Some companies put it at the low end of their priorities, wise companies are putting disaster recovery at the top of the list and leveraging it to attract more business. Jeanne-Vida Douglass reports

When David Meiklejohn started as IT support team leader at database cleaning and enhancement outfit Acxiom he was already well aware of the importance of disaster recovery systems. In a previous incarnation at Digital (before it was swallowed by Compaq) he saw telecommunications outfit Optus forced to relocate its data centre after a major incident.

Hoping to avoid a similar event he set about writing a paper explaining the risks and repercussions Acxiom faced should it lose data, or access to its databases. Although Acxiom’s management was appreciative of his efforts, they remained confident their existing plan of switching processing requirements offshore would be sufficient in the case of a disaster.

“It wasn't so much that I wasn't taken seriously, but the attitude was more like well if a disaster happens then we can send some of our processing to our parent corporation in the US,” Meiklejohn explains. “So to get real money to be spent it required something more to happen. They thought they could get by.”

In the end it wasn’t a monumental disaster, but an air conditioner failure late in 2002 that forced management to rethink its approach. Initially the company decided to move its data storage to a Macquarie Corporate Telecommunications (MCT) telecentre in Pitt Street in Sydney's CBD. However, just as the company was in the throes of implementing this solution, another event set it on a different track.

“Initially we set Pitt Street up as a disaster recovery site, thinking very much in terms of how can we run our processing, rather than second-order issues of e-mail and that sort of thing,” Meiklejohn says. “Then in January 2003 we had a flood in the basement, and no one could get into the office for three days. After that we realised we had really done it the wrong way.”

Switching its focus more to the need for business continuity, Acxiom decided to take a more thorough approach.

“We are now running in a split environment; we run big Oracle databases on Unix boxes and that production equipment is all at the Macquarie Corporate site, whereas the production file servers for the office and that sort of thing are in our Bridge Street office (in central Sydney),” Meiklejohn says.

“So we have our development and testing environment for the Unix and Oracle side at our offices, and a disaster recovery environment for the office functionality at the MCT site. If we lose either site we are covered in both directions.”

Such a duel approach is becoming increasingly popular as upper level managers begin to focus on both data and access protection. And while this approach looks expensive, industry pundits argue that the key to disaster recovery and business continuity lies in integrating appropriate checks and balances into the overall IT infrastructure. In fact, they suggest that a well designed system can even offer savings in terms of operating costs.

An integrated approach

As a consultant for Citrix’s enterprise division Phil Osborne is looking increasingly at approaches which tightly integrate disaster recovery and business continuity features into standard information systems.

“Our whole approach to disaster recovery is based around the idea that you still need to protect your data and the recovery servers, but if your staff can't get access to that once a disaster occurs then you are back to square one,” Osborne says.

According to Osborne ideally companies should have two data centres, each with full production capabilities, operating at about 60 percent of their total capacity. In the case of a disaster at one centre, staff can be automatically switched to the other, without interrupting the flow of business.

“So the days of just keeping a disaster recovery site there just in case, but not actually doing anything and not making money for the business, are long gone,” Osborne says. “By integrating disaster recovery into your normal day-to-day operations the costs go down considerably and the ROI is very fast.”

Rosemary Stark, national business manager for data centre solutions at IT integration outfit Dimension Data, takes a similar approach.

“CIOs need to look for ways to use that infrastructure so they are not compromising disaster recovery but are using it to solve other business issues as well,” Stark says. “By using the disaster recovery site to do some of the more intrusive day-to-day maintenance that we would usually do in our production environment, we increase our overall productivity.”

Stark goes on to point out that an integrated disaster recovery model pays for itself even more quickly because companies are able to use the back-up systems to fulfil service level agreements with customers.

“We are using a more holistic approach which looks for opportunities to reuse infrastructure, and leverage disaster recovery solutions to meet other business needs,” Stark says.

Not only are companies discovering that an integrated approach to disaster recovery expands their IT infrastructure in a way which enables them to win business, some are finding that without disaster recovery infrastructure they may face losing business, whether or not a disaster occurs.

“You asked how do you sell it to the CFO, well it was very easy after the flood,” Acxiom’s Meiklejohn says when asked about approaches he has used to ‘sell’ disaster recovery.

