Modernizing Authentication — What It Takes to Transform Secure Access
Many IT departments think disaster recovery (DR) and business continuity (BC) are the same thing. As a result, they tend to take a largely technology focus on the subjects.
And that's a problem, according to Michael Croy, director of business continuity at Forsythe Technology Inc., a Chicago-based IT consultancy and infrastructure firm specializing in BC and risk management.
''Many people are still confused by the terms DR and BC,'' says Croy. ''It is critically important that the DR plan is based on a solid BC plan that has taken into account the reality of the business requirements for recovery. If the DR plan cannot meet the requirements of the business units, it is of no value.''
Croy says business continuity plans touch all functions of a business -- from personnel to facilities to IT. In terms of a hierarchical view, business continuity is at the top. Below it is the disaster recovery plan. And under that come technologies, such as enterprise backup, recovery and restoration.
But true disaster recovery extends much more broadly than backup processes by using mirrored sites and replicated data to respond to an event. Similarly, business continuity goes well beyond disaster recovery by encompassing every aspect of company operations that could be impacted by a situation. Human resources, power supply maintenance or backup, transportation, food, health and safety issues all fall within business continuity.
The IT department with its disaster recovery plan is one element of a larger business continuity scenario.
John Glenn, a certified business continuity planner based in Clearwater, Florida, agrees that IT administrators need to take a wider view.
''Most people, especially MIS/IT folks, think BC is just a new name for DR,'' says Glenn. ''The difference is that DR for IT focuses solely on IT, and what IT perceives as the business unit's requirements. BC, on the other hand, should focus on the business units and, by extension, all the resources required by the business unit.''
Industry observers say it's clear that disaster recovery is one element of business continuity. While IT is junior to BC as a whole, the IT organization plays a central role in business continuity.
''It's a big mistake to think the IT department is the only department needed to develop, test and recover the business,'' says Gartner analyst Roberta Witty. ''It is advisable to form a business continuity program with a dedicated team of people with a senior management sponsor.''
IT, though, would provide one representative to the core BC committee.
According to Witty, the committee would be comprised of anywhere from two to five members, depending on the size of the organization. This group would take a wide view of potential disasters.
For example, consider employee health and welfare during an event. In a regional outage, you can't expect personnel to show up for business recovery if they are having serious problems at home related to the event. You must support them and help employees be better prepared at home for disasterous events. The American Red Cross, she says, can be brought in for this kind of training and awareness building.
Michael Gruth, head of system and network support at Deutsche Borse AG, the German exchange for stocks and derivates, says the IT staff tends to find it easier to relate to the hardware, software and networking components of DR. He has assembled an Alphaserver/OpenVMS cluster over two sites five kilometers apart. In the process, he discovered there is a lot more to DR than additional Alphas and switches.
''Do not forget things like having an office at your mirror site for remote management,'' says Gruth. ''Also, don't forget the human factor. While it may sound harsh to think about having additional employees to recommence business in the event of a tragedy, this is the reality we live in since 9/11.''
To help IT come to terms with a broader scope than disaster recovery, some IT organizations are dropping the term in favor of business continuity.
''We have gotten away from the term 'DR' as it assumes the facility is not available,'' says Jeff Russell, CIO of The Members Group, an Iowa-based company that provides card processing and mortgage services to credit unions. ''BC, on the other hand, deals with how we continue despite business interruption.''
Disaster recovery projects can easily run aground or fail to be funded if they are done in isolation. Glenn says it is essential to begin every initiative from the business continuity perspective in order to give technology its correct business context.
''Every organization I know about puts BC/DR under the IT umbrella,'' says Glenn. ''My preference is to put BC -- of which DR is a subset -- under the CFO, CEO, COO... someone with some real clout.''
To make his point about business continuity not being a matter of technology, Glenn enters the debate about what is the best platform for disaster recovery, or what technological elements are most critical. Should you use OpenVMS or UNIX, mirroring or disk-to-disk backup, SAN or NAS, or all of them? Glenn cuts through the complexity and vendor hype with a simple answer.
''My number one DR or BC technology is pencil and paper,'' he says. ''Seriously, it's not about platforms or technologies.''