If you were to ask a dozen CEOs for their definition of Business Continuity, you’d very likely get a dozen different answers. That’s not to say that the practice of business continuity is misunderstood – just not well understood in the SMB world.
As members of small and medium-sized businesses it is pretty safe to say that we really don’t have the resources (time, human or financial) to allocate to intense business process scrutiny, development of detailed “what-if” scenarios and implementation of anything that takes focus away from our core business. Despite the incredible resource drought that most companies are facing, it is important to realize that critical business interruptions are not reserved for the Fortune-500 alone.
What is a disaster?
One of the common misconceptions when discussing Business Continuity and Disaster Recovery is the definition of a “disaster”. For all intents and purposes, replace the word disaster with disruption. Anything that has the possibility of interrupting your normal critical business processes would be considered a disruption. So a BC/DR Plan has to consider anything, large or small, that could take processes down - from a power spike or server crash to an F5 tornado or terrorist attack.
Small disruptions based on hardware failure and human error are much more likely than broad-scale natural disasters, and fortunately these types of disruptions are the most easily mitigated through proper controls and preparation.
Risk is not universal. Each company has unique risks associated with its location, type of business, life-cycle and amount/type of data stored. Businesses located in hurricane- or earthquake-prone areas, facilities in known terrorist targets and companies with regulatory compliance and data sensitivity issues are considered higher risk and would be more willing to take steps to reduce their exposure to these risks.
Risk Tolerance/Risk Response
Businesses are also unique in their tolerance and response to risks. Businesses commonly follow one of three approaches:
- Do Nothing – realize that business continuity and disaster recovery activities have costs associated with them and doing nothing is free.
- Insurance - purchase enough insurance to be able to rebuild or retire after a disastrous event. Rebuilding is essentially starting over and will cause the business incredible disruption.
- Mitigate the Risk – adopting activities and processes that remove or lessen the specific risks that have the greatest potential to impact the business.
At its most basic level, risk mitigation aligns the possibilities and probabilities of risk with the risk tolerance of the organization and the costs associated with mitigating the risks. Action is only necessary for risks that rise above the tolerance threshold and have associated costs that are reasonable given the level and probability of the risk.
So, what’s an SMB to do?
Given that small and medium-sized business owners have too few resources to split between business continuity activities and core business objectives, the real opportunity for SMBs is to find a way to cost-effectively mitigate some common business risks and at the same time provide the company with some visible operational benefits. In working with a business continuity and disaster recovery expert, we found that there are four IT-based initiatives that would provide risk mitigation while offering additional business advantages.
Hands down, the most critical aspect of any business is the communication between the company and its clients, prospects, suppliers and vendors. Without a constant stream of communication, business slows to a crawl. To illustrate this point, consider how your business would react today if the lifelines to your phone and e-mail were suddenly severed. Frustration would abound as customers, partners and vendors were unable to buy, sell or receive products and services from your company.
Fully hosted e-mail solutions are not compromised by on-site disruptions and are also accessible over any web connection or wirelessly through a mobile device. Both on a daily basis and during an on-site business interruption, employees will benefit from productivity options and can easily access their mail, calendar and tasks remotely.
In the event of a long-term disruption, traditional phone systems require the phone company to reroute lines which can be both difficult and time-consuming. Because of the time necessary to reroute, it is ineffective to switch phone lines for more common short-term interruptions. Switching to a hosted Voice-over-IP solution would allow employees to quickly reroute their office phones to an alternate phone number using Call-forwarding or Remote Office functionality without the need for administrative assistance. For daily use, the feature-set of a hosted VoIP solution allows employees to have complete control over their phone features, enabling them to transparently telecommute, receive important calls while traveling or take part in a call center regardless of their location.
Business Continuity is simply defined as a series of acts necessary to prevent business disruption and re-establish business services as quickly as possible in the event of a disruption. With this in mind, it is important to analyze your business flow and determine which processes are critical to the business. Although it can be different in every situation, most businesses regard the process between sales and accounting to be the most critical.
To prevent a disruption to critical business processes, applications involved in these processes must be available at all times. This can be done in several ways.
One way is to purchase a redundant on-site server to be used in the event of a failure. This can be kept as a cold server (configured for use but not necessarily up to date, turned off until needed), a warm server (configured and periodically updated, turned off until needed) or a hot server (running and ready, available as a failover).
Another way to ensure availability is to have the application hosted through an outside service provider. Hosting options vary greatly based on your performance and accessibility needs. Hosting not only saves your company the upfront time and money necessary to purchase and maintain the additional server needed for better risk management, but also protects the company from technology obsolescence, reduces the strain on your IT department and offers nearly unlimited scalability.
One of the most common disruptions in business is a simple internal hardware failure that causes a loss of data. Depending on the severity of the failure this could necessitate a simple recovery from backup tape or a bare-metal recovery of the entire server.
As is customary in every risk assessment, the criticality of the process defines the nature of the mitigation strategy. Most companies’ data falls into one of four categories. The backup/recovery strategy will likely be different based on the importance and availability needs of the data.
- Regulatory Compliance - Many businesses (healthcare, financial, government) are subject to regulatory compliance for their data storage. If your business data falls into a regulated category, then you should be careful to follow the appropriate guidelines to ensure that the information is stored safely, securely and is free from risk.
(Offsite disk-based backup in a SAS-70 audited facility)
- Critical Data - This category includes data that is both of high importance and requires high availability. Other than data subject to compliance, this is the most important category and requires the most care. The backup plan that you choose should allow both frequent backups (to optimize the recovery point) and easy-to-administer backups (to optimize the recovery time).
(Primary: Offsite disk-based backup, Secondary: Offsite Tape Archive)
- Essential Data - Essential Data is important to the company, but is not referenced very often. With this type of data you want a very reliable and secure solution, but speed to recover is not the most critical component.
(Offsite disk-based backup)
- Important Data - The lion's share of the current data within your company falls into this category. This includes data that is used and updated on a regular basis, but is not critically important to the fundamental operation of the company. The backup strategy for Important Data should ensure that this data can be restored quickly to avoid a disruption to general work processes.
(Offsite disk-based backup)
- Non-critical Data - Out of date information should be offloaded using a long-term archiving strategy. While this data may need to be referenced at some point in the future, the time constraints are usually low so it is best to select a low cost storage option with an emphasis on reliability rather than speed to recover.
(Archive to Virtual Tape Library or Tape)
Important elements to understand in a Backup Strategy:
- Recovery Point Objective - The easiest way to understand an RPO is to realize that if you currently back up to tape after hours and you have a failure at 4:30 p.m. the next day, you can expect to lose an entire day's worth of work. Ideally, a backup will be performed during business hours - perhaps several times per day to optimize the recovery point.
- Recovery Time Objective - If a recovery is necessary, the recovery time objective is the time necessary to complete all of the actions from the realization of an issue all the way through the data restoration.
- Incremental Block-Level Backup - Tape backup is performed at the file level, which means a single change in a large database or file requires the entire file to be backed up. Incremental Block-Level backup is a disk-to-disk backup method that takes a point-in-time snapshot of the drive and only backs up the blocks that have changed. This allows more frequent backups, and reduces the amount of data being transmitted and stored.
- Retention Time - Your retention time will differ greatly based on the type of data and your business drivers. Some businesses require only a very short retention time (24-48 hours) while others might need to be able to access point-in-time views of the data for months or years.
- Offsite Backup – Significant risk is mitigated by separating the data backup from the location of the server. In many cases it is possible to quickly run from the backup while recovering the main server. This Continuous Data Protection ensures maximum uptime with your data.
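To make the difference between file-level and incremental block-level backup concrete, here is an added example (not LightEdge code or any vendor's implementation). It compares per-block SHA-256 digests as a stand-in for the snapshot-based change tracking a real product would use; the 4 KiB block size, the function names and the sample data are assumptions.

```python
import hashlib

BLOCK_SIZE = 4096  # assumed block size; real products choose their own


def block_digests(data, block_size=BLOCK_SIZE):
    """SHA-256 digest of every fixed-size block in a volume image."""
    return [hashlib.sha256(data[i:i + block_size]).digest()
            for i in range(0, len(data), block_size)]


def incremental_backup(previous_digests, current, block_size=BLOCK_SIZE):
    """Return ({block index: bytes} for changed or new blocks, new digest list)."""
    digests = block_digests(current, block_size)
    changed = {}
    for idx, digest in enumerate(digests):
        if idx >= len(previous_digests) or previous_digests[idx] != digest:
            changed[idx] = current[idx * block_size:(idx + 1) * block_size]
    return changed, digests


def restore(base, increments, final_length, block_size=BLOCK_SIZE):
    """Replay increments, oldest first, over the base image."""
    image = bytearray(base)
    for changed in increments:
        for idx, block in changed.items():
            end = idx * block_size + len(block)
            if end > len(image):              # the volume grew since the base
                image.extend(bytes(end - len(image)))
            image[idx * block_size:end] = block
    return bytes(image[:final_length])        # trim if the volume shrank


def demo():
    """One changed byte in a constructed 1 MiB file: what each method sends."""
    original = bytes(1024 * 1024)             # constructed sample data (zeros)
    _, base_digests = incremental_backup([], original)
    modified = bytearray(original)
    modified[100 * BLOCK_SIZE + 7] = 0xFF     # a single-byte change in block 100
    modified = bytes(modified)
    changed, new_digests = incremental_backup(base_digests, modified)
    restored = restore(original, [changed], len(modified))
    verified = block_digests(restored) == new_digests  # integrity check on restore
    return {"changed_blocks": sorted(changed),
            "block_level_bytes": sum(len(b) for b in changed.values()),
            "file_level_bytes": len(modified),
            "restore_verified": verified}


if __name__ == "__main__":
    print(demo())
```

Keeping the digest list alongside each backup also gives a restore-time integrity check, which is how the demo confirms that the rebuilt image matches the protected data.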
Data continuity practices clearly demonstrate a blur between what affects daily operations and BC/DR planning. An effective and timely data backup and restoration model means that processes will be able to continue or be quickly remedied in the event of a business interruption.
In extreme conditions such as terrorist threat, fire/smoke, chemical hazards or other situations that negate the use of the primary facility, having communication continuity, process continuity and data continuity allows your employees the flexibility to work from alternate locations. Many will be able to telecommute productively by utilizing their laptop or home computer. Once you have created an environment which removes the ties to the main office for all of your communication, applications and data, your employees are able to work with complete mobility.
Key employees such as executives, managers, and functional work groups may need to be in the same physical setting to collaborate. Likewise, employees without laptops may need workspace and hardware to effectively perform their job roles. In these instances, it is necessary to provide an alternate workspace during both temporary and long-term business interruptions. The alternate workspace will allow critical business processes to remain functional while disaster recovery actions are being performed.
While alternate workspace is usually only used during true business interruptions, companies have also used it effectively to provide employees a place to work during seasonal business spikes that warrant the use of temporary employees and during office construction/redesign.
In the past, small and medium-sized businesses have not appreciated the value of mitigating business risk, likely because of the cost. This whitepaper has outlined some simple ways that businesses can begin realigning their business processes to activities that require very little upfront capital, reduce IT support, provide nearly unlimited scalability and most importantly provide the flexibility and geographic mobility necessary for improved business continuity.
For more information regarding the LightEdge services that support Communication Continuity, Process Continuity, Data Continuity and Workforce Continuity please contact LightEdge Solutions at 877-771-3343 or email@example.com. LightEdge Business Continuity and Disaster Recovery services can be added as a complete package or individual On-Demand services. LightEdge Solutions is the IT management company for Edge Business Continuity Center (EdgeBCC).