
Averting Disaster: Moving Toward Business Continuity Management

by Philip Jan Rothstein, FBCI

As appears in HP WORLD Magazine, October 2002

One could speculate that, ten years from now, people will look back at 2002 as the year when business continuity/disaster recovery shifted from "nice to have, if you can afford it," to "we couldn’t do business without it!"

One could only wish that it did not take the tragedies of September 11th to make it so.

       When the circumstances are so unreasonable that the core premises of the disaster recovery plan are shattered – disaster recovery planners and other key personnel lost, bridges closed between destroyed primary sites and inaccessible recovery sites, telephone and cell service gone, nothing left but dust and rubble – is that not what disaster recovery is all about?

The Good Old Days
As an industry as well as an organizational endeavor, disaster recovery has had a tumultuous – and at times, frustrating – history. From its 1970s roots focused on EDP mainframes, to the beginnings of holistic, enterprise-wide, business continuity management in the late 1990s, too many have given short shrift to what really counts: the ability to keep business moving – while protecting people and preserving assets – regardless of circumstances, no matter how outrageous.

       That focus on keeping business moving has been steadily shifting, from such obvious (if not daunting) tasks as effectively backing up data, recovering data centers and rerouting telecommunications, to continuous availability of entire business processes – with the technology infrastructure taking a critical, but no longer exclusive, role. "It’s no good having systems without people," observes John Sharp, Chief Executive Officer of The Business Continuity Institute (www.theBCI.org), one of the two major professional certification bodies. "Since 9/11, protecting those people from harm has become more important than preserving their ability to do their job."

       "What used to be a standard 72-hour Recovery-Time Objective (RTO) is now typically 24 hours, even outside of financial institutions," according to Belinda Wilson, H-P’s Global Business Continuity Solutions Manager. "Now, we’re seeing that RTOs may even become a thing of the past for many: no downtime, planned or unplanned, is acceptable – just as getting a message from a web site, ‘sorry, check back later’ is no longer acceptable." This trend toward continuous availability is being further reinforced by growing legal and regulatory mandates, not to mention changes in the insurance industry post-9/11, observes Wilson.

       However, when it comes to RTOs, "There’s still a gap between what people are saying and what they are purchasing for disaster recovery," asserts Hewlett-Packard’s Worldwide Marketing Manager for Business Continuity and Recovery Services, George Ferguson. "Traditionally, there’s been on the order of a ten-fold price differential between hot-site recovery and high-end, distributed clustering. Today, we have the capability to provide moderately-priced, twelve-hour recovery, but the market is crying out for something between disk mirroring – near-immediate recovery – and hot site recovery, yet at a cost significantly closer to a hot site. H-P offerings today are starting to bridge that gap."

Technology: The Problem or the Solution?
As Walt Kelly once said in the Pogo comic strip, "We are confronted with insurmountable opportunities." When it comes to the technology of disaster recovery, Kelly could not have been more prescient.

       Key components of any IT disaster recovery program include data backup and recoverability. Since early mainframe days, backup capacities, bandwidth, processing windows and restoration/recovery windows have barely kept up with explosive growth in the volumes of mission-critical data. Moreover, such seemingly promising technologies as electronic vaulting perpetually have seemed to be one step behind business and technical requirements.

       At long last, these technologies are starting to bear fruit. Electronic vaulting has at long last surpassed a threshold where price/performance, ease of use, capacity and throughput actually are realistic in enterprises of any size – from small businesses to multinational enterprises. Operational and disaster recovery tools and technologies like RAID and televaulting are bubbling down from the most sensitive applications, reaching practicality even at the desktop level.

       Scalability of disaster recovery technology and tools is key to Hewlett-Packard’s broad suite of technology offerings, all based on common core technologies such as MC/ServiceGuard. "For example, high-availability technology on HP/UX platforms supports single-site/single-failover up to ContinentalCluster. We have customers in the New York area failing over to Europe."

What We Have Here May Be a Failure to Telecommunicate
BCI’s Sharp has noticed "... a growing effort to identify critical telecommunications dependencies and to build network resilience. Most companies are at least as dependent on telecom as on IT, yet, until recently, telecom has not been given nearly as much attention." As telecom providers have come under increasing financial scrutiny and pressure, Sharp warns, "far more attention is needed in this area. Diverse routing and multiple levels of alternate suppliers are becoming the norm and are no longer a luxury."

       Ferguson sees dropping telecom costs as "... an opportunity, making disk mirroring much more viable. At the same time, links into multiple POPs [Telecom carriers’ Points Of Presence] can make remote-site mirroring more robust" as well as improving inherent network reliability. Ferguson envisions, "The evolving price dynamics of telecom vendors will drive new technology solutions for business continuity over the next couple of years."

Coming Together – Or Moving Apart?
Through most of the 1990s, centralization of IT resources was quite fashionable. Post-9/11, the pendulum has been accelerating in the opposite direction: the impregnable mega-datacenter has fallen out of favor from a disaster recovery perspective, in favor of geographically dispersed, mirrored or fallback data centers. The all-your-eggs-in-one-sturdy-basket approach has been supplanted by single-point failure-mode analysis.

