What you will learn in this tip: How to select the best managed business continuity service provider for your business continuity (BC)/disaster recovery (DR) planning services, and how to get the best results.
The managed services industry is huge. Within the business continuity and disaster recovery professions, many managed services providers' offerings focus primarily on protecting data centers, systems, applications and data. They may offer business continuity/disaster recovery services outside the technical side, but that's generally not their real focus. A main function of a managed business continuity service provider is to offer a selection of disaster recovery services, generally for monthly fees. This article looks at another aspect of BC/DR managed services: the provision of DR/BC planning services, and offers tips to help you select the best provider, obtain the best deal, and get the best results.
Managed business continuity/disaster recovery planning services relieve your organization of the responsibility of performing business impact analyses (BIAs) and risk assessments, developing and exercising plans, organizing awareness and training programs, maintaining plans and related documents, and facilitating audits and other quality management activities. An experienced third party performs all of these activities for a fee.
Naturally, you could make the case for a one-time project that covers all or some of the above activities. At the end, you'll have business continuity/disaster recovery plans, and that's about it. If that's sufficient for your needs, you may not be a true candidate for managed services.
However, if your firm recognizes the importance of protecting all aspects of its business operations, supply chain and other assets, but may not be willing or able to have the staff and overall financial commitment to a formal BC/DR program, a managed business continuity/disaster recovery planning option may be the answer. Also, if you already have a disaster recovery or business continuity program, and are concerned about the overhead costs, especially for personnel and office space, a managed service offering may also be a good alternative.
For very large companies, such as banks, that have well-developed BC/DR programs, a managed service option could be a major cost saving. It may even be possible for the managed services firm to acquire the company's BC/DR staff as part of the agreement. This is not uncommon in situations when large IT departments outsource all or part of their operations to a third party.
Pricing for business continuity services varies according to size of company
Numerous companies offer business continuity and disaster recovery managed services. These include Agility Recovery, SunGard Availability Services, CA, Cervalis, Consonus Technologies Inc., EMC Corp., IBM Corp., Iron Mountain, Lootok, Ltd, Paetec, Paradigm Solutions and Telehouse America, to name a few. Pricing for managed services is fairly straightforward if the issue is managing specific items, such as a desktop system environment or deploying an intrusion detection system.
For example, Dell's "direct-from-Dell" managed services costs are:
• Alerts: $9 per desktop or laptop per month; $59 per server per month
• Resolution: $39 per desktop or laptop per month; $199 per server per month
• Management: $59 per desktop or laptop per month; $299 per server per month
By contrast, more specialized managed services pricing can be quite variable, as individual situations do not always fit into neat packages. For budgeting purposes, fees for managed business continuity planning services range as follows: small firms, $200 to $1,500/month; medium-sized firms, $600 to $3,500/month; large firms, $1,000 to $6,500/month. If the managed services arrangement also includes acquiring the client's existing staff, the cost could easily double or triple.
Tips for choosing a business continuity service
Regardless of your situation, if a managed business continuity service option is being considered, be sure to consider the following tips. Remember that this type of service is for BC/DR planning activities. If you already use a managed services firm for IT operations, remember, that firm may be able to layer the planning component on top of its existing activities.
- Determine if your existing business continuity/disaster recovery function is important to the business, and supports its ability to achieve its objectives.
- Analyze your current expenditures, including staffing, frequency of scheduled activities such as business impact analyses, risk assessments, plan exercises and training programs.
- Look for situations where functions can be overlapped or combined, presumably to reduce staffing.
- Determine the level of BC/DR support you need now, and in the future. Be sure to also factor in the potential for regulatory and compliance audits, as these may happen only a few times a year, but are nonetheless very important.
- Once you have validated and benchmarked your existing BC/DR short- and long-term requirements, draw up a requirements summary that can be converted into a request for proposal (RFP) to potential managed services firms.
- Ensure that candidate firms have verifiable expertise in BC/DR planning activities, as described earlier. Just listing BIAs, risk assessments, plan development and exercising on a Website or brochure doesn't mean the firm is really experienced.
- Look for evidence of professional accreditations in the staff, such as those offered by DRI International, the Business Continuity Institute (BCI) and the International Consortium for Organizational Resilience (ICOR).
- Contact existing -- and sometimes previous -- clients for references. These are probably as valuable as the other criteria.
- Examine contracts carefully. Review service-level agreement (SLA) documents; if none is available, require that one be provided.
- Compare pricing options. Monthly fees may be based on some sort of metric; see if you can determine how prices are computed so you can compare vendor pricing.
- If one candidate is already providing your firm with managed services, see if the firm will offer you a discount to add the BC/DR planning services.
- Determine how frequently the vendor proposes to conduct services, e.g., weekly, monthly, quarterly. Ideally you should define the frequency of services in your requirements. That way you can determine if the vendors can satisfy your needs. Also, see if they offer any alternative arrangements that may save you money.
- Review samples of completed documents (e.g., BIAs, plans, exercise documents, training programs) the firms have submitted to clients; this is one way to ensure that they really know BC/DR.
- If your firm has developed an effective BC/DR process, be sure the managed services firm will be able to replicate your process. It may not be practical for that firm to make you change an already accepted process.
- Determine the firm's experience in disaster situations. How effective were their DR plans? How successful were client recoveries? For firms that provide IT disaster recovery services, it's also a good idea to investigate their technical disaster experience.
- Examine the firm's financial stability; consult D&B reports and any other documents that will indicate their overall condition.
Steps to take if you have no or minimal business continuity/disaster recovery activity
- Determine and agree that an internal business continuity/disaster recovery function is desirable and supports corporate business objectives.
- Ask other businesses about their experiences with an internal BC/DR function, as compared with a one-time or periodic consulting engagement.
- It may be useful to retain a consultant to help you determine your BC/DR planning requirements, and what the investment might be.
- Assuming an in-house BC/DR planning activity is a desirable and worthwhile investment, proceed to the steps listed in the previous section.
Managed business continuity/disaster recovery services offer yet another way to operate an internal business continuity/disaster recovery organization, but they do so without the overhead associated with an in-house operation. Check the candidates carefully, be sure of what you are getting before you sign contracts, and include a process to regularly evaluate the managed services firm to ensure you are getting the best value for money.
About this author: Paul F. Kirvan, FBCI, CBCP, CISSP, has more than 20 years' experience in business continuity management as a consultant, author and educator. He is also secretary of the Business Continuity Institute USA Chapter.