Business continuity plan needs the right leader, metrics to succeed

A successful business continuity plan requires business leadership, whose role includes setting the metrics that will drive disaster recovery spending.

Resuming business operations after a significant business interruption or disaster requires a business continuity plan developed by an influential business executive, experts say. This contrasts with the reality at many organizations, where the IT executive who successfully developed the disaster recovery plan and/or the business continuity plan for IT is tapped for the broader initiative.

It is this business leadership, as much as the plan determining how much data an organization can afford to lose and for how long -- known respectively as the recovery point objective (RPO) and recovery time objective (RTO) -- that dictates how well and how fast an organization recovers.

"A lot of people make the mistake that business continuity is an IT function or that this is everybody's responsibility," said Richard Jones, an analyst at Burton Group Inc. who is working on a study of what makes companies succeed or fail at disaster recovery and business continuity.

"The successes have mostly centered around organizational structure and the people put in place to drive the process," said Jones, service director for Midvale, Utah-based Burton's data center strategies group. "Companies where business executives were not intimately involved -- who basically said, 'Let somebody else do it' -- the plan always just kind of fell apart."

John Morency, an analyst at Stamford, Conn.-based Gartner Inc., said that, in theory, the business continuity (BC) person "always needs" to be in the business unit. What often happens is that the program manager charged with the IT business continuity plan is then tagged with the companywide plan. That can work on an emergency basis, but a significant portion of business continuity and recovery falls outside IT and requires a deep understanding of how the business works, Morency said.

"Eventually if the program is going to be sustained, the business continuity person has to report right into the CEO or the board or to a chief risk officer, if the company has one, but not to IT," he said.

Standard RTOs, RPOs for business continuity plans

The most successful efforts at setting RTOs and RPOs also require participation from business leaders, including the board of directors. RTO and RPO requirements vary widely by company and industry. Jones, for example, found manufacturing firms where a data center outage of three days is not a big problem, because the facility can keep manufacturing. After that, the downtime starts to cost the company.

At the other end of the spectrum is financial services, where a single trader being down for one minute can cost a company $1 million to $2 million, Jones learned.

But companies make tradeoffs between RTOs/RPOs and cost. For example, rather than fund a system that would result in zero data loss, one bank Jones talked to has tellers keep their slips of paper; if the data center has an outage, tellers consult an application that tells them their last transaction, then work late to re-enter the paper trail that didn't make it through.

"The cost of doing that for the infrequency with which this happens was less than spending a bundle more money for mirrored data centers that were synchronously replicated to each other so you could have zero downtime," Jones said.

Having a single RPO and RTO is unrealistic for most businesses, unless the CIO is charged with running a continuous organization, because of the high cost, Morency said. While there are no official benchmarks for RPOs and RTOs, Gartner uses a four-tier system (see chart), and many other places offer guidelines (see box).

Morency said most organizations segment data recovery by tiers, with Tier 1 and 2 including those applications and processes that are most critical to revenue generation. Recovery times for these tiers are less than 24 hours; data recovery points are four hours or less. Organizations with these objectives will likely use some form of disk-to-disk replication, as tape recovery is too slow.

Business impact analysis: Financial costs the easy part

Calculating the cost of downtime that underlies RTOs and RPOs starts with a business impact analysis, which includes both hard and soft costs. Hard numbers are easy to get. A CFO can tell the company how much money it makes in a day and how much it will lose by not producing product, or what the run rate for salaries will be per day or what it will cost to replace equipment.

More difficult to tote up are the indirect business impacts, such as the cost of customer dissatisfaction or the variance in cost related to when the outage occurs.

"A lot of it is subjective, but you need to get a first swipe at trying to quantify indirect business impact," Jones said.

The quantitative or even quasi-quantitative analysis is essential in brokering a viable RPO/RTO strategy. A classic error IT departments make is showing up and asking business owners how soon they need to be back up.

"The answer always comes back that 'We have to be continuously or in an hour,'" Morency said.

Business process, application and data recovery tiers

| Recovery tier | Business process focus | Service levels |
| --- | --- | --- |
| Tier 1 | Customer/partner-facing; functions critical to revenue production | 24/7 scheduled; 99.9% availability (<45 min./month); RTO = 2-8 hours; RPO = 0 hours |
| Tier 2 | Less-critical revenue-producing functions; supply chain | 24/6¾ scheduled; 99.5% availability (<3.5 hours/month); RTO = eight to 24 hours; RPO = four hours |
| Tier 3 | Company back-office functions | 18/7 scheduled; 99% availability (<5.5 hours/month); RTO = one to three days; RPO = one day |
| Tier 4 | Departmental functions | 24/6½ scheduled; 98% availability (<13.5 hours/month); RTO = greater than three days; RPO = one day |

Source: Gartner Inc.

Let us know what you think about the story; email Linda Tucci, Senior News Writer.
