology are making it possible to collect complete sets of company data. Yet, in today's 24/7 global economy, it's getting harder to find maintenance windows for data backup. Several companies now offer continuous backup systems that, after an initial data population, only back up data that has changed, and does it in real time. This process ensures that the data set is always current and virtually eliminates maintenance windows for backups.

Developing an effective business continuity plan requires the active participation of multiple executives and department heads, a difficult task to be sure, but critical to defining your organization's goals. Whatever solution or solutions you ultimately implement, the plan must meet those metrics, or it will certainly fail when a crisis occurs. That's the worst time to find out that better planning and proper testing would have ensured the plan's success.