       Aided by increased affordability and capacity of telecom bandwidth, redundant or cross-backup data centers spanning continents are becoming the de facto standard for multinationals. What has changed most in this regard is that disaster recoverability is increasingly being factored into the pre-implementation benefit equations ahead of cost. Until recently, this has been the norm only for financial institutions.

       Even smaller businesses are seeing the virtues of redundant computing platforms and locations. Where multi-day, often off-site recovery had been the disaster recovery norm until recently, e-commerce, the web, and globalization have forced virtually every size and type of business to rethink 24x7x365 and five-nines availability. At the same time, off-the-shelf tools and outsourcing providers are making it more practical for systems architectures, technology infrastructures and operational processes to be implemented for hot failover in businesses as small as a handful of employees. The market opportunities for these smaller businesses in implementing robust, fault-tolerant operations – not just for disaster recoverability, but as a strategic marketing advantage – are often substantial. In fact, many businesses are, for the first time, seeing relatively rapid payback from these infrastructure investments.

       It is no coincidence that Hewlett-Packard’s strategic positioning of Business Continuity Management has been evolving in anticipation of these industry trends, offering powerful, integrated, yet flexible strategies and options. "Customers don’t want to look at the pieces – they want an integrated solution for business continuity," notes Wilson. "H-P looks at business continuity across the entire value chain as a cohesive, integrated solution, not just as piecemeal IT disaster recovery." At the same time, H-P is strengthening business continuity offerings by integrating complementary offerings from Compaq.

Breaking The (Supply) Chain
While offering robust operational and recovery capabilities, increased dependence on outsourcing and xSPs has also complicated disaster recovery. According to the joint spring 2002 survey by the UK-based Chartered Management Institute and The Business Continuity Institute, 68% of the UK companies surveyed outsource mission-critical processes, resulting in more of a multidirectional supply network than a chain. "With traditional supply chain management, you would track threats and vulnerabilities backward through your supply chain," observes BCI’s Sharp. What is disturbing to Sharp: "only 9% of those surveyed had insisted on disaster recovery as part of these key contracts, whether in their initial contract or in service level agreements." Sharp foresees much more focus on this aspect of disaster recovery.

       The customer side of this issue is becoming just as important, according to Sharp. In that same survey, respondents were asked, "what is driving business continuity and disaster recovery in your organization?" Far and away the most significant response was customers and potential customers. More than ever, disaster recovery is being viewed as a marketing tool, which Sharp believes is a healthy shift.

Common Standards
As an industry and a professional practice, disaster recovery has historically been disjointed – the inconsistency in usage of the terms business continuity and disaster recovery is a perfect example. Traditionally, "disaster recovery" has referred to the rebuilding and restoration of IT and telecommunications; "business continuity" to recovery of non-technology business operations. More recently, "business continuity management" is coming into use as the overarching term. This discontinuity is being addressed by The Business Continuity Institute and other professional organizations.

       Posits BCI’s Sharp, "each major customer demands ‘disaster recovery’ based on a different set of standards and measurement criteria. Supporting those inconsistent standards introduces unacceptable risks and unrealizable expectations. Auditability and accountability suffer from these inconsistencies, seriously weakening the disaster recovery program."

Lies, Damn Lies, and...
One of the curious aspects of the disaster recovery industry has long been the wealth of unsubstantiated statistics combined with a scarcity of meaningful case studies. Many enterprises have attempted to use statistics and case studies to justify disaster recovery investment. It seems that those who could provide the most meaningful statistics – who have experienced significant disruptions – are often the last to share their experiences, especially when those statistics may be, to say the least, embarrassing, if not an outright invitation to litigation. Of course, the ones who have learned the most – by their failure to recover – probably are no longer employed, and therefore hardest to locate.

       This situation has begun to improve. Organizations like BCI have been steadily building databases and documenting case studies; at the same time, dependence on statistics for disaster recovery justification is fading. For today’s enterprise, it is less a question of whether an event will occur than of what will happen when it does occur.

       The tragedy of 9/11 has contributed to the diminished importance of event probabilities in business continuity – who really cares any more if the probability of a profound disruption is 0.001% or 0.0001%? A shift to impact-based instead of probability-based impact assessment and planning has been accelerating. As a result, the impact assessment phase of disaster recovery has become less complex in some ways.

       Ferguson agrees, but adds, "Primarily large and financial companies are justifying increases in business continuity spending from impact-based assessments, but smaller and non-financial companies are just starting to move in this direction."

What’s Out There?
The disaster recovery industry has changed dramatically over the past decade, and more is in store. Substantial, continuing consolidation of key industry providers in the recovery site and software arena has reduced choices for some. Hewlett-Packard has continually offered consistent quality and service offerings in Business Recovery Services through most of this period, building respect among a disaster recovery community who have seen so many other providers come and go – just look at the spate of offerings over the past year touting companies claiming to have "invented" business continuity and disaster recovery!

