Disasters don’t provide adequate notice before they strike, be it hurricanes, cyclones, earthquakes, or infrastructural failures (as is common in the Indian context). In cases like these, it is imperative for businesses interested in safeguarding their data to have a Business Continuity Plan in place.
However, this is truly an ideal scenario. Do companies really take time out to design a Disaster Recovery strategy? Do they really take the time out to put a plan in place? Well, some do and some don’t.
Current Scenario
The CIO Klub recently conducted a survey to list CIO priorities for 2009, especially during this time of economic uncertainty. The top five priorities ranked by CIOs are listed below:
> IT Cost Reduction
> Information Security
> BCP/ DR
> Implementing Advanced Enterprise Applications (CRM/ BI/ DW)
> IT Consolidation
This list says a lot about enterprise priorities in today’s day and age. However, there are always fundamental issues. One of these is the inclination that an enterprise has towards safeguarding its data.
“DR as a practice gained considerable momentum around 2002-2003. The market was looking up at that point. It’s a massive driver for storage. There are a few verticals that are highly focused on DR and BCP, such as telecom, banking and IT services, but some of the other verticals are yet to show momentum in this space. CIOs don’t seem to understand the requirements here. There are companies that are tech-savvy and know the best DR practices. However, other companies are trying to meet compliance needs and DR is just for the sake of doing it as a mandate, which does not make too much sense from a long-term perspective,” says Aman Munglani, principal analyst-storage, Gartner.
“I think it is difficult to make a generic statement, which would be true across the spectrum; but I think pan-organisations especially in the BFSI sector, there is a good understanding of DR/ BCP, there is a good understanding of how far to go into DR/ BCP investments – ensuring only critical functions/ systems get included etc. Having said that, the execution is good on paper, but needs some more work in spirit – so ensuring that the DR environment stays in sync and is updated on a periodic basis, DR/ BCP are regularly tested, user awareness of DR and BCP processes is high – these are the areas to work on,” says Umesh Jain, CIO, YES Bank.
The Intricacies
“Maturity of both the appreciation and execution of DR and BCP are quite crucial to the maturity of the organisation itself as also the lifestage it is in. In BFSI, regulatory compliance factors also matter,” says Jain.
Jain feels that the problem with DR/ BCP, like with most other enterprise tech areas, is that the appreciation develops post facto. Till then, it is very difficult to quantify the benefits of adopting it. If you can’t quantify the benefits of implementing DR/ BCP, needless to say, there is no RoI case you can develop. So, it is left to management appreciation and discretion. And CIOs have a big role to play in channelising management appreciation. DR/ BCP is often like buying insurance.
Jain elaborates further, “The other problem is in terms of our own understanding of DR/BCP and positioning it correctly. Often, I have seen technology departments making ridiculous DR cases, which will never get approved – because they have no linkage to business risks. Given the high cost of implementing DR/ BCP, it is important to present a good business case for the same, and the CIO has to be a facilitator for that process. In parallel, we need to use innovative technology and architecture to utilise the idle capacity created for DR for functions, which are not very critical and can be shut down in case of DR.”
“When one talks about DR, there are three main postulates that are to be considered, namely cost, availability, and testing. DR is not about setting up the enterprise after disasters in minutes. There are procedures, tiers, etc., which have different recovery times. It’s about segregating information, applications and systems,” says Munglani.
Best Practices
According to Munglani, it is imperative to tier or segregate your applications/ infrastructure in order to have a stringent DR/ BCP setup.
He outlines a few best practices that CIOs can use to build solid DR/ BCP plans.
> Tier 3 operations, such as back-office applications, should ideally be online in one to three days. Tier 2 and Tier 1 operations should have considerably shorter recovery times. One should also define, document, and update the RTO (Recovery Time Objective) and RPO (Recovery Point Objective) requirements for production applications.
> CIOs must update their Business Impact Analysis on a regular basis. RTO/ RPO requirements for Tiers 3, 2 and 1 should be put in place, and ownership of the same, along with mainstream responsibilities, should be managed.
> The Data Centre recovery plan should support Tier 1 and Tier 2 RTOs/ RPOs. Critical applications should be identified and stringent RPO/ RTO requirements should be set up.
Adding a few pointers of his own, Jain says, “The strategy has to be aligned to business risk – this is the mool mantra – rest is design, execution and logistics. When one talks about Best Practices, below are a few points that CIOs should keep in mind while building their DR/BCP strategy.”
• Restrict to critical applications/ functions as defined by the business
• Periodic drills
• Continuous user education
• Periodic quizzes to employees
• Periodic review and updates/ upgrades to DR/ BCP plan/ process
Verdict
Although many enterprises today are waking up to the realm of DR/ BCP, much work needs to be done in this domain. Coming back to what Munglani and Jain have said, establishing testing facilities and teams to regularly perform drill downs and analyse systems is the best way to safeguard your data. Storage vendors have a lot to look forward to, especially if this market is going to grow as predicted. CIOs need to get their priorities straight; however, it can’t be long before they realise the fragility and importance of their data.