Budget-minded small to midsized businesses (SMBs) once viewed business continuity (BC) planning as an expensive luxury. Not anymore. Upgrading disaster recovery (DR) capabilities is a major priority for 56% of IT decision makers in the U.S. and Europe, according to Forrester Research Inc.'s 2007 Market Overview: Business Continuity Planning.
In addition, a spate of recent federal regulations makes it imperative for many SMBs to enact business continuity plans. The U.S. Department of Homeland Security says one in four businesses won't reopen following a disaster.
Unforeseen events are increasingly driving adoption. The Cambridge Security Services Corp. implemented a set of recovery protocols following two major disruptions: the Sept. 11, 2001 terrorist attacks and a major power outage in 2003. Since then, the 707-employee security firm has spent $110,000 to upgrade equipment and build redundant capabilities.
"We provide essential services to our clients when they need us the most," says Ralph Martell, the company's regional vice president. "As we grew, we realized we weren't prepared to deal with a national emergency."
Cambridge analyzed business operations and identified its three most critical needs: clients, employees and communications.
"We did department-by-department budget reviews asking for givebacks of 5% to 10% from each department, because it's critical to the survivability of our business," Martell says.
The Manhattan-based company invested $82,000 to install a secondary T1 line and battery-powered backup system. The combination, Martell says, provides failover capabilities should the main power sources be lost.
Another $28,000 went toward a backup system of non-digital copper phone lines, which can power Cambridge's IP-addressable phones in the event of a disruption. The redundant phone system is "one step away from military grade," enabling Cambridge to transfer its New York command center to its New Jersey or Florida branch offices.
Taking preemptive action
On average, between 4% and 7% of annual data center budgets are spent on DR, says Robert Witty, a research analyst with Gartner Inc. in Stamford, Conn. This proportion is expected to rise to between 8% and 10% or more in coming years.
But with careful forethought, even companies with finite funds can design effective BC strategies.
"You can't create a budget in a vacuum. All companies should conduct a risk assessment and business impact analysis before doing a budget. That will help determine the amount of resources they'll need to get back up," says Danny Shaw, who heads the technology risk-management practice at Milwaukee-based Jefferson Wells.
BC planning software can help, although packages vary in features and pricing. According to Forrester's Market Overview, fully featured suites start at $100,000, while midrange packages cost upwards of $20,000. Stripped-down versions start at about $10,000.
According to the report, Strohl Systems Group is the market leader for BC planning software, with on-demand services starting at less than $600 per month, while more sophisticated products carry licensing costs of $100,000 or more.
Next in line is SunGard, which prices by component and number of concurrent users. Vendors offering entry-level or midrange scalable BC planning suites include Binomial International, Business Protection Systems International, Coop Systems, CPACS LLC, eBRP Solutions Inc. and Office-Shadow.
One option is to outsource data center operations, which can provide cost benefits, but this is not always the best solution. "If you're outsourcing, you won't have to dedicate staff to do the backups, plus you'll have the assurance of knowing that data will always be available if a server is down and your normal routine is disrupted," Witty says.
Aside from outsourcing, Witty notes that enterprises could purchase services that use the Internet to back up data or conduct data processing, rather than running physical data centers.
Companies should examine business processes, not just recovery practices, says Michael Miora, who runs the consulting firm ContingenZ Corp. in Playa Del Rey, Calif.
"Small companies need to figure out in advance what equipment people will need and make sure they have access to it. That might involve taking a small chunk of money to buy laptops for people to work at home," Miora says.
The important thing, according to Miora, is for employees to resume normal operations despite abnormal working conditions. Another consideration is the potential reputational damage and lost business of having to recover from scratch. This can be particularly problematic for companies that are geographically limited.
"If everyone else in your area is buying services, you could pay a premium to buy [backup and recovery] software overnight, if it's even available to you," Witty says.
Test, test and retest
Cambridge Security tests its BC plan every 90 days by disconnecting from a main power supply. The backup system provides enough power at full load for nearly two full days of operations round the clock, Martell says.
Yet most companies neglect to test. In a survey of 1,000 companies, Jefferson Wells International Inc. found that 86% of firms with BC plans had never put them through a dry run.
"If companies don't make business continuity planning a key budget item every year, they're being shortsighted," Shaw says.
However, even enterprises with BC plans routinely underestimate the length of outages. Nearly two-thirds have planned for a downtime of seven days or fewer. This is woefully inadequate in light of hurricanes and other catastrophes, according to Witty.
About this author: Garry Kranz is a freelance technology writer in Richmond, VA. His work has appeared in SearchCIO.com, SearchSecurity.com, and other TechTarget news portals.