Your midrange company has outgrown a disaster recovery plan that relied on backup tapes stored in a systems administrator's car trunk -- now it's time to sign up a disaster recovery service provider.
|James M. Connolly|
The first step is to look inward so you can define your needs. A self-analysis should help you identify the amount of downtime you can endure for key applications and the cost of that downtime. In turn, this will determine what types of services you require.
"Usually, the amount of money you are going to spend with a service provider is going to be based on what you potentially could lose if you are down for an hour, a day, a week or whatever," said Roberta Witty, a research vice president at Gartner Inc. in Stamford, Conn.
Costs vary widely depending on what you're after: disaster recovery or business continuity. "If it's business continuity, then it involves more than backup tapes," said Bob Laliberte, an analyst at Enterprise Strategy Group Inc. in Milford, Mass. "That's when you start getting into some serious expense with replicating data synchronously and the high-bandwidth links that allow you to do that over greater distances. If all you are doing is tape, you have already accepted that you can afford to lose up to 24 hours of data.''
Managers in midrange companies also need to weigh whether they want "one-stop shopping,'' in which they pay disaster recovery service providers extra for features such as workspace to house employees, or data center space where they can install their own systems.
Larry Marler, disaster recovery coordinator at Southern Farm Bureau Casualty Insurance Co. in Jackson, Miss., is a certified continuity professional. He said he advises managers to look at a service provider's technical strengths in terms of its ability to support a customer's core technologies, as well as its understanding of customers' business needs. "For a company the size of mine, I want to make sure we have the resources available to assist my people in a disaster. We exercise regularly, and I find that a provider's expertise is a big part of that,'' said Marler, a customer of SunGard Availability Services.
Managers must strike a balance in terms of the proximity of a service provider's data center. If it's too close to your primary data center, it could be affected by the same storm or power outage that sends your team to the recovery data center. If the recovery site is too distant, it can be difficult to get IT staffers to the site, particularly for a smaller company with limited resources, according to Witty.
When considering a new provider, always visit the data center. "I've been in regional data centers where the equipment was located on the outside wall with windows," Laliberte said. "If a hurricane blows through the glass, that equipment is going to get wet. Make sure it's a hardened data center with good physical security, redundant power, separate power grids and communication links."
A key decision in the selection process is determining whether you will be part of a shared model or if you will have dedicated resources. Cost and recovery time both play parts in that decision. In a shared model, the service provider maintains computing resources that are available to multiple customers on a first-come, first-served basis.
For instance, if several of your neighbors declare emergencies before you do, you may be shut out of the data center and forced to wait until resources are available, or your staff may be transported to another part of the country to the provider's other data centers. Laliberte noted that many New York-area companies that declared emergencies after the Sept. 11 attacks lost days of business when their staffs were bused to recovery centers as far away as Colorado and Florida.
If you aren't comfortable with a shared model because you can't afford hours or days of downtime, you will probably want dedicated resources -- but you'll pay for it, perhaps 10 times more than for a shared model, according to Witty.
While experts say customers can't force a provider to prove that it's financially stable and positioned to support every type of emergency, Marler advises managers to make an effort. "They may not give you a lot of information, but you certainly can ask things like how many true disasters they have handled, what types of recoveries they have done, and the average size of company that they recovered,'' he said.
Witty suggests that users sign on a service provider for three years. One year is too short a contract because of the amount of time and effort involved in bringing in a new vendor, and five years is too long because customers don't get to leverage falling technology costs.
Another element to build into the services contract is sufficient testing and flexibility. "In many cases, you are paying a lot of money for these services but can test your plan only once a year. The problem is that something almost always fails. You want the ability to fix the environment and test it again,'' Laliberte said.
Frequent testing also raises the need to modify the contract midstream, perhaps factoring in new systems or business units. "People learn every time you go into these test scenarios. 'We need this, we didn't have that, let's change this,' It comes down to the administrative people helping you amend or modify the contract,'' Marler said.
Finally, you may think you're safe because you've outsourced all your crucial applications to software services, an option that may be attractive to many midrange companies. But, who is backing up that outsourcer?
"What happens if that outsourcer has a problem? Can they meet your recovery needs?'' Witty asked. "If they have a production outage, how are they going to get you back online? If they have no solution for that, you have to wonder why you would go with that outsourcer.''
James M. Connolly is a contributing writer based in Norwood, Mass. Write to him at firstname.lastname@example.org.
This was first published in January 2008