DISASTER RECOVERY JOURNAL
INDUSTRY TREND
Building a Business Case For Disaster Recovery Planning
By KEVIN RODEN
Managers who are responsible for getting businesses up and running
after a disaster are faced with a truly heroic challenge – especially
since they are often faced with limited or no budget to accomplish this
task. Financially justifying requests to senior management for the funding
of disaster recovery planning and testing can prove a difficult task.
The trick is to understand and communicate the real costs of not properly
protecting business priorities to help get the critical support and
sponsorship from senior management.
The completion of a full business impact analysis (BIA) will reveal
the true costs of downtime for a business, but a BIA can be very expensive,
and many executives are reluctant to invest without some way to measure
the value or return. One way to more easily demonstrate real metrics
for justifying DR planning is to focus on one particular area, such
as IT system downtime – which will help illustrate the plausible
severity and cost of being unprepared.
IT system downtime is a good place to start in making your case to senior
management, since virtually every company faces the risk of IT interruptions
that can bring business to a halt. So it’s easy to illustrate
“disasters” that prevent your business from accessing the
data and systems it needs to operate, including regional power outages,
virus outbreaks, employee sabotage and terrorist attacks.
Using a case study of one of our company’s business units, we’ll
walk through a series of steps to help you build the financial business
case to justify disaster recovery planning and testing for your own
organization, using IT system downtime as the focus area of cost. We
conducted this particular exercise a few years ago and it was highly
useful in garnering increased funding for disaster recovery planning
and testing, which in turn have successfully reduced our systems downtime.
Step 1: Identify the business continuity components you will focus on
There are four components of a comprehensive business-continuity plan:
people, property, systems, and data. When we conducted this project
several years ago for ourselves, we decided to begin with the systems
and data.
Step 2: Define what you’re protecting
Identify the core competency of your business and define what supporting
IT elements must be protected to support it. This is the heart of what
your business does – your competitive advantage in the marketplace.
Local service is our core competency, so our systems must always ensure
local service levels for all of our customers.
Step 3: Prioritize business functions
Next, prioritize the business functions that support the core competency
and the systems that are needed to support them. You’ll typically
spend 80 percent of your available resources to restore the 20 percent
of your systems, applications, and data that these functions depend
upon. In our example, three systems were identified:
- Vault Management – the company’s primary operational
system that manages off-site tape inventories and movement.
- Customer-Facing Applications – hardware and software used
by customers to retrieve information or to communicate with us about
their account(s).
- E-Mail – critical for customer service and communication.
Step 4: Classify outage types, frequencies, and duration
At the time of the project, this business unit had three data centers
spread across the country, connected by a private, high-speed ATM
network. There were about 60 branch locations, each connected
to two data centers in the wide area network to provide redundancy.
Our IT help desk provided records of past branch outages. Their log
of trouble tickets supplied much of the information that was needed.
Four types of outages were identified:
- Branch Outage – One of the 60 branches goes down. These were
typically caused by faulty routers, malfunctioning LANs, or a loss
of electrical power – only rarely by a natural disaster. They
affected an average of eight branch offices each month and each one
lasted from one to four hours.
- Regional Outage – This affects multiple branches within a
single geographic region; most often caused by telecommunication-company
failures.
- Data Center Outage – This occurs when one of the division’s
three data centers goes offline. Application failure – not fire,
flood, or other catastrophe – was the biggest reason for a data
center outage.
- National Outage – Exceedingly rare, the only recent example
is “Black Monday” in 1999 when AT&T’s telecom
network failed nationwide.
Step 5: Calculate the cost of downtime
Factors that need to be considered include potential lost revenue, reductions
in worker productivity, damaged reputation with customers and in the
marketplace, etc. Financial analysts and accountants at your company
can help you come up with the factors for your business. In our case,
the bulk of the outage expenses were the labor charges for the team of
technologists who had to resolve the outages. Also included were the cost
of manually recording the 727,000 transactions that are recorded by our
systems each day, plus the cost of entering those transactions once the
system came back online.
Frequency x Duration x Hourly Cost = Lost Profits
A “sample” cost for branch outages can be calculated as follows: with
90 total branch outages in an average year, each lasting an average of
1.5 hours, and a cost of $300 an hour (use the daily cost divided by the
number of hours in a day), the cost of branch outages for a year would be
in the neighborhood of $40,500.

How Much Disaster Preparedness Can You Afford?
The chart above is for demonstration purposes only. It lists “orders
of magnitude” instead of specific dollar amounts. You can create
a chart for the calculation of the cost of downtime specific to your
own organization.
We can use the sample cost of branch downtime that we calculated at
$40,500 to be the “1X” “minimum impact” cost
for this chart. Rarely, but episodically, there will be an event for
which branch outage costs will be unusually high. It may only occur
every six or seven years, but you want to include it since it represents
real costs.
After you calculate the financial impact of outages, you can calculate
a payback period for any investment by using guidelines provided by
your accountants, such as a three-year payback period. If you use a
three-year payback period, you can demonstrate that there is solid payback
value for any investment that is up to three times the annual cost of
the downtime cost you have calculated.
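The calculation from Steps 4 and 5 and the payback rule above, worked from a ticket log, as an added example that is not part of the original article. The ticket lines, the log format, the function names and the regional hourly rate are constructed for illustration; only the branch figures (90 outages, 1.5 hours, $300 an hour) come from the text.

```python
import csv
from collections import defaultdict

# Constructed one-year extract of help-desk tickets: date, outage type, hours down.
# The 90 branch tickets averaging 1.5 hours mirror the article's sample; the rest is made up.
TICKET_LOG = "\n".join(
    ["2003-01-15,branch,1.0"] * 30
    + ["2003-05-15,branch,1.5"] * 30
    + ["2003-09-15,branch,2.0"] * 30
    + ["2003-03-02,regional,3.0", "2003-11-20,regional,5.0"]
)

# $300/hour for a branch is the article's sample figure; the regional rate is a placeholder.
HOURLY_COST = {"branch": 300.0, "regional": 2000.0}


def downtime_costs(ticket_log, hourly_cost):
    """Per outage type: (frequency, average duration in hours, annual cost)."""
    durations = defaultdict(list)
    for row in csv.reader(ticket_log.splitlines()):
        if len(row) != 3:
            raise ValueError(f"malformed ticket line: {row!r}")
        _date, outage_type, hours = row
        if outage_type not in hourly_cost:
            # Refuse to guess a rate: every outage class needs a figure from finance.
            raise ValueError(f"no hourly cost agreed for outage type {outage_type!r}")
        if float(hours) < 0:
            raise ValueError(f"negative duration in ticket line: {row!r}")
        durations[outage_type].append(float(hours))
    costs = {}
    for outage_type, hours in durations.items():
        frequency = len(hours)
        average = sum(hours) / frequency
        # Frequency x Duration x Hourly Cost = Lost Profits
        costs[outage_type] = (frequency, average, frequency * average * hourly_cost[outage_type])
    return costs


def investment_ceiling(costs, payback_years=3):
    """Largest investment covered by the payback period, assuming it removes this downtime cost."""
    return payback_years * sum(annual for _, _, annual in costs.values())


if __name__ == "__main__":
    costs = downtime_costs(TICKET_LOG, HOURLY_COST)
    for outage_type, (freq, avg, annual) in costs.items():
        print(f"{outage_type:9s} {freq:3d} outages x {avg:.1f} h = ${annual:,.0f}/year")
    print(f"3-year payback ceiling: ${investment_ceiling(costs):,.0f}")
```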
Conclusion
Disaster preparedness and recovery planning is an iterative process,
not a one-time event. You need to continually revisit disaster-recovery
plans to ensure they remain aligned with current business realities
and goals, and test those plans regularly to ensure that they perform
as planned.
Kevin Roden is executive vice president and CIO for Iron Mountain, positions
he has held since joining the company in 1999. Previously, Roden was with
Fleet Boston Financial, where he was the CIO for the banking subsidiary.
Prior to that, he held numerous technology and management positions in
a 20-year career at BankBoston, most recently as executive director of
U.S. technology, responsible for all domestic technology.
©Copyright 2004 Systems Support Inc. All rights reserved. Reproduction in whole
or in part in any form or medium without the express written permission
of System Support Inc. is prohibited.