This article can also be found in the Premium Editorial Download "CIO Decisions: CIOs discover effective business continuity and disaster recovery strategies."
Download it now to read this article plus other related content.
Just when it seems things can't get any worse, they get better.
I was talking recently to an architect who works for a very large technology provider. During our conversation, he contended that the cloud was making it easier for vendors to bypass the CIO. That way, salespeople can pitch the vice president of marketing directly about
For this reason and others, we might think that the cloud makes things worse. From my own perspective, however, the availability of cloud-based products also can make things much better.
For example, disaster recovery and business continuity planning is a lot easier now than it was just a few years ago. In the old days (you know -- a few years ago) if you wanted a cold, warm or hot site, you had to build it yourself. And justifying such an investment was always a challenge. I found it difficult, even with a generous board of directors, to convince people to spend money on something we hoped we would never have to use.
With cloud-based products, on the other hand, we can take advantage of the work of others, as well as the existing infrastructure, to reduce implementation time and costs. Doing this, pluseffective planning and analysis, makes disaster recovery and business continuity significantly easier. Let me explain my approach.
Disaster recovery and business continuity begin with a risk analysis. Those risks run the gamut from natural to man-made disasters. Potential natural disasters vary by location but include such events as storms, earthquakes, fires and floods. At the opposite end, potential man-made disasters range from disgruntled employees (typically any member of my staff), to accidents (someone crashes into the electric utility transformer down the street and takes out my electric service), to "boneheadedness" (for example, the system administrator pushes the wrong button and shuts off the data center cooling, then walks away, not realizing what he just did).
Next, I like to define the likelihood and impact of a particular disaster. For instance, how likely is a forest fire at my data center? Because my data center sits in an area that's more like a desert than a forest -- not very likely. How likely is a power outage? Given my location's potential for heavy winter storms, my plans typically anticipate power outages.
After analyzing my risks and establishing their likelihood and impact, I define plans for mitigating them. How to deal with my risk of a power outage? Backup power. How to deal with boneheadedness? Error-proof my data center and IT processes. How to deal with potential natural disasters? For me, that mitigation now resides in the cloud.
My cloud-based, disaster recovery and business continuity plans include one more critical step: systems stratification. One of my favorite practices is to segregate systems into A, B and C categories. Category A systems are those that put the business at risk if they are down for even a few minutes. Category B systems can be down for a few hours or even days before the business is at risk. Category C systems can be down for a long time before anyone outside the IT department notices. This stratification is the foundation for service-level agreements, as well as for disaster recovery and business continuity planning. I worry about cold, warm or hot sites for A systems. I invest in redundancy for A systems. My risk assessment focuses on the risks to my A systems.
More cloud resources
For example, if I am operating a customer call center and the phone system goes down, I can't process orders. So, the phone system is categorized as an A system -- but not the entire phone system, just the phones that support customer calls. Only a few years ago I would have had to worry about how to create an off-site backup call center. With the availability of cloud phone services, my life got a whole lot easier -- well, easier as long as I remember which systems, namely the category A ones, require this level of attention.
Niel Nickolaisen is CIO at Western Governors University in Salt Lake City. He is a frequent speaker, presenter and writer on IT's dual role enabling strategy and delivering operational excellence. Write to him at email@example.com.
This was first published in February 2011