Traditionally disaster recovery has been placed IT managers and CIOs in a bit of a no win situation. It was often very difficult to convince upper management and especially finance departments to spend money on disaster recovery. If a disaster actually occurred it was almost inevitable that blame should fall on the shoulders of the IT department.

However, recent changes to legislation in the US and the UK, as well as changes to the APRA (Australian Prudential Regulation Authority) have seen disaster recovery and business continuity systems move to front of mind for the boards of directors in many companies.

Steve Cartland, manager of business continuity services for Hewlett-Packard in the South Pacific believes there are two factors driving disaster recovery uptake in corporate Australia: corporate governance issues and risk management, and he believes the last two years has seen increasing emphasis placed on the former.

“The sleeping driver has been corporate governance, as companies which operate across several jurisdictions are being forced to comply with changes to the law in either the US or the UK,” Cartland says.

Like many in the industry he believes boards of directors began paying real attention to disaster recovery when they realised they may be held personally liable for company failures due to insufficient data recovery or business continuity infrastructure.

In a similar vein Seamus MacLochlainn, director of business continuity services for consultancy Montrose, says IT managers are more likely to get a hearing regarding disaster recovery plans if they point to the possible legal ramifications.

“There are potential legal impacts. If you let your business partners down they can sue you,” MacLochlainn says.

“Credibility, reputation and failure to adhere to standards will put you out of business in a world where credibility, reputation and ethics are very important.”

However, government regulations, and personal liability aside, there is another group looking to ensure that the companies they deal with have reliable disaster recovery plans in place; the customers.

Dimension Data’s Stark increasing customer awareness of disaster recovery issues is at least as important a driver as increased regulation.

“Recent changes to the legislation for listed companies in Australia have accelerated data recovery uptake, but there are still two magic phrases which drive the importance home to upper management: financial loss or loss of customers,” Stark says.

“Customers are often more rigorous than the companies themselves because they see a definite value in ensuring they get access to the service they have paid for.

And when it comes to the coal face, Meiklejohn believes the company’s investment in disaster recovery has actually won the company business.

“The increasing focus on Internet-based delivery being down for a couple of days when you are delivering information via the Web is not an option, so it has really become customer driven,” Meiklejohn says.

“We are now seeing disaster recovery as a checklist item on some of the jobs we tender on. That is to say some of our disaster recovery systems have given us access to more work.”

Finding the right approach

However, there are IT managers and CIOs out there for whom disaster recovery continues to be a hard sell. Frustration is perhaps most strongly felt in the small to medium end of town, where disaster recovery infrastructure, albeit integrated, represents a far greater proportion of overall revenues.

Tim Smith, marketing manager for storage vendor Hitachi Data Systems says the assumption that those companies that spend on disaster recovery systems are those with the most to lose is not always correct.

“As a general rule, a large enterprise will have more money to spend on disaster recovery, but they probably have less to lose, from a personal point of view,” Smith says.

“In a small or medium enterprise the manager is the person who created the company and if they lose that business, the personal cost is a lot higher; they often have houses and mortgages tied in with the business.”

Whatever the size of the company the key to getting a disaster recovery proposal approved, according to many in the industry, lies in bringing different levels of management into the design and decision process.

“If the first time you are discussing it with the CFO is when you are putting the presentation on the table, it won't fly,” Smith says. “A lot of it comes down to the pre-work.”

Smith believes upper management can be brought into the design process as long as it is clear that disaster recovery plans focus on business continuity rather than risk aversion.

“When you are talking to a CEO the core area of their business is how to gain competitive advantage and maximise business opportunities. The CFO is thinking of how to minimise costs and reduce risk to the business, and the CIO is always looking to be more operationally efficient,” Smith says.

“Disaster recovery needs to fit into all their requirements.”

Similarly, Stark says IT managers need to move away from the traditional insurance metaphors when it comes to pitching disaster recovery expenditure.

“We have moved entirely away from the insurance metaphor, because while people look at disaster recovery initially with that in mind, they generally will be more favourable if they can see it as more of an opportunity to take control of their IT environment,” Stark says.

Ultimately, a disaster recovery plan needs to make sense to its readers, or it is simply won’t get sign off. Montrose’s MacLochlainn goes to the core of the requirement.

“You have to answer the question: what could happen to our business, what could happen to my role, and what am I accountable for?” MacLochlainn says.

“No one does disaster recovery without a justification, nobody does it without understanding the impact.”