How far away should a hot site or mirror site be?

A question that is often asked when designing a disaster recovery plan is how far away a hot site or mirror site should be. Is there a simple answer?

23 miles, 39 yards 2 feet and six inches.

I really wish answering the question, which I'm often asked, was as simple as that.

It recently struck me that two clients I had been working with had hot sites the same distance away. In one case, I had advised the client that the hot site was too close; in the other the advice had been not to put the hot site further away. Inconsistent? Not really. The recommended distance to the hot site comes as always from a Risk Assessment and Business Impact Analysis.

First of all, let's look at the reasons for putting a hot site as close as possible:

  • It's cheaper. Put simply, it costs less and takes less time for your staff to travel too and from the hot site, both during exercises and following a disaster. Equipment can be moved between the sites at reasonable cost.
  • Communication latencies between the two sites are lower. This enables you to split IT processing load between the two sites, and use synchronous replication techniques that eliminate data or service loss. Computer equipment need not sit idle waiting for a disaster: it can help provide better service times in daily situations too.
  • It's more convenient. Let's face it, if it's in a convenient location you are more likely to check it, use it for exercises, and so forth. And if there is a disaster, how long will staff be willing to work away from home in another city?

So why isn't the hot site or mirror site next door? The risk is that a single incident disables both the alternative site and the main site. What types of incidents could affect both sites?

  • A building collapse, explosion, or fire will affect not just the main building but also surrounding buildings. Even if the surrounding buildings are undamaged, access may be prevented until the buildings have been cleared by the emergency services.
  • A car bomb (or a car bomb threat) can require evacuation of buildings a thousand yards away.
  • Road closures (perhaps due to a noxious chemical spill) can prevent staff from reaching parts of a city.
  • Geological hazards (earthquakes and volcanoes) and extreme weather (floods and hurricanes) can affect nearby cities.
  • Breakdowns in infrastructure (electrical grid, communications networks) can affect half a continent.

Which of these hazards might apply and what effects each might have can only be determined through a proper Risk Assessment and Business Impact Analysis.

The situations of the two clients were different. For one client there was a significant probability of a situation that affected the city where both the main site and the recovery site were located. In addition the client provided a nationwide service that should not be disrupted even if the entire city was destroyed.

For the second client the situation was different: there were few significant wide area risks and, if a wide area incident occurred, the client would not be expected to continue operating while the incident continued. For the first client a hot site in the same city was too close; for the second client, a hot site in another part of the same city was a sensible choice.

So how far away should a hot site or mirror site be?

As Einstein might have said if he had been a business continuity consultant: as close as possible (given the risk assessment and business impact analysis), but no closer.

Michael Z. Bell
1 February 2008

To get notified when new articles appear, subscribe to the Risky Thinking Newsletter. It's low volume: we don't send out an issue unless there is something interesting to say. You can also subscribe to our RSS Feed

Recently published articles can also be found here.

Agree or disagree? I'd like to hear your thoughts. Please initially use the contact form to get in touch.