It could be your worst nightmare. A server overheats, starting a fire that consumes your computer room before the sprinkler system kicks in and completes the disaster process. You've lost facilities, hardware, network, and data. Now what?
With proper contingency planning, hardware and network systems can be replaced and facilities can be moved to a new location in the event of a disaster. In fact, with the exception of data, almost every company asset can be replaced. Therefore, your top priority should be to protect the asset that is most at risk and hardest to replace: your data.
Data loss can result from any number of factors, such as:
- Human error
- Operating system or application software bugs
- Hardware failure
- Fire, smoke, or water damage
- Power outages
- Employee theft or fraud
- Natural (earthquakes/floods) or manmade (hacking/viruses) disasters
The loss of one of your most important corporate assets can have a tremendous impact in real dollars, lost opportunity, customer dissatisfaction, shareholder insecurity, and overall corporate image. Regardless of the cause, data disruption and loss pose a significant risk for any business.
You need to strike a balance between the level of business risk you can tolerate and the cost of perfect security. Initially, you may be tempted to say you can't afford to lose any data and you can't tolerate any downtime. However, protection on that scale can be cost-prohibitive and overzealous. It is unlikely that all applications and processes are equally mission-critical and all systems are equally vital. That is where metrics like recovery time objectives and recovery point objectives enter the discussion.
Industry research by leading analysts such as IDC and Gartner Inc. has determined 98 percent of all companies are adversely affected by unscheduled downtime. This speaks directly to the need for recovery time objectives (RTO) to guide your company when disruptions occur. Proven and tested RTO metrics will give you confidence in how quickly you can recover critical systems and be back in business serving customers. Researchers have also found 93 percent of organizations that have experienced a significant data loss are out of business within five years, confirming the need for recovery point objectives (RPO). Once your company's systems are back online after a disaster, your RPO standards help keep data loss to a minimum.
Business continuity plans start by determining the RTO and RPO for your company's applications and processes. The relative importance of RTO and RPO is different for every organization. For example, an e-commerce website may tolerate a higher RPO than RTO: the business cannot afford to be offline, but orders that end up backlogged may not affect the customer experience as negatively. A financial services firm, however, would likely have close to zero RTO and RPO, because it not only needs to be up and running quickly but also, like the large majority of financial services firms, stores most of its files electronically. Brokers, for example, need immediate access to their up-to-date files so the business can keep serving clients and handling transactions on their behalf.
When most companies formulate business continuity plans, the first concern is typically how fast they can get their business running again. While this is a critical concern, it is only half of the recovery equation. The second part of a recovery plan needs to focus on the amount of data your organization can afford to lose. Establishing business continuity metrics such as RTO and RPO is critical in business continuity planning. Devoting attention to both RTO and RPO is the only way to guarantee your organization will still be able to operate in the event of a disaster. After all, being able to get your business up and running quickly after a disaster is not much help if you are operating with data that is several days or weeks old.
Sassan S. Hejazi can be reached by email or at 215.441.4600.