I’ve said it before (again, with a hat-tip to the author of ‘Fight Club’) – on a long enough timeline, the lifespan of every storage medium drops to zero. The thing is, business continuity comprises much more than data. Even if you’re two-guys-in-a-garage, you have to give thought to what happens next if you lose not only data, but your place of operation.
Through our disaster-recovery practice, we’ve identified some areas which are held in common by all successful DR plans. I’ll outline them below:
#1 – Keep Your Business Going.
On the face of it, this is obvious, but the steps necessary to do so are not. It’s worth completing a basic business-continuity checklist (if you need one, we can help with that) in order to ensure all the bases are covered. Some of them are:
- Insurance – I once owned a business that necessitated a warehouse. Every year, I’d take my agent out for a very bad (at least on my side) game of golf, lunch, and a review of my insurance needs. Thankfully, I never needed to make a claim, but the advice I received was sound: Keep your inventory current, and ensure you know, right down to the last desk chair, what’s needed to start over. (Remember that you’ll need to insure everything for replacement cost – not what it was worth when the disaster occurred.) You’ll also need BCI (business continuity insurance); literally, this is coverage for your downtime.
- Infrastructure – Do you have a warehouse or manufacturing facility? Best to line up resupply of critical hardware and/or goods. While you’re at it – are your fire suppression systems up to date? Adequate handheld fire extinguishers? Proper training for the staff? (Your local fire department can help with this.) Evacuation plans? What about small disasters, like power outages? Is critical equipment attached to a UPS or generator? What about critical endpoints (not just servers)? If there are any ‘holes’ in your plan, now’s a good time to identify and ‘plug’ them!
- Downtime – If you have yearly revenue of $1.2M, your hourly revenue needs are $625.00 (assuming an eight-hour workday). You need to be insured for the length of time it’ll take to recover from a disaster which puts you completely out of business until you can relocate, replace everything, and begin again (worst case). On the other hand, the best case is a simple server failure, which will impact your data, but nothing else. Regardless, your hourly ‘nut’ is $625.00. This is the number on which all other calculations – as well as recovery contingencies and planning – need to be based.
#2 – Communication – Most business owners don’t consider this issue, but it’s critical. The old saying, ‘the channel will absorb the difference’ affects everyone today; no business is irreplaceable. It’s therefore crucial that you communicate, immediately, with every one of your customers and suppliers. Have you a basic IT installation offsite (it doesn’t have to be any more than a laptop) which can facilitate this? At minimum, you need to be able to send an email out from your business address, informing everyone of a disaster, and when you anticipate being up and running. (This necessitates, by the way, having your email hosted by a third party.)
#3 – Shorten Your Data Recovery Window – I’m going to introduce you to three terms: RPO, RTO, and RCO. It’s easy to remember the differences when you look at them this way – RPO (Recovery Point Objective) is the point in time to which data can be restored following a loss-event. RTO (Recovery Time Objective) is the amount of time needed to restore. RCO (Recovery Cost Objective) is the cost-tolerance of your business to the time needed to restore/recover after an event. RPO and RTO are applied to data. RCO is applied to the entire business.
- RPO: This one’s easy – and upon examination, will give you a good idea whether or not that inexpensive data-copy service you’ve been using is adequate. Example: If you back up your data only to an online service once a week, and your disaster (worst case) occurs the day before you run a backup, then your RPO is six days for data only. (Of course, if a server failure is involved, you’ll have to have a new server built and software installed.) If that process takes a week, you will be nearly two weeks behind by the time you have a new server up and running. You’ll be paying a lot of overtime to get the data back to ‘current’ – so make certain you’ve insured yourself accordingly. If you don’t like the figures you see when you do your basic calculations, you can take practical steps – like running differential backups on a daily basis, and/or implementing a point-in-time backup methodology; both will shorten that data recovery window.
- RTO: This one can get somewhat more complex. Let’s go back to that online data backup service. If you’ve got 1TB of data or less, the cost to back it up and restore it later is almost equivalent to the cost of buying the hardware and doing it in-house, without the headache of owning the backup gear (hardware and software) yourself. Remember: there are four costs to backing up offsite or in the ‘cloud’: the cost to transport the data (bandwidth and time), the cost to store it, the cost to download it (again, bandwidth and time), and the cost of retrieving the data. At under 1TB that expense may be easily justified; at over 1TB, that cost begins to mount, quickly. If you use a cloud or offline service to back up a server image and software as well, these costs can strip the budget quickly. (A good benchmark to consider whether to bring backups in-house is that 1TB mark.)
- RCO: The Recovery Cost Objective is the amount of time expressed in dollars you can afford to be out of business. It’s important to consider all expenses in a worst case scenario, including rebuilding a partially-lost customer base, and then add at least 20% to the total – this is the amount of business continuity insurance you should purchase. Note that this has nothing to do with your RTO and RPO!
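The figures above, worked through as an added example that is not part of the original article: it compares the weekly-only schedule with daily differentials for the same failure, then prices the outage and applies the 20% margin. Assumptions: 240 working days a year (the value that reproduces the $625 hourly figure), a one-week rebuild counted as five working days, a 100 Mbps link for the restore download, and illustrative function names.

```python
WORKDAYS_PER_YEAR = 240  # assumption: reproduces the article's $625/hour from $1.2M
HOURS_PER_WORKDAY = 8    # from the article

def hourly_revenue(annual_revenue):
    """Revenue to replace per working hour of downtime."""
    return annual_revenue / (WORKDAYS_PER_YEAR * HOURS_PER_WORKDAY)

def data_loss_days(failure_day, backup_days):
    """Days of work lost: failure day minus the last backup finished before it."""
    completed = [d for d in backup_days if d < failure_day]
    if not completed:
        raise ValueError("no restore point exists before the failure")
    return failure_day - max(completed)

def restore_transfer_hours(data_tb, link_mbps):
    """Hours to download data_tb (decimal terabytes) over a link_mbps link."""
    return data_tb * 8_000_000 / link_mbps / 3600

def downtime_cost(annual_revenue, outage_workdays):
    """Revenue lost while the business cannot operate."""
    return hourly_revenue(annual_revenue) * HOURS_PER_WORKDAY * outage_workdays

def insurance_target(worst_case_expenses, margin=0.20):
    """The article's rule: total worst-case expenses plus at least 20%."""
    return worst_case_expenses * (1 + margin)

def plan_report(annual_revenue, failure_day, backup_days, rebuild_workdays,
                data_tb, link_mbps, other_expenses=0.0):
    """Combine the figures for one backup schedule and one failure scenario."""
    lost_revenue = downtime_cost(annual_revenue, rebuild_workdays)
    return {
        "data_loss_days": data_loss_days(failure_day, backup_days),
        "restore_transfer_hours": round(restore_transfer_hours(data_tb, link_mbps), 1),
        "lost_revenue": lost_revenue,
        "insurance_target": insurance_target(lost_revenue + other_expenses),
    }

if __name__ == "__main__":
    # Constructed scenario: full backup on day 0, failure on day 6 before that
    # day's backup runs, five working days to rebuild, 1 TB over 100 Mbps.
    schedules = {"weekly only": [0, 7], "weekly + daily differential": list(range(8))}
    for name, days in schedules.items():
        print(name, plan_report(1_200_000, 6, days, 5, 1.0, 100))
```

Pass the remaining worst-case expenses (replacement hardware, overtime, rebuilding the customer base) as `other_expenses` so the insurance target covers more than lost revenue.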
You’ve probably seen now that replacing even a modest revenue stream can be costly, but consider the alternative: 80% of businesses experiencing catastrophic data loss and/or physical catastrophe are out of business within a year if they have only partial plans in place and suffer a data loss and/or business disruption lasting three days or more; that number jumps to over 90% if they’re idle for a week or longer. Insurance is cheap – and a solid DR plan including infrastructure replacement is the first line of defense.
Once you’ve got a handle on RTO, RPO and RCO, you need to make some decisions. As covered in a prior article, the cost of keeping all of your data secured on site is usually prohibitive unless you’re at or below the 1TB mark. It’s best to determine which data is critical or mandatory, which is likely to be needed within the month, and which may be archived. Cloud storage is used to best effect for archived data. Secondary storage (like tape or removable disk in the company vault) is a logical choice for near-line data. On-premise disk storage with replication to another company-owned facility is your best choice for data as well as server images which will need to be restored immediately.
Summation: Your business depends not only on a complex supply and customer chain, but on critical data which you need to do everything from communicate with your customers and vendors to collect money and pay the bills. That data is your business, in electronic form. As tedious as the process might be, putting together a plan to protect it should be a gold-plated priority!
(Cymbidium Systems is a Pacific Northwest based value added reseller with a 35 year legacy of assisting small and medium business. They have practices in data protection, security, and general networking.)