1. What exactly should a company have as part of their DR/BC plan?
Business Continuity is the activity performed by an organization to ensure that critical business functions will be available to customers, suppliers, regulators, and other entities that must have access to those functions. The foundation of Business Continuity is the standards, program development, and supporting policies, guidelines, and procedures needed to ensure that a firm can continue without stoppage, irrespective of adverse circumstances or events. This differs from Disaster Recovery (DR), which is a small subset of Business Continuity.

As a part of the DR/BC plan, a company needs to have a secondary site which is typically housed in an external Data Centre. There are three types of DR scenarios possible and each of them comes at a certain cost. These are mainly classified as hot, warm and cold sites.

  • Hot Site – A hot site is a duplicate of the original site of the organization, with full computer systems as well as near-complete backups of user data. Real-time synchronization between the two sites may be used to completely mirror the data environment of the original site using wide area network links and specialized software. Following a disruption to the original site, the hot site exists so that the organization can relocate with minimal losses to normal operations. Ideally, a hot site will be up and running within a matter of hours or even less. Personnel may still have to be moved to the hot site, so it is possible that the hot site may be operational from a data processing perspective before staff have relocated. The capacity of the hot site may or may not match the capacity of the original site, depending on the organization's requirements. This type of backup site is the most expensive to operate. Hot sites are popular with organizations that operate real-time processes running 24/7, such as financial institutions, government agencies and e-commerce providers. For example, a bank typically has a hot site where data and information have to be replicated in real time.
  • Cold Site – A cold site is the most inexpensive type of backup site for an organization to operate. It does not include backed up copies of data and information from the original location of the organization, nor does it include hardware already set up. The lack of hardware contributes to the minimal startup costs of the cold site, but requires additional time following the disaster to have the operation running at a capacity close to that prior to the disaster.
  • Warm Site – A warm site is, quite logically, a compromise between hot and cold. These sites will have hardware and connectivity already established, though on a smaller scale than the original production site or even a hot site. Warm sites will have backups on hand, but they may not be complete and may be between several days and a week old. An example would be backup tapes sent to the warm site by courier.

Choosing the type of DR site depends on an organisation’s cost vs. benefit strategy. Hot sites are traditionally more expensive than cold sites since much of the equipment the company needs has already been purchased and thus the operational costs are higher. However, if the same organisation loses a substantial amount of revenue for each day it is inactive, then it may be worth the cost. Another advantage of a hot site is that it can be used for operations prior to a disaster happening. Organisations define the importance of data based on the criticality of the application, and this is determined by the Business Impact Analysis (BIA). The BIA results in the differentiation between critical (urgent) and non-critical (non-urgent) organization functions/activities. A function may be considered critical if the implications to stakeholders of the damage to the organization are regarded as unacceptable. Perceptions of the acceptability of disruption may be modified by the cost of establishing and maintaining appropriate business or technical recovery solutions.

Applications that are mission critical to the business typically require a hot site, while applications that are not so critical only need a warm or cold site.

2. Is having a disaster recovery/business continuity plan essential in today’s business environment?
At eHDF we see DR/BC as top priorities for organisations in this particular region. IT managers and CIOs allocate separate budgets due to the increasing pressure to maintain smooth business functioning for an enterprise. There are different types of incidents that may qualify as disasters and that may strike at different magnitudes. Subject to region-specific threats, preparation for disasters needs to be carried out accordingly. It is essential to plan for the potential likelihood of a disaster situation.

Understanding how to tie together diverse IT components to guarantee uninterrupted operations is crucial to a sound technology management operational plan. While time consuming, these are critical processes to ensure an organization’s ability to recover from unplanned events with minimal or no disruption of services and operations.

3. How does a company begin to look for and implement a DR/BC plan?
The initial step is a Risk Analysis, which involves analyzing the current environment to determine what threats may exist that could cause a disaster. These could relate to physical location, access security, corporate policy and practices, etc.

The next step is a Business Impact Analysis (BIA), in which a business must ask who, what, where, why, how and when in relation to the business’s contingency planning. The BIA helps in understanding and prioritizing the risks that you need to mitigate.

There are two essential factors to be considered while calculating downtime, which are RPO (recovery point objective) and RTO (recovery time objective).

  • Recovery Point Objective (RPO) - the acceptable latency of data that will be recovered
  • Recovery Time Objective (RTO) - the acceptable amount of time to restore the function

The Recovery Point Objective must ensure that the Maximum Tolerable Data Loss for each activity is not exceeded. The Recovery Time Objective must ensure that the Maximum Tolerable Period of Disruption (MTPD) for each activity is not exceeded.

As a part of the BIA, RTO and RPO values are assigned for each critical function.

After the Risk Assessment and BIA, the organization can begin designing a disaster recovery solution that matches the business requirements.

4. Is it better to have back-up on site or as a third party service?
Third party back-up sites are growing in popularity as they offer several benefits:

  • Reduced Downtime – A DR site minimizes downtime and keeps business up and running in the event of a disaster.
  • Reduced Risks – Managing a company’s IT infrastructure in-house costs more and carries greater risk than using a third party service provider.
  • Core Business Focus – With third party services, staff can focus on strategic activities rather than non-core activities of the business.
  • Quality of Service – Guaranteed SLAs from a service provider ensure quality of service.
  • 24x7 Operations – Round-the-clock managed operations and support from a service provider ensure near-zero downtime.

5. At what stage of growth should a company look at implementing a DR/BC plan?
A business should implement a DR/BC plan at the point at which IT calculates that the threats to the business, the likelihood of them happening, and the ultimate impact outweigh the potential investment. In the planning process the following questions should be asked:

  • How would a prolonged loss of data, outage or service interruption affect my business?
  • What business processes and data are most critical to the existence of my company?
  • What is the financial impact to my business due to a short-term or long-term outage?
  • How much data is my company willing and prepared to lose?
  • What is the optimal balance in terms of time vs. cost?

6. Can you outline five essential steps to creating a comprehensive DR/BC plan?
1. Risk Assessment
2. Business Impact Analysis (RTO – RPO inputs)
3. DR and BC Planning
4. DR Solution Design and Architecture
5. Testing of Plans