In Business Continuity, Size Matters

Starting Small

Some time ago a I read a forum posting by a disenchanted attendee at a lecture on business continuity who obviously felt that their time or money had been wasted. “It's all just backup, isn't it?” was her complaint.

It bothered me because I knew the lecturer (who was competent) but not the context. I also knew that I'd given a press interview where, when asked my key advice for very small businesses, I'd replied “backup, backup, backup”.

I've since concluded that the poster must have attended a lecture tailored to very small business which failed to explain how things get complicated as you get larger. For the smallest companies, a plausible disaster recovery plan is something like this:

1. Go out to Best Buy and buy 5 replacement PCs, a wireless router, and lots of Cat5 cable.
2. Install the computers in a temporary location (e.g. a staff member's basement), along with a telephone, internet connection, etc.
3. Order telephone and internet services from your local telephone company.
4. Restore the computers from off-site backups.

The critical part here is backup. If you don't have a recent off-site backup, you can't put even this rudimentary disaster recovery plan into action

Scaling Up

There are a major differences as you get bigger.

As an analogy, considering giving a dinner party where you serve strawberries and ice cream to half a dozen friends. ¹ .

You buy the strawberries and ice cream at the local supermarket, put the ice cream in your freezer, the strawberries in a cool place. At the dinner party you get the ice cream, let it warm up a little, and serve it with strawberries to guests.

You now decide to hold a bigger party with twelve guests. You double the quantities ordered, the freezer gets a little cramped, but otherwise there is no change.

So you decide to hold a dinner party for 12,000 guests. ²

It's no longer just a question of a bigger order from your local supermarket:

• You need to buy strawberries in wholesale quantities, possibly on the futures market.
• You need to arrange trucks and truckers to ship the strawberries.
• You need to arrange refrigerated and chilled storage
• You need to arrange a special venue.
• You need to arrange plates, cutlery, washing up.
• You need to arrange insurance.
• You need to arrange security guards, parking valets, first aid, waiters and waitresses, etc.
• You need to send out invitations, and process replies, and ensure only invitees attend.
• … and so on.

It's no longer a simple matter within your realm of expertise. You may even need to use a consultant to assist with planning and running the dinner party.

Scaling Up in Business Continuity

In Business Continuity and Disaster Recovery it isn't any different. Past a certain size the simple disaster recovery plan outline above just doesn't work. The equipment isn't readily available from the local computer store. A space which meets power, networking, and heating, air conditioning, and ventilation requirements can't be rented immediately. A space where people can work may not be available. You need to figure out (in advance) who does what and when.

Simply recovering to the latest backup may not be good enough. (How happy would you be if your bank recovered your banking transactions to the end of the previous day). Being incommunicado for an extended period after the disaster takes place (when your customers and suppliers are trying to reach you) might not be acceptable. Your staff will still expect to be paid, even if their timesheets (and the accounting system) went up in smoke.

The questions which must be answered for a larger business are many:

• Who will talk to the emergency services? The press? Your customers? Your suppliers? The employees?
• How will equipment be salvaged?
• How will a damaged site be secured?
• What information is needed for insurance claims to be made and verified?
• Where will people work? What should the people unable to work do?
• …

The list of questions is many, and the ability of you (or anyone) to answer them immediately after a disaster without pre-planning is limited.

So at the very small company level, it is mainly a matter of backup. Some pre-planning will help (Where can we work from? Which documents are critical and where can we store them safely?) but the time and effort invested may be minimal.

As a company grows bigger, disaster recovery requires more pre-planning. Backup (which nowadays is more likely to involve internet data transfers than moving tapes) is still of vital importance, but ensuring that you have the knowledge and resources to rebuild a data center at an alternative location at short notice becomes critical. You need to plan what staff will do during and after a disaster.

Grow even bigger, or work in a critical industry (or government department) and an interruption to operations may be unacceptably expensive. You need to think in terms of delivering services in spite of disasters, not just recovery. Losing any data may be unacceptable, and a redundant infrastructure becomes necessary.

So it isn't just backup. Backup is just the beginning.

¹ I wish this example of scaling up was mine. Unfortunately I've lost the original reference so can't credit its originator.

² In Toronto, Canada, “Honest” Ed Mirvish — owner of the unique store Honest Ed's — holds a free party for the local community on his birthday with literally thousands of attendees. As far as I know he doesn't serve strawberries and ice cream, but the logistics for the event are not trivial.