Business continuity plan needs the right leader, metrics to succeed

By Linda Tucci, Senior News Writer
16 Jun 2009 | SearchCIO.com


Resuming business operations after a significant business interruption or disaster requires a business continuity plan developed by an influential business executive, experts say. This contrasts with the reality at many organizations, where the IT executive who successfully developed the disaster recovery plan and/or the business continuity plan for IT is tapped for the broader initiative.

It is this business leadership, as much as the plan determining how much data an organization can afford to lose and for how long -- known respectively as the recovery point objective (RPO) and recovery time objective (RTO) -- that dictates how well and how fast an organization recovers.

"A lot of people make the mistake that business continuity is an IT function or that this is everybody's responsibility," said Richard Jones, an analyst at Burton Group Inc. who is working on a study of what makes companies succeed or fail at disaster recovery and business continuity.

"The successes have mostly centered around organizational structure and the people put in place to drive the process," said Jones, service director for Midvale, Utah-based Burton's data center strategies group. "Companies where business executives were not intimately involved -- who basically said, 'Let somebody else do it' -- the plan always just kind of fell apart."

John Morency, an analyst at Stamford, Conn.-based Gartner Inc., said that, in theory, the business continuity (BC) person "always needs" to be in the business unit. What often happens is that the program manager charged with the IT business continuity plan is then tagged with the companywide plan. That can work on an emergency basis, but a significant portion of business continuity and recovery falls outside IT and requires a deep understanding of how the business works, Morency said.

"Eventually if the program is going to be sustained, the business continuity person has to report right into the CEO or the board or to a chief risk officer, if the company has one, but not to IT," he said.

Standard RTOs, RPOs for business continuity plans

The most successful efforts at setting RTOs and RPOs also require participation from business leaders, including the board of directors. RTO and RPO requirements vary widely by company and industry. Jones, for example, found manufacturing firms where a data center outage of three days is not a big problem, because the facility can keep manufacturing. After that, the downtime starts to cost the company.

Other resources for business continuity planning
A number of online resources offer guidelines and training for business continuity:

  • The U.K.-based Business Continuity Institute
  • The U.S.-based DRI International
  • Business Continuity Planning Methodology by Akhtar and Afsar Syed

At the other end of the spectrum is financial services, where a single trader being down for one minute can cost a company $1 million to $2 million, Jones learned.

But companies make tradeoffs between RTOs/RPOs and cost. For example, rather than fund a system that would result in zero data loss, one bank Jones talked to has tellers keep their slips of paper; if the data center has an outage, tellers consult an application that tells them their last transaction, then work late to re-enter the paper trail that didn't make it through.

"The cost of doing that for the infrequency with which this happens was less than spending a bundle more money for mirrored data centers that were synchronously replicated to each other so you could have zero downtime," Jones said.

Having a single RPO and RTO is unrealistic for most businesses, unless the CIO is charged with running a continuous organization, because of the high cost, Morency said. While there are no official benchmarks for RPOs and RTOs, Gartner uses a four-tier system (see chart), and many other places offer guidelines (see box).

Morency said most organizations segment data recovery by tiers, with Tier 1 and 2 including those applications and processes that are most critical to revenue generation. Recovery times for these tiers are at less than 24 hours; data recovery points are four hours or less. Organizations with these objectives will likely use some form of disk-to-disk replication, as tape recovery is too slow.

Business impact analysis: Financial costs the easy part

Calculating the cost of downtime that underlies RTOs and RPOs starts with a business impact analysis, which includes both hard and soft costs. Hard numbers are easy to get. A CFO can tell the company how much money it makes in a day and how much it will lose by not producing product, or what the run rate for salaries will be per day or what it will cost to replace equipment.

More difficult to tote up are the indirect business impacts, such as the cost of customer dissatisfaction or the variance in cost related to when the outage occurs.

"A lot of it is subjective, but you need to get a first swipe at trying to quantify indirect business impact," Jones said.

The quantitative or even quasi-quantitative analysis is essential in brokering a viable RPO/RTO strategy. A classic error IT departments make is showing up and asking business owners how soon they need to be back up.

"The answer always comes back that 'We have to be continuously or in an hour,'" Morency said.

Business process, application and data recovery tiers

| Recovery tier | Business process focus | Service levels |
|---|---|---|
| Tier 1 | Customer/partner-facing; functions critical to revenue production | 24/7 scheduled; 99.9% availability (<45 min./month); RTO = 2-8 hours; RPO = 0 hours |
| Tier 2 | Less-critical revenue-producing functions; supply chain | 24/6¾; 99.5% availability (<3.5 hours/mo.); RTO = eight-24 hours; RPO = four hours |
| Tier 3 | Company back-office functions | 18/7 scheduled; 99% availability (<5.5 hours/month); RTO = one to three days; RPO = one day |
| Tier 4 | Departmental functions | 24/6½ scheduled; 98% availability (<13.5 hours/month); RTO = greater than three days; RPO = one day |

Source: Gartner Inc.
