Recovering the Business
Even prior to the terrorist attacks of September 11, 2001, companies across industries grappled with how to rethink disaster recovery. Now that the unimaginable has occurred, IT departments are working in overdrive to ensure failsafe protection for their companies, their products and services, and their customers.
What was clear prior to September 11, is still clear today: Disaster recovery / business continuity is not the sole responsibility of IT, or any one group under the IT umbrella. That's because IT pervades all enterprise business and seeps across business units, departments and locations. What was traditionally known as disaster recovery in the 1980s, when it emerged as a formal discipline, has evolved into something broader and more complex: Disaster recovery in and of itself is not an exclusive strategy. It has evolved to be more broadly defined as business continuity and contingency planning, or the recovery of business processes.
Here's a case study of how one company has evolved in its thinking about disaster recovery over the years.
Phillips Petroleum Co., Bartlesville, Okla., is a $15.2 billion worldwide company with about 15,900 employees. Just five years ago, the organization viewed disaster recovery as a bricks and mortar and hardware issue. The company also viewed disaster recovery as a commodity service and saw it not only as a cost but at the ability for its internal IT to recover its systems. This view has changed dramatically.
Today, Phillips views disaster recovery as a full provider solution to recover all critical systems--and not as a commodity service. "Disaster recovery is not an IT issue, it's a business issue," says Marshall McGraw, manager business services for IT, noting that any loss is a loss to the business.
What drove the change was a change in view of the business and the reliance of the business on IT as a critical and competitive component by company executives and board level members.
As far as how the company looks at the cost for disaster recovery / business continuity, McGraw noted that every organization has to do a risk analysis relative to the business and look at potential revenue loss, loss of customers and the financial impact of loss, in the case of disaster, to stockholders. Then, decision makers must settle on a cost figure that they're comfortable with depending upon the risk at hand.
As part of its recovery plan, Phillips ships it data to a facility in N.J. where it IBM Corp. gets data tapes and restores the data, operating systems and applications. Back-up telecommunication services are also tested to ensure that they're alive and well. Phillips does the applications testing.
When devising its disaster recovery/business continuity strategy, the company looks at:
- How it will recover the network and access to facilities no matter where they are located
- What systems need to recover; what data, systems and talent the organization must have available
- Who is going to recover it
- How to keep the data current and make sure that there's communication and collaboration between the company and its disaster recovery/business continuity services partner to ensure that disaster recovery is up to data with the business
- Making sure that disaster recovery/business continuity is part of daily operations
When selecting a business recovery partner, Phillips had several key criteria:
- The scope of services offered to bring up the company's systems without the use of internal staff.
- A vendor who is constantly looking for improvement in how they deliver services.
- The vendor should be proactive.
- Cost is important but Phillips also looked beyond costs to the value-added vendor services.
- Global capability.
Today, Phillips spends slightly more than one million dollars per year on disaster recovery/business continuity services from IBM. This figure, notes McGraw is less then the company spent five years ago--at least 30% less. He attributes the decrease in spending on disaster recovery to two key factors: The first has to do with cost. While technology has improved the cost of technology has decreased which means Phillips gets more for its money. Secondly, the company also has less people working on disaster recovery/business continuity than it did in the past. Today, only one full-time person is devoted to disaster recovery/business continuity while many people make it a part of their daily jobs. In the past, there was a separate organization, of four or five full-time people, that oversaw disaster recovery/business continuity.
At Phillips, and other organizations, robust recovery plans tend to be driven by senior management. When upper management understands the potential for losses to the business as a result of some disaster, it understands the complexity and integration of IT systems and business processes across the organization.
Organizations have to decide to what level they want to grow their business continuity plans, for example, are they looking for traditional disaster recovery or are they looking for high availability and instant fail over? Once an organization has a business recovery plan in place it must get revisited because the IT infrastructure is always changing as is the business, its needs and requirements.
Lynn Haber writes on business and information technology from Norwell, MA.