Delivering the business value of IT. Recovery Site Evaluation: Finding Viable Alternatives Michael Croy Director, Business Continuity Solutions, Forsythe Solutions Group
Session Agenda - Past to Present: The Role of Alternate Sites in Recovery Planning Marketplace Survey Results Weighing the Alternatives: Pros & Cons of Insourcing and Outsourcing Case Studies Tough Questions that Have to Be Asked Q&A/Wrap Up
Alternate Sites - What is a disaster recovery site? An alternate facility that enables an organization to continue operations at a time of crisis, and may include: IT infrastructure Data network Telephony Personnel
Don t Choose this One! -
Alternate Sites: Past to Present - Late 1970s/early 1980s: marketplace for DR hot-sites is established with focus on IT recovery Initially based on the notion that organizations had relatively similar IT infrastructure needs Market consisted of mainly mainframe recovery solutions Early providers included Comdisco, SunGard, and IBM 1970 1980 1990 2000
Alternate Sites: Past to Present - Shared environment where several organizations paid a fee in exchange for access to a backup location in the event of a crisis Limited human recovery solutions existed 1970 1980 1990 2000
Alternate Sites: Past to Present - Marketplace grew significantly to include many new national and regional players Scope of DR solutions grew beyond mainframes to include workspace recovery Many new options for both IT and human recovery were introduced 1970 1980 1990 2000
Alternate Sites: Past to Present - Testing of DR plans became a primary focus and major expenditure for hot-site users Business continuity planning emerged as the watch word IT evolved from a nice to have to critical importance in daily business operations Demise of Comdisco (2001) 1970 1980 1990 2000
Ten Major Risk Management Trends Have Evolved Since and as a Result of 9/11 - An awareness of interdependencies The renewed focus on internal recovery alternatives A focus on the loss of personnel Trends towards integration of recovery, continuity, high availability and security (both physical and information) Strategies for dealing with the data explosion, both electronic and paper based records 1970 1980 1990 2000
Ten Major Risk Management Trends Have Evolved Since and as a Result of 9/11 - Planning for loss of strategic facilities The impact of the Internet & e-mail outages Awareness of communications issues & transportation limitations Regulatory issues have increased dramatically Terror concerns now based in fact 1970 1980 1990 2000
Impact of Regulatory & Compliance Issues - In the past five years, regulatory and compliance issues have become a major DR business driver: Sarbanes-Oxley Gramm-Leach Bliley HIPAA Bottom line: Organizations are now required to have stronger financial control and privacy measures instituted
Impact of Regulatory & Compliance Issues - What can we expect in the near future? Current regulations will expand to include privately held organizations in some states and perhaps even nationally Regulations will become better defined, which will make them easier to translate into specific initiatives for IT and the business You had better believe the auditors will know this!
Additional Business Drivers - Regulatory Sarbanes-Oxley, GLBA, HIPAA, etc. Governance Fiscal and Fiduciary SLA s Our customer s customers Risk Mitigation Regulatory compliance Data Protection Vulnerability protection
The New Marketplace for DR - Internal recovery capabilities for mission-critical data are gaining new respect and consideration Organizations are realizing they can leverage infrastructure changes to improve operational performance and build more resilient and costeffective recovery facilities The emergence of high performance backup applications and hardware are creating new recovery options for organizations The human factor and business continuity are emerging as primary goals
The Data Explosion - What s the impact on your business? Policies for determining the business value of your data will be as important as the technology for managing the storage of your data Storage of data could become a business performance issue, as well as a business continuity issue Alternative site infrastructure, cost and recoverability require a solid policy and strategy to deal with the Business Context of IT
Insource vs. Outsource - The best business decision depends on a careful analysis of the organization s IT infrastructure and, most important, how its collection of systems and data supports high-level business objectives It all revolves around the Business Continuity Gap
The Business Continuity Gap
Marketplace Survey Results - Is your company's IT disaster recovery capability currently insourced, outsourced, or both? 46% 42% insourced outsourced both 12%
Marketplace Survey Results - In the case where at least some IT disaster capability is outsourced, will the company consider insourcing the capability at the end of the contract term? 22% 51% yes no don t know 27%
Marketplace Survey Results - If the company will consider insourcing the capability in the future, what is the rationale why? Avoid availability/contention issues Enhanced Capabilities Better Recovery Time Low er Cost 49% 55% 58% 59% 0% 10% 20% 30% 40% 50% 60% 70%
Weighing the Alternatives - External Recovery Sites The Pros: Leverage vendor s knowledge and expertise Access to disaster-avoidance services Robust security, power and telecom capabilities Logistics assistance at time of disaster Potentially lower TCO Minimal impact on organization s resources
Weighing the Alternatives - External Recovery Sites The Cons: Many organizations neglect contractual language that governs accessibility, test procedures, excess fees, and the scope of equipment and services that the agreement includes (or excludes) Many organizations also discover they can t conduct DR test with their providers when they need to, leaving them susceptible to unnecessary risks Change management must be monitored closely to ensure the recovery site mirrors all changes in the organization s IT and business process infrastructure
Weighing the Alternatives - Internal Recovery Sites The Pros: Eliminate risks related to the use of pooled or shared equipment Better control over data and testing Improved monitoring capabilities More responsive change management No disaster declaration fees Leverage internal assets to achieve higher return on existing investment
Weighing the Alternatives - Internal Recovery Sites The Cons: Location is a primary factor that s often overlooked by organizations that house internal recovery sites Too close = huge risk exposure in the event of a natural disaster Too far = incur exorbitant costs due to employee travel and relocation expenses Cost
Costly Mistakes to Avoid - Regardless of whether you use an internal or external recovery strategy, careful planning can help you avoid costly mistakes: Location of recovery site Change management/capacity planning Mergers and acquisitions Organizational growth Limited testing time Accessibility at time of disaster Criticality of business elements
Case Study Outsource - A large Midwest manufacturer chose to outsource its facility: Didn t need short RTO s or RPO s Didn t have inhouse DR or BC expertise Limited IT resources space and technology Static infrastructure
Case Study Insource - A nationwide restaurant company and a large east coast utility company brought recovery in-house for the following reasons: Reduced RTOs and RPOs More flexibility over test schedules Leveraged existing internal assets (facilities and equipment) Better able to manage changes and capacity planning
Tough Questions to Be Asked - What are the costs associated with using an outside provider vs. building an internal recovery center? Do recovery time and recovery point objectives require facility exclusivity? What is the business value of the data in a fiduciary and fiscal context? What are the drivers for recovering the information?
Tough Questions to Be Asked - How critical is the access to and control of the data? Should testing be controlled by the provider or the business? What solution ultimately meets the business context of the organization? Is there a return for the business on the recovery site investment? Does the decision meet long term business goals? Can you better leverage your existing assets?
Insource vs. Outsource - Evaluate the context of your mission-critical requirements and then decide: Are the added costs of employing an internal recovery strategy justified by the higher availability and improved service levels? Does the plan provide answers to your fiscal and fiduciary liabilities? Regulatory and compliance issues? Governance? Customer relationships?
Delivering the business value of IT. Michael Croy Director, Business Continuity Solutions, Forsythe Solutions Group mcroy@forsythe.com