Disaster Recovery Journal- Volume 13, Issue 3 - Summer 2004 Issue

Return to the
Summer 2004 Issue

DISASTER RECOVERY
JOURNAL

P. O. Box 510110
St. Louis, MO 63151
(314) 894-0276
Fax: (314) 894-7474
Internet www.drj.com
E-mail drj@drj.com

PUBLISHER &
EDITOR-IN-CHIEF
Richard L. Arnold, CBCP
richard@drj.com

SENIOR EDITOR
Janette Ballman
janette@drj.com

MANAGING EDITOR
Jon Seals
jon@drj.com

ASSOCIATE EDITOR
Ed Pearce, CBCP
ed@drj.com

COPY EDITORS
Richard Sandhofer
richards@drj.com
Pamela Clifton
pamelaclifton@hotmail.com

ADVERTISING
Robert Arnold
bob@drj.com

_____________

Corporate

President/CEO
Richard L. Arnold, CBCP
richard@drj.com

Vice President
Robert Arnold
bob@drj.com

CONFERENCE COORDINATOR
Patti Fitzgerald, CBCP
patti@drj.com

CONFERENCE REGISTRAR
Merce Knese
mercedes@drj.com

CIRCULATION
Laura Baugh
laurab@drj.com

EXECUTIVE COUNCIL
Jeff Dato, MBCP, KPMG
John Jackson, IBM
Edward S. Devlin, E.S. Devlin & Associates
James Hammill, CBCP, JMH Consulting Inc.
Pat McAnally, SunGard Availability Services
Brian Turley, Strohl Systems
Belinda Wilson, Hewlett-Packard

INTERNATIONAL
CONTACTS
England: Thom Hetherington
Business Continuity
Phone: 0161-237-1007
thomh@tempus.demon.co.uk

Australia: Anthony J. Harvey
Journal of Business Continuity
Phone: 0011-613-953-0055-8
fax: 0011-613-953-0528
sector@notability.com.au

Japan: Shinji Hosotsubo
Quake Japan Co., Ltd.
Phone: 03-3215-2880
fax: 03-3215-2881

Brazil: Jose Carlos Ferreira
Disaster Recovery Mercosul
Phone: 55 11 3666-9506
conc2000@uol.com.br
www.drms.com.br

Click Here for a Printable Version

DATA PROTECTION

The Business Value of Data

By MICHAEL CROY

What is the value of your organization’s data?
The ability of business and IT managers to answer that question directly correlates to the success of their company’s business continuity and data recovery efforts. The answer is difficult to provide, given the massive amounts of data coursing through organizations and the fact that the value of data changes frequently and quickly in today’s unpredictable, highly competitive, and increasingly regulated business environment. Business continuity and disaster recovery professionals should collaborate with their business partners to address the difficult challenge of restoring data in a timely and cost-effective way.
Most business managers say their data must be highly available, but few identify which data needs to be highly accessible and which data can be stored in less accessible locations. Few companies can afford the cost of storing all data in a highly accessible, immediately recoverable manner.
As data ages, it often becomes less valuable to the business. As a result, the frequency and speed needed to access the data also decrease. By developing frameworks for identifying and tracking the changing value of data and storing it accordingly, business continuity and disaster recovery professionals can restore their company’s most important data faster. Rather than taking several days or more to restore all 40 terabytes, for example, they can first restore the most critical 10 terabytes of data in a matter of minutes or hours.
Storing data in a way that supports the company’s changing business needs also lowers the total cost of storage. Lower-value data can be migrated to less expensive storage locations. Higher-value data is stored in highly accessible, immediately recoverable, and more expensive locations. That arrangement enables companies to respond quickly to changing regulatory requirements, strengthen the security and integrity of their most important information, and more efficiently scale information access and recoverability to meet changing business needs.
Currently, there is a limited set of tools available to help identify the value of an organization’s data, monitor its useful value, and migrate data to storage that is commensurate with its present value to the organization. The IT department and the CIO should work closely with the CEO, CFO, the legal department, the compliance office, applications owners, HR, the business units, and other information owners to get a handle on the value of data to each section of the business.
That collaboration is vital. The responsibility for identifying the value of data resides with the business. IT’s role is to match data value with data storage to support the business.

Data Value Determines Data Storage
Thirty years ago an employee from what was then known as the data processing department would deliver a two-foot stack of paper to a business manager’s desk. The manager would use that information to help guide his decision-making over the next month. Thirty days later, the data processing employee would deposit another stack on the manager’s desk.
Today, that information is updated instantaneously and it is delivered to the appropriate knowledge workers with the stroke of a key. Data is the lifeblood that nurtures the applications knowledge workers rely on to help make crucial decisions.
Sound business continuity and data recovery plans ensure that a company’s most important information remains accessible, accurate, and secure, even when the unexpected occurs. An organization’s approach to data storage should enable that continuity, integrity, and security. Twenty years ago, the bulk of an organization’s data was still stored in file folders and the data’s value to the business changed less frequently. Today, the amount and complexity of data has increased exponentially, and it is scattered throughout the organization on numerous storage devices, networks, servers, and laptops.
Traditional methods of data backup – storing the data on tape and moving it offsite – provide minimum recovery times of about 48 hours. In today’s real-time environment, 48 hours represents an eternity. Select data needs to be protected in a highly available format using sophisticated replication technologies that reduce recovery times to minutes or even seconds. Storing all data in the most highly accessible and recoverable manner doesn’t provide the best return on investment.

