It could be your worst nightmare. A server overheats, starting a fire that consumes your computer room before the sprinkler system kicks in. In a matter of moments, disaster. You have lost facilities, hardware, network, and data. Now what?
Many businesspeople focus on getting their machines up and running as quickly as possible. However, with proper contingency planning, hardware and network systems can be replaced and facilities can be moved to a new location in the event of a disaster. In fact, recent developments in cloud computing alternatives offer a way to replace nearly all your infrastructure assets. The exception is your data. Therefore, your top priority should be to protect the asset that is most at risk and hardest to replace: your data.
Losing your most important corporate asset can have an enormously negative impact in real dollars, lost opportunity, customer dissatisfaction, shareholder legal insecurity, and overall corporate image. Regardless of the cause, data disruption, corruption, and loss pose a significant risk.
You need to strike a balance between the level of business risk you can tolerate and the cost of perfect security. Initially, most companies will say they cannot afford to lose any data and cannot tolerate any downtime. But protection on that scale is probably cost-prohibitive and overzealous for most businesses. It is unlikely that all applications and processes are equally mission-critical and all systems are equally vital. That is where metrics such as Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) enter the discussion.
RTO is the targeted duration of time and a service level within which a business process capability needs to be restored after a disruption in order to avoid unacceptable consequences. RPO is the maximum tolerable amount of time in which data might be lost from IT service availability due to a major incident.
Business continuity plans start by determining the RTO and RPO for your company's applications and processes. The relative importance of RTO and RPO is different for every organization. For example, an e-commerce Web site may tolerate a higher RPO than RTO, because while the business cannot afford to be offline, orders that end up backlogged may not affect the customer experience as negatively as long as confidential customer information such as credit cards has not been jeopardized. A financial services firm, however, would likely have close to zero RTO and RPO because of its need to be up and running quickly and the majority of firms store most of their highly sensitive information electronically. Brokers, for example, need immediate access to up-to-date files so they can handle transactions on behalf of their clients.
When companies formulate business continuity plans, the first concern is typically how fast they can get the business running again. While this is a valid concern, it is only half of the recovery equation. The second part of a recovery plan needs to focus on the amount of data the organization can afford to lose. Establishing business continuity metrics such as RTO and RPO in conjunction with proper data security measures such as encryption and access controls is critical in the overall business continuity planning process. Devoting attention to fundamentals of IT disaster recovery, security, and overall impact of potential data loss on the operations is the only way to guarantee your organization will still be able to operate in the event of a disaster.
When it comes to business continuity planning, it is one thing to be able to get your business up and running quickly. But can you afford to operate with data that is corrupted, outdated, or potentially exposed to unauthorized sources?
Sassan S. Hejazi can be reached at Email or 215.441.4600.
Related content: