For these reasons, ContinuitySA is finding that more and more companies are looking for backup solutions that are fully managed and monitored by a specialist service provider, and that do not use tape as the storage medium.
When it comes to backup technologies, ContinuitySA believes that the ideal solution should include an onsite backup and recovery vault at each major location. Because most restores are required within 48 hours (accidental deletions of files and data corruption due to software faults are the most common reason for restore requests) this facility is very convenient. As it uses the existing local-area network, backups and restores are very speedy.
The backup vault should be a purpose-built appliance that can scale easily as well as integrate with new technologies. It should be designed to check the integrity of backups, and compress and de-duplicate data.
The onsite vault should then be synchronised to an offsite recovery site. Providing the right kind of bandwidth is very important to ensure that backups can be completed as scheduled and replicated offsite quickly, with full encryption across the whole process. It’s very important that the recovery site not only has the necessary server infrastructure on which to perform the restore but can also provide workstations for employees in the event of a major disaster.
As an aside, bandwidth is one of the reasons why cloud restorations don’t work that well. Most companies would take weeks or even months to perform a total system restore over normal Internet connections!
There are fairly high technical specifications built into all of this, which is why so many companies are partnering with a specialist provider like ContinuitySA. Whoever the partner might be, though, it’s very important that the client be provided with user-friendly dashboards and reports to maintain oversight, and that the parties meet regularly to ensure that the backup strategy remains aligned with the overall IT and business continuity strategies.
Data is becoming a key corporate resource—it’s really time to make sure it’s protected adequately with the right backup solution.
In an earlier blog we mentioned the importance of ICT and business working together, but the reality is that most organisations still have a long way to go in achieving this. One common problem is that when the business specifies that process A has to be recoverable within, say, two days, ICT plans for two days without taking into account that the total 2-day timeframe has to include the recovery of the people who make the process happen—and where they will work.
The ICT and Business Continuity teams thus have to work closely in developing their plans, and the same principle holds true in exercising.
The second key point we want to make is somewhat more contentious. In the previous blog on exercising, we indicated that the ability to test the Business Continuity Plan in a flexible manner was vital, partly because companies are risk-averse, and shy away from running a full interruption exercise. Their concerns are understandable and, for many, the risk of running a full interruption exercise in which something does go horribly wrong is too high, especially considering that the chances of a full interruption event actually happening are low.
However, full-scale exercising of the ICT environment should at least be seriously considered when the stakes are high and time urgency is a key driver. The point is neatly illustrated via the Tale of Two Banks.
Bank A takes its ICT Service Continuity very seriously and periodically switches off its production servers and runs on its ICT Service Continuity systems for a full week. When the fateful day did eventually arrive, Bank A suffered a very public and massive IT outage, but it was able to get its systems up and running within five hours and ran on them for three months while its data centre was reconditioned.
Bank B suffered the same problem and took a whole day to get back up—and was sued by its clients for nearly R1 billion for lost business. In the banking industry, minutes, not hours, can cause irreparable damage to the organisation – financially, reputationally and in lost productivity.
The former had actual experience of what to do, and had used the opportunity of its periodic exercising to hone its performance; the latter had state-of-the-art equipment and facilities but no practical experience.
The Tale of Two Banks clearly demonstrates the return on investment that organisations can achieve if they put in the time and effort to prepare for, and exercise, their ICT and Business Continuity solutions.
If you are interested in learning more about our tailored training and exercising solutions, please contact ContinuitySA on +27 11 554 8000 or click here and we will contact you.
Because business is so dependent on ICT, it stands to reason that ICT’s ability to recover from a disruption is integral to the business’s ability to do so. Trouble is, ICT Disaster Recovery has traditionally been a highly technical discipline with scant attention paid to the needs of the business.
That’s all set to change as specialist ICT Continuity consultants like ContinuitySA take the lead in helping to move ICT professionals from the “Disaster Recovery” mind-set to a more framework-orientated “ICT Service Continuity Management” approach. ICT Service Continuity Management addresses ICT Continuity in parallel with the wider Business Continuity Management Programme, ensuring joint ICT and business objectives and outcomes, and maximising synergies to ultimately reduce cost and effort.
The impetus behind this welcome move is the fact that the ISO22301 standard references ISO27031, a little-known standard for ICT Service Continuity Management, dating from 2011. The crux behind ISO27031 is to move the focus away from purely technical ICT recovery issues to look at ICT Service Continuity as a holistic framework of steps that form an integral and interdependent cog in the Business Continuity Management Programme of work. (See Figure 1 for a bird’s-eye view of ISO27031.)
For this reason, ContinuitySA offers a two-day course for ICT professionals structured around the ISO27031 standard for ICT Service Continuity Management. The course aims to bridge the gap between business and ICT, so that ICT Service Continuity Plans reflect the recovery needs of the business—and thus can motivate for the right level of budget allocation. Course attendees will receive training to enable them to understand the needs of business, perform a Business Impact Analysis for each component of the ICT system and then exercise the solution to provide assurance to the business that the ICT recovery is indeed achievable within the business-required timeframes.
But the time to find out that plans don’t work is not when the disruption has already occurred! If a plan hasn’t been exercised or tested, it’s just not a plan you can depend on.
One mistake many Business Continuity Plans make is to focus on total outages. That means they are often structured so that they can’t be tested piecemeal. Quite understandably, companies see a full interruption exercise involving the entire business as too risky, so testing never moves beyond a theoretical discussion-based exercise—often leading to an unpleasant surprise when the plan does need to be invoked in practice.
In ContinuitySA’s view, therefore, a Business Continuity Plan must be able to be exercised in a flexible manner, starting with a theoretical discussion-based exercise and then progressing in maturity into practical simulations and exercises. The plan and exercising thereof must also make provision for the fact that a department or even half a department may be sent offsite to the work-area recovery site for a day to see if they can, in fact, continue to function as planned.
This approach has the added advantage of familiarising staff with the components of their plan documents, the various logistical arrangements and communication requirements and what is truly expected of them should the plan be invoked. Exercising is an important and integral component of Business Continuity Management—and forms part of the five-day course mentioned in the previous blog.
In summary, training and exercising go hand-in-hand, ensuring that the ‘reaction is routine’ and that the recovery capability has been validated and proven! You don’t want to be counting the cost when it is too late…
In ContinuitySA’s experience, many companies end up with failed BCM programmes after months of work and effort—amounting to many hundreds of thousands of Rands wasted—simply because their methodology and/or ability to maintain the programme was faulty.
For example, one of the fundamental mistakes is that companies approach the Business Impact Analysis phase incorrectly. Because Business Continuity is concerned with recovering business processes in a sequence that is logical in terms of the overall corporate strategy, it’s necessary to determine the impact and time-urgency of each process. This exercise can be a political minefield within the company, with each department “talking up” the importance of its own processes. Without a skilled and knowledgeable BCM facilitator, this will result in incorrect information being collected and will jeopardise the integrity of the whole programme of work.
It’s easy to see how tricky such an exercise can be, and how easily it can yield the wrong answers. It can also take much longer than it needs to—by a factor of 400 or 500 percent in many cases! Inevitably, too, such plans will be 80 percent useless because they do not reflect the nitty-gritty of the recovery process or the strategic imperatives of the company.
In short, it’s vital that the corporate strategy is used as a measure against which to assess the relative importance of business processes, and how soon each one needs to be recovered. It’s also vital that the team putting the plan together understands how to negotiate the political minefield of the Business Impact Analysis.
Proper training can help you to avoid such costly errors. ContinuitySA has been running a very successful and popular five-day course for BCM practitioners. The course builds on our decades of experience to help attendees avoid common pitfalls, manage company politics successfully and navigate the Business Impact Analysis phase and other phases in the BCM lifecycle. In addition, we offer courses tailored to meet the needs of the different layers of the organisation from general staff induction to executive awareness and more detailed courses for those who have specific BCM responsibilities.
We recognise that a five-day course will at a minimum provide you with a framework and techniques, but the need for post-training support for day-to-day implementation issues is where the heartache is felt by most practitioners. That’s why course attendees automatically become members of the ContinuitySA Special Interest Group (“CSA SIG”). Monthly SIG meetings provide a great opportunity for mentoring by our in-house specialists, an opportunity to ask questions in an open forum and interact with other practitioners in a safe learning environment.
Truly a way to save costs for your company in the long run!
Once this analysis is complete, one can begin to work out where to start. ContinuitySA performs a scaled-down basic assessment free of charge for long-standing existing clients and can also assist with a very detailed billable Backup Assessment for clients and prospective clients who would like a comprehensive independent analysis of the current health of their backup approach.
Using your offsite recovery infrastructure, perform a complete recovery test of the entire IT system to understand just how well your current backup setup would perform in the worst-case scenario. As part of this process, companies must understand the full sequence of events involved in a recovery, and how long each one takes (see Figure 1). These include:
The first three steps are often overlooked when rehearsing and timing the recovery process.
Next time, we’ll look at the kind of backup solution that you should be moving towards.
Our guest speaker Alan Argyle will give a 90-minute multimedia session in which we’ll explore the most common sources of corporate crises and why they are more likely to be slow-creep issues like pythons; the real costs of getting it wrong and why best practice crisis communications is often counter-intuitive for corporate leadership; balancing legal and public relations counsel; and stress-tested, practical guidelines for building, sustaining and defending your most valuable strategic asset – your reputation – when the media, activists, customers, the regulators and your own employees are banging at your door.
For example, many CEOs and CFOs make copies of their important documents on public cloud storage like Dropbox and OneDrive (previously SkyDrive), external hard drives, flash drives and even their home PCs. This type of practice is extremely unsafe from the point of view of data security, both company and personal. The Protection of Personal Information Act will impact the latter, and compliance audits get ever more rigorous.
They aren’t alone. It’s not uncommon for the database administrator in a company to make a complete copy of his or her database each night, in addition to the official backup. The same is true of mail, document management, virtualisation and other administrators. The end result: backups of backups and a massive growth in data stored on primary (i.e. expensive) storage systems. EMC says that backup consumes up to 10 times more storage than production, a factoid that should be giving grey hairs to both CIOs and CFOs.
All this distrust is not unreasonable, one must hasten to add. Research for EMC revealed that 34 percent of companies in South Africa are not sending their backups offsite. While this may seem shocking, ContinuitySA’s experience in South Africa is that many corporates and government agencies indeed are not following this basic procedure, which seriously compromises their ability to recover from the loss of their local systems. And in addition to this, in our experience up to 10-25 percent of all backup jobs are failing before they are even removed offsite. Even when a backup job appears successful it is very rarely verified.
Added reasons for mistrust include the fact that hardly anybody encrypts the data stored on tape owing to the complexity of the process and the time it takes. Added to this, the unencrypted tape is then transported by a courier on his or her normal route around town to a warehouse that in all likelihood has worse security (and climate control) than the company’s own data centre.
EMC’s Disaster Recovery Survey 2013 for South Africa indicates that 52 percent of companies experienced electronic data loss or system downtime in the last year and 74 percent fear they could not fully recover from a disaster. Traditional tape backups are not only unreliable, they are also extremely difficult to scale and do not easily adapt to new technologies.
Having indicated something of the scale of the backup problem, next time we’ll look at some ways to fix what you have.
In response, this year’s Business Continuity Awareness Week will focus on the true cost of business continuity. The theme for the week is counting the cost, which will highlight the potential costs of not having an effective business continuity management system in place.
“When the alternative is going out of business, it’s clear that business continuity offers great value for money,” says Cindy Bodenstein, Marketing Manager at ContinuitySA, who are providing 4 speakers at the global event this year. “It’s a theme that resonates with us here in South Africa because business continues to battle against global economic headwinds—but, at the same time, we have to recognise that incidents that threaten business survival, from weather to social unrest and terrorism, are unfortunately becoming extremely common. And as it’s an election year with higher levels of social tension, business disruption is a fact of business life.”
Business Continuity Awareness Week (BCAW) is an annual global event organised by the Business Continuity Institute, and this year will take place on 17-21 March 2014. During the week, leading international business continuity experts will deliver free webinars. This year’s topics presented by ContinuitySA experts include:
For further information about Business Continuity Awareness Week visit the BCI Website.
Most organisations have considered and gone a long way to implementing IT disaster recovery and so when business continuity appears on the horizon it gets assigned to the IT department. As discussed in the previous blog, business continuity and disaster recovery are interconnected but should not be owned by the same executive. The reason for this is simple: disaster recovery is IT-focused and requires technical insight. Business continuity is founded on business processes and decisions regarding recovery times and associated resources. Business continuity decisions need to be made by the business owners themselves.
So what’s the logical place for BCM to be located within the enterprise, where it will deliver the maximum benefit to the company?
There’s no correct answer to this question. In fact it’s safe to say that many hours of debate—sometimes quite heated—have gone into finding it. In our experience, we have found that the correct home for BC depends on the culture of the organisation. Most often it resides with the risk management department. Although it is relevant to risk reduction, placing business continuity there may make it seem like a once-off event and not a continuous improvement process.
In other instances, business continuity is assigned to the COO. The advantage of this approach is that buy-in is likely to be wider, and there’s a greater chance that business continuity will become ingrained in the organisation. On the downside, it’s likely that the risk-reduction component might not be implemented correctly.
The reality is that BC is a key governance requirement and ultimately accountability should reside with the CEO and/or the Board. The implementation of the project beneath this should then be the responsibility of the department best suited and skilled to achieve the objectives of the BC programme.
Where does your business continuity management function fit?