       H-P’s Ferguson sees H-P "... emerging as a very strong #3 vendor in this industry – with the enormous industry consolidation going on in North America and Europe. With the Compaq merger, business continuity within H-P has just doubled in size. While H-P has brought in a good set of recovery centers worldwide plus great strengths in consulting, pre-merger Compaq has been a strong force in disaster recovery for very high-end servers. At the low end, Compaq’s Recover-All offering for insurance and asset replacement (originally from DEC) is very attractive."

       According to Ferguson, "most people would be quite surprised how substantial H-P’s business continuity offerings are. H-P (including pre-merger Compaq) have handled over 5,000 disaster declarations since 1984. We have a presence in 36 countries, with over 12,000 customers worldwide."

       Ferguson reflects that, "For the most part, H-P’s business continuity focus in the past had been on our own platforms. Certainly with the Compaq merger, we’ve had a much larger set of platforms to offer. But we have long understood that customers have a wide range of platforms, and so H-P has been making major, strategic investments in multi-platform recovery environments such as Sun, IBM, and Dell."

       Since 9/11 it seems everyone and their brother is selling something to do with disaster recovery – a development which actually seems to be working in favor of Hewlett-Packard and other established players. After all, disaster recovery means a lot of different things to many different audiences and these new, unproven players, if nothing else, are helping to build awareness. After years of moderate industry growth, the dramatic increases since 9/11 have strained some of those professional and service organizations at the core of the industry who were not prepared. In the end, customers are going to look to established providers like Hewlett-Packard who can consistently deliver the goods and services – not just in anticipation of calamities, but especially when it all hits the fan.

       The choice of in-house vs. outsourced recovery sites and other services remains as complex as ever. Despite industry consolidation, the depth of offerings – and vendors’ ability to tailor and support them – has grown vastly richer. The level of hand-holding and customization has never been so great.

       The recovery vendor’s role in the past was typically to provide the computer room and equipment, and secondarily to provide the telecom and support structure to make it work. In contrast, today’s effective recovery vendor is as likely to be in a position to build proactive, complex, fault-tolerant, multi-location networks and integrated vaulting solutions, whether on a shared subscription basis or custom-tailored to an individual client. "There’s a greater focus since 9/11 on ‘assured recovery’ – some people are concerned with the shared recovery site subscription models commonly offered by Sungard, IBM and H-P, and are looking at dedicated recovery facilities and other options," says Ferguson.

       According to Ferguson, "increasingly, companies who choose to handle IT continuity requirements internally also have a greater appreciation for building continuity into building design, renovation, and construction, as well as ensuring that successive generations of computing platforms can be well-housed in a manner to assure availability." H-P and other providers are well-positioned to fill the need for robust infrastructure.

       Professional services in the disaster recovery field have evolved as well, for a number of reasons. Until recently, the field has appeared to be dominated by big players like the major accounting and consulting practices, along with the consulting divisions of the recovery site and software providers. Yet, in terms of total consultants and practitioners, individuals and small practices or sole practitioners have been handling a sizeable percentage of the contracted work. Like their larger competitors, many of these practitioners either handle disaster recovery projects as dedicated practices, or offer services which fall on the borderline between disaster recovery and other, related disciplines. As a result, it has been difficult to pin down industry data.

       Increasingly, professional certification has become essential to the disaster recovery practitioner, and has helped to gauge professional service providers. Considering, of course, that certification does not necessarily guarantee capability for specific projects (after all, there are many subdisciplines within business continuity and disaster recovery), it is nevertheless becoming accepted as a minimum appropriate level for disaster recovery practitioners. The two leading certification organizations, Disaster Recovery Institute International (www.dr.org) and The Business Continuity Institute (www.theBCI.org) are growing rapidly in membership and recognition. These two organizations have jointly developed ten Core Units of Competence for business continuity.

       Along with growth in vendor offerings and certification, the disaster recovery industry has finally started building a broad base of published resources. The Rothstein Catalog On Disaster Recovery (www.DisasterRecoveryBooks.com) has become the industry’s principal publisher and source for books and software.

What’s Next?
Through the 1990s, business continuity had grown up a lot since its 1970s beginnings – all the way to adolescence. Like that gangly adolescent, business continuity is rapidly approaching maturity. The confluence of such trends as 24x7 e-commerce, vendor maturity, professional practices, plummeting network and storage costs, and growing technological sophistication is now stirring up the pot, and, over the next couple of years, that adolescent should finally reach adulthood.

Philip Jan Rothstein, FBCI is President of Rothstein Associates Inc., a management consultancy and publisher (The Rothstein Catalog On Disaster Recovery) focused on business continuity, disaster recovery, and service level management (Brookfield, CT). He was elected a Fellow by the Business Continuity Institute in 1994 in recognition of his contributions to the industry. He has written or edited over 40 books and 250 articles. pjr@rothstein.com.

Copyright (c)2003, Rothstein Associates Inc. All Rights Reserved.
