Organisations that fail to prepare are preparing to fail, says Kyle Davies, Practice Lead - Integrated Technology Architecture at CDW.
No-one can predict the future, but we can do our best to prepare for potentially disruptive events.
That, effectively, is the art of business continuity and disaster recovery planning – putting in place a set of solutions to deal with a broad range of circumstances that could have a significant impact on day-to-day operations.
This is vital in the digital era, where most organisations are reliant on information technology. If those systems are compromised, there can be severe repercussions such as downtime, customer dissatisfaction, lost revenue and reputational damage.
Yet despite its importance, organisations often make some fundamental mistakes when it comes to business continuity and disaster recovery planning. Here, we outline six of the most common failures that can significantly impact performance.
1. Lumping Business Continuity and Disaster Recovery in Together
In reality, business continuity and disaster recovery are separate issues – even though they are linked. Business continuity is about forward planning and keeping things up and running during a disruptive event; it is the process of getting the business back to full functionality after a crisis and implementing the steps needed in the interim to maintain operational capability. Disaster recovery, on the other hand, is about having a response to a particular incident once it has happened, then moving forward to a swift recovery. This could, for example, be responding to a natural disaster such as a flood, which results in a data loss. While business continuity and disaster recovery are related, they often get viewed as one and the same, when actually they require a separate set of considerations, skills and solutions.
Disaster recovery for IT from a bird’s eye view is about the underlying infrastructure, backup and offsite replication, and the IT service recovery processes. Business continuity is aimed at the validation and testing, risk management, policies and strategies that enable the business to continue to function.
When dealing with a disaster and/or invoking business continuity, it is critical to identify stakeholders and the relevant communication plans. Ensuring this is in place allows for efficient decision-making. Communication during an issue often gets overlooked – who is actually responsible for being the “single voice” internally, to customers, to partners, etc.? It is important to know that ahead of time and ensure that everyone else does too. Note that multiple communication methods should be used, as there is no point sending emails if your email platform is down or remote access is not permitted.
Another key decision when planning for business continuity and disaster recovery is knowing where to stop. A day of downtime when everyone else is having a day of downtime may not be a problem. Understanding real and reputational impact points is key, as ‘£X’ of revenue loss per day does not necessarily equal ‘£X’ of loss, depending on the industry. The percentage probability of a risk, multiplied by the actual loss if it were to happen, equals the amount of potential spend that could be used to protect against the scenario.
2. It’s Easy to Under-Estimate Reliance on Digital Services
Organisations change considerably over time, often resulting in the adoption of a more significant number of software-driven services both internally and to end-users. This creates an increasing reliance on digital infrastructure – whether that be computers, phones, networks, on-premise or cloud data provision or security bundles. However, business continuity and disaster recovery planning often fail to keep up with the pace of change, and that can result in some unwelcome surprises when things go wrong. It is therefore important to continually review planning in response to the ever-changing nature of business needs.
During a time of business continuity, it is common to see organisations overlook and ignore the shadow IT services that users may implement to deliver their day-to-day tasks. While this provides short-term gains, it becomes a challenge to gain control or overlay governance once businesses fall back into a business-as-usual state.
Most businesses can survive far longer without systems than they think they can. These conversations, held as scenario-based debates, should be used to formulate an effective plan.
3. Information Silos Lead to Inefficient Response
Who is responsible for overseeing business continuity and disaster recovery planning? That depends on the size of the organisation. Commonly, though, it is the Chief Information Officer or Chief Technology Officer, with implementation driven by the Head of Operations. However, siloed thinking is the enemy of practical application, with business continuity and disaster recovery efforts often hampered by poor communication and a lack of joined-up thinking. An effective response to unexpected events requires uniformity of action across all departments.
This is where IT can make the mistake of making assumptions around business requirements; for example, the percentage of users needing access to an application or service, or the percentage of users that need to be able to work remotely to allow the continuity of customer-facing services.
4. Failure to Perform Adequate Testing Makes Planning Redundant
There’s no point planning for business continuity and disaster recovery if you are not sure that those plans actually work. That’s why testing is crucial, yet it often gets overlooked as the responsibilities of day-to-day operations take priority. There’s no getting away from it: testing takes time and effort and it can be intrusive to the business, but it is crucial to success. Ultimately, ensuring a robust and rigorous testing programme requires top-down buy-in from the board of directors, and it needs strong hands-on leadership to see it through.
If you have not tested it then it is a theory, not a solution.
5. The Power of Partnership Provides the Best Means to Deliver Success
No organisation can plan for business continuity and disaster recovery in isolation. It requires the power of partnership with a specialist provider that can offer an agnostic view of all the solutions on the market. These days, such a solution might involve a mix of techniques such as replication, remote access solutions, clustering, mirroring, virtualisation, failover sites, and co-location and hosting centres. Organisations must work in tandem with a trusted advisor to make the most of the broad range of technologies on offer. Technology is only the enabler in this situation, and understanding processes and business requirements is critical.
6. Monitoring is Your Friend
Outages usually aren’t fires, floods or pandemics, but instead are multiple small issues cascading. Complexity is hard and monitoring is your friend; ignoring alerts simply because they’re not currently causing any issues can be your downfall. Whatever you need to monitor or respond to an issue shouldn’t be part of a potential failure mode or fault domain of the system you’re protecting. External monitoring, out-of-band (OOB) access, separate authentication, etc. are all crucial when something has totalled both of your “independent” datacentres.
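One way to check that monitoring and response tooling sits outside the protected system's fault domain, as an added example that is not part of the original article. The dependency inventory and every component name in it are constructed assumptions; the check walks dependencies transitively, so a tool that merely authenticates against something hosted in the same datacentre is still flagged.

```python
from collections import deque

# Constructed inventory (assumption, not from the article): each component
# maps to the things it directly depends on. All names are hypothetical.
DEPENDS_ON = {
    "customer-portal": ["dc-a", "dc-b", "corp-sso", "corp-dns"],
    "dc-a": ["wan-provider-1"],
    "dc-b": ["wan-provider-1"],
    "corp-sso": ["dc-a"],
    "corp-dns": ["dc-a", "dc-b"],
    "internal-monitoring": ["dc-b", "corp-sso"],
    "external-probe": ["saas-monitor"],
    "oob-console": ["lte-modem", "local-break-glass-accounts"],
    "status-page": ["saas-status", "corp-dns"],
}


def fault_domain(component, depends_on=DEPENDS_ON):
    """Return the component plus everything it transitively depends on."""
    seen, queue = {component}, deque([component])
    while queue:
        for dep in depends_on.get(queue.popleft(), []):
            if dep not in seen:  # the seen set also guards against cycles
                seen.add(dep)
                queue.append(dep)
    return seen


def shared_failure_points(protected, tools, depends_on=DEPENDS_ON):
    """Map each monitoring/response tool to the components it shares
    with the protected system. An empty list means it is independent."""
    protected_domain = fault_domain(protected, depends_on)
    return {
        tool: sorted(fault_domain(tool, depends_on) & protected_domain)
        for tool in tools
    }


if __name__ == "__main__":
    tools = ["internal-monitoring", "external-probe", "oob-console", "status-page"]
    for tool, shared in shared_failure_points("customer-portal", tools).items():
        verdict = "independent" if not shared else "shares " + ", ".join(shared)
        print(f"{tool:20} {verdict}")
```

In this constructed inventory both "independent" datacentres share one WAN provider, so any tool hosted in either of them fails together with the service it watches.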
Thank you for reading this blog. As a final comment, please look into building BCDR into every change, every release, and every plan. It’s not a once-a-year review of the folder that you occasionally dust off and run through.
Kyle Davies, Practice Lead - Integrated Technology Architecture at CDW.