DISASTER RECOVERY 
JOURNAL

P. O. Box 510110
St. Louis, MO 63151
(314) 894-0276 
Fax: (314) 894-7474
Internet www.drj.com 
E-mail drj@drj.com

PUBLISHER
Richard L. Arnold, CBCP
richard@drj.com

EDITOR-IN-CHIEF
Jon Seals
jon@drj.com

SENIOR EDITOR
Janette Ballman
janette@drj.com

COPY EDITORS
Richard Sandhofer
richards@drj.com
Pamela Clifton
pamelaclifton@hotmail.com

ADVERTISING 
Robert Arnold
bob@drj.com

_____________

Corporate

President/CEO
Richard L. Arnold, CBCP
richard@drj.com

Vice President 
Robert Arnold
bob@drj.com

CONFERENCE COORDINATOR
Patti Fitzgerald, CBCP
patti@drj.com

CONFERENCE REGISTRAR
Merce Knese
mercedes@drj.com

CIRCULATION
Laura Baugh
laurab@drj.com

EXECUTIVE COUNCIL
Jeff Dato, MBCP, KPMG
John Jackson, J Albright Advisors
Edward Devlin, E.S. Devlin & Associates
James Hammill, CBCP, JMH Consulting
Pat McAnally, SunGard Availability
Brian Turley, Strohl Systems
Belinda Wilson, Hewlett-Packard


INTERNATIONAL
CONTACTS
England: Thom Hetherington
Business Continuity 
Phone: 0161-237-1007
thomh@tempus.demon.co.uk

Australia: Anthony J. Harvey
Journal of Business Continuity
Phone: 0011-613-953-0055-8
fax: 0011-613-953-0528
sector@notability.com.au

Japan: Shinji Hosotsubo
Quake Japan Co., Ltd.
Phone: 03-3215-2880
fax: 03-3215-2881

Click Here for a Printable Version

To Outsource or Not Outsource

By CHRIS HYRNE

Whether using a service provider or going in-house, disaster recovery comes down to flexible, well managed practices
Tape vaulting services from business continuity service providers (BCPs) have traditionally provided the last line of defense for many companies’ disaster recovery plans, particularly for mid-sized enterprises. However, growing requirements to recover operations more quickly than with traditional service offerings caused companies to look hard at internal alternatives. Now, BCPs have seen recent resurgence due to the emergence of long distance replication software as a viable solution for offsite data protection and recovery. BCPs are now able to offer a range of warm and hot site recovery options with near real-time recovery time/recovery point service levels and minimal disruption to their clients’ IT operations.
As the menu of options grows for companies pressed to improve business recoverability, the decision to outsource or to go in-house becomes less clear. Mobile computing has reduced clients’ dependency on BCP-provided office space, a significant bottleneck for BCPs offering regional disaster recovery services. Test time offerings have improved as well. The “standard” one week of test time per year goes quite a bit farther when recovery times are measured in minutes instead of hours or days. But when service level metrics dictate quick recovery, the overriding factor is proficiency. The ability to aggregate skills and maintain compliant recovery practices may be the biggest factor weighing in the BCP’s favor. The BCP’s only business is recovery: every hour of every day. The typical internal IT department may “practice” recovery two to four times a year at best.
For those looking to pursue an in-house strategy it makes sense to take some of your leads from the BCP model:

• Review your remote recovery. A successful recovery plan should incorporate an offsite capability for data and application recovery, and that the center should be substantially removed from your production sites. This sounds basic, but most firms today still only have sufficient practices in place for local recovery and offsite tape storage. Accordingly, implement a three-tier geographic plan for where, when and why data protection and recovery will take place: local protection and recovery at your production site(s) to maintain operations in the event of data loss, establish an offsite disaster recovery capability for site or infrastructure loss, as well as an archive (the bunker) for certification of records retention.
• Consolidate protection and recovery operations where you can. Putting your eggs in one basket may sound counter-intuitive but it does make sense. The biggest challenge to compliant recovery is solidifying your operational practices. Consider creating a center or centers of competency and move your data to sites where you can achieve better control through centralized management, leverage key skills, and gain economies of scale.
• Build a hardware-independent framework. One CIO told me he thinks of data protection and recovery as a business application, not infrastructure. “We used to buy data protection for the hardware. It should be the other way around. No one ties their business applications to specific hardware platforms,” he said. This approach will drive greater flexibility in meeting evolving service level requirements and allow deployment of more cost-effective infrastructures.
• Automate with care. These days there is a lot of “buzz” from the vendor community about automated recovery. Automation can be a very good thing and works well when things go as planned, but it is not a replacement for human judgment from skilled administrators when things go “bump” in the night. Think about automating discrete process steps first, before tackling end-to-end processes. The sequence of recovery steps may vary, depending on the events leading up to and following a partial, rolling or complete loss of processing at the production site.
• Know your RPO. Today, emphasis is still placed on recovery times (RTO). But the currency of your recovered data (RPO) is equally as important. For both, define service levels for not only your financials and transactional data but also data essential to the business such as e-mail, supply chain data, CRM and lead generation databases. And be prescriptive; build a basic menu of service levels that you offer, and know you can deliver with confidence.

When choosing between outsourcing to upgrade your disaster recovery capabilities, or building out your own infrastructure, the primary consideration is skills. In either case, a flexible service delivery framework, based on a utility model, can provide the foundation for success.

©Copyright Systems Support Inc. All rights reserved. Reproduction in whole or in part in any form or medium without the express written permission of System Support Inc. is prohibited.