Data Value Changes ... Constantly
The alignment between data value and data storage would be a straightforward and easily manageable proposition if business were conducted in a vacuum untouched by change. But business changes, sometimes radically, from year to year, from month to month, and, in many sectors on a daily basis. Those changes affect the importance and value of the data that flows through the applications that support key processes and inform knowledge workers.
For example, if a pharmaceutical corporation sells a business that produced the parent company’s only line of aspirin, the transactional and inventory data for that product line will no longer factor into the corporation’s day-to-day financial performance. The transactional and inventory data have suddenly become much less important to the parent company. The executive team no longer needs to see aspirin sales data on their executive dashboards.
Yet, the same data remains important to different parts of the organization even after the sale of the aspirin business. The finance organization, for example, still needs that data for its year-end reporting. Other businesses or product lines within the company that use the same suppliers may want access to the data well beyond the end of the fiscal year. And federal regulatory agencies likely require the company to maintain detailed records of suppliers and customers for several years.
Although the pharmaceutical corporation may not require immediate access to aspirin-related data after the sale of that business, it still needs access and, equally important, a policy that documents what that access is and how it is provided. The absence of that guidance can cause headaches.
The organizational importance of data changes over the course of its lifetime. The value of the data that flows through a highly automated supply chain changes quickly as an order is fulfilled. If that order is a large one from a top customer, the data contained in the order might be of “bet-the-business” importance to the company fulfilling the order. Once the order and billing process have been successfully completed, the order data, while still important for financial and tax purposes, is much less critical than it was days or hours earlier.
The Sarbanes-Oxley Act, HIPAA, Graham-Leach-Bliley, and other sweeping regulatory changes pose unique data storage challenges for different companies in different industries. Yet, all of the major regulations that have appeared in the past five years share a common theme. They generally require companies to establish, document, monitor and maintain the availability, authenticity, accessibility, security, and recoverability of their data. Data concerning internal controls, for example, became more important to publicly listed companies on the day that Sarbanes-Oxley became law.
In some cases, data can transform from critical to worthless in a matter of months or days. An effective information life cycle management strategy keeps pace with those shifts and, in doing so, ensures unfettered access to crucial data while optimizing an organization’s storage investment.

Information Classification
A company would never tether its top sales person to a desk in an administrative position. Nor should it relegate its most important data to legacy storage. Savvy executives also groom successors in case their top rainmaker leaves the company for greener pastures. Similarly, savvy management teams ensure their most valuable data can be recovered if an unexpected event strikes.
For that reason, effective data and storage management represents a key component of business continuity and data recovery planning. Savvy IT managers ensure data is stored, accessible, secure, and recoverable in ways that align with its importance to the business. The following data-valuation framework can help managers classify data so it is stored appropriately in light of business importance and in accordance with recovery needs:
1. Mission Critical: Frequently used, immediate availability, significant and immediate financial impact, significant and immediate operational impact, eventual compliance impact.
2. Business Critical: Regularly used, reasonably available, significant long-term financial impact, significant operational impact over time, eventual compliance impact.
3. Essential: Periodically used, available within defined timeframe, potential long-term financial impact, probable operational impact over time, probable compliance issues.
4. Consequential: Occasionally used, available within extended timeframe, possible but not likely financial impact, possible operational impact over time, probable compliance issues.
5. Non-Critical: Rarely used, limited availability, unlikely financial impact, doubtful operational impact over time, potential compliance impact.
6. Inconsequential: Used only on request, limited availability, no financial impact, doubtful operational impact over time, potential compliance impact.
7. Disposable: Never used, no need for availability, no financial impact, no operational impact, no expected compliance impact.
Mission-critical data might include quarterly expense figures and a list of addresses of key suppliers – or it might not. Each organization will define the value of its data in a different way. The management team for a national restaurant chain, for example, might be perfectly fine with being able to recover transaction data from its sole New York location within two to three days of an outage or disaster. A Wall Street investment firm, on the other hand, would likely define its transaction data as mission critical. The financial services firm and the restaurant chain face different types of regulatory demands – all of which should be reviewed in the data valuation process.
Once that process takes hold, companies are better positioned to make more cost-effective decisions about future storage investments. The storage of data is optimized so that lower-value data is not slowing access to the type of data that drives decision-making.
And, most important, when a system outage occurs, business continuity and disaster recovery professionals immediately restore information to the business in the quickest, most cost-effective and business-savvy manner.

Michael Croy joined Forsythe in 2002, bringing more than 20 years of experience in building, developing, and implementing disaster recovery and business continuity programs. As Forsythe’s business continuity practice manager, Croy is responsible for the company’s business continuity offerings, including risk analysis, best practice models for continuity of IT infrastructure (storage, server, and network), and disaster recovery planning, strategy, and management.