How to Ensure IT Resiliency During an Economic Downturn:
The Top 10 Questions Your Company Needs to Ask Itself

During this period of economic uncertainty, many organizations are looking at ways to reduce costs, while continuing stability and growth.  Information technology expenditures are not exempt from this and are typically the first area to be scrutinized.  Consequently, costs to maintain critical information availability programs, including business continuity and disaster recovery (BCDR), are being identified for possible cuts.

Information availability needs do not slow down even though the economy does and disasters (natural or man-made) always come as a surprise.  In addition, regulatory compliance requirements do not stop even though IT spending may be reduced.  Here are some questions you need to ask in order to ensure that your organization’s BCDR program remains viable and effective, even with limited IT resources.

1.  What are the risks an organization needs to consider during an economic downturn?
There are different levels of risk to your operations that you need to consider during an economic downturn.  A formal risk assessment can help an organization identify potential risks before a problem puts you on the defensive.  For instance, many organizations tend to spend few resources to build or maintain effective and viable information availability programs, like business continuity.  How an organization allocates its resources toward BCDR programs can be assisted greatly if a formal risk assessment is conducted first.

A risk assessment can also prove the worth and need for a solid BCDR program to upper management  Organizations need to maintain these programs—just because the economy is slowing down does not mean that business requirements are!

2.  Why does an organization need to conduct a risk assessment now when IT spending is tight?
Risk assessments, done properly, will help an organization determine where and how to spend their dollars to ensure that they are getting optimum returns – in this case, for information availability and business continuity.  Risk assessments provide a comprehensive review of a company’s current information availability strategies and analyze the business impact of a potential interruption.  If you manage risks well, you can take on a certain level of risk and avoid over-spending while protecting your investment.  Investing in a risk assessment now, even when dollars are tight, can help your organization save in the long-run.

3.  Which programs should be maintained?
Conducting an overall assessment of your IT programs should enable you to pinpoint which programs must be maintained, and the best approach for them to continue.  This varies, based upon your type of industry (e.g., heavily regulated), geographic location, and other business drivers.  In general, it is recommended that key components of your program, such as your crisis management plan and your data protection and restoration practices and procedures, are addressed often. Industry research firm, the Yankee Group, recommends testing every quarter to help ensure your BCDR mechanisms will actually protect you when you need them most.

4.  Why is BCDR so important during an economic downturn?
Focused on short-term pressures to drastically slash spending, it often escapes companies that disaster preparedness needs may actually be greater during economic slowdowns.  E-discovery and regulatory compliance specifications require data to be retained, managed and accessible -- even with a cap on spending.

All too often, there are instances where organizations neglect their BCDR program only to realize that the costs to redevelop it are greater than if they simply tested and maintained their current plan.

Disaster recovery technologies have changed considerably in recent years, and with these powerful, yet affordable technologies, it has never been easier to implement an effective BCDR plan – despite the current economic crisis.

For example, many IT organizations are reducing costs by consolidating equipment, or running on virtualized environments.  Virtualization is an example of an up-front investment that is dramatically changing the BCDR landscape. By replicating to a shared storage infrastructure and a virtualized server infrastructure, organizations can enjoy improved recovery-time and recovery-point objectives without the cost of dedicated and custom recovery services from a DR service provider.

5.  Does your BCDR program meet the needs of the business?
A properly maintained BCDR program helps ensure that ever changing business requirements are identified and modifications made.  Along with an assessment of risk, an organization should conduct a business impact analysis to help ensure that the needs of the business are in synch with the current BCDR strategies.  It is not enough to just have a BCDR plan -- the plan also needs to be tested, even when resources are tight.  Skydivers do not wait to test their parachutes after they’ve jumped at 20,000 feet. Likewise, companies should be testing and adjusting their BCDR plans throughout they year to minimize the effect of any potential disruption – from a major weather event to the every day hardware failure.

6.  How can you ensure that appropriate resources are available to maintain the program?
During an economic downturn, it is expected that the organization will decide to freeze or reduce internal staffing levels.  This does not mean you should assume that the BCDR program has been abandoned.  It is during these times that use of outside managed service providers play a key role.  Experienced managed service providers can help augment the team and keep your program intact by managing critical systems and components. . In times of economic hardship, outsourcing is an attractive option for many companies, as they do not have to assume the headcount costs (e.g., salaries and benefits) associated with handling internally.  Third party services are also available to maintain the testing program.

7.  What technologies are currently available that can help to ensure a level of information availability and business continuity?
Businesses have already made large investments in their IT infrastructure and are now challenged with pressure to reduce costs while maximizing space and power.  The “green IT” movement is well underway.  Initiatives to consolidate IT infrastructure, such as employing virtualization or implementing information lifecycle management practices can help to reduce costs while contributing to your BCDR program.  Organizations can also look to a managed service provider to take on the burden on managing critical systems, allowing them to concentrate on more strategic endeavors for their business.

8.  How do these technological changes impact your overall IT disaster recovery program?
Even if IT budgets are reduced, you need to ensure that your business continuity program keeps pace with technological changes.  Improved technologies – such as virtualization, replication and vaulting -- are more cost and energy efficient, so while you may be investing money up-front, in the long-run you will get “more bang for your buck.”  With the proliferation of virtualized environments, there is a greater degree of flexibility with your disaster recovery strategy – but it is important to remember that you need to manage it properly.  You must ensure that proper security measures and testing processes are in place.

Many data centers are also running into space issues.  There are plans for major system migrations, but no room to house the equipment.  This is where a managed service provider can help.  Premier MS providers not only support the housing and operations of the critical system, but will help ensure a level of recoverability as well.

9.  Our company is part of a heavily regulated industry.  Are there any special circumstances related to an economic downturn that we need to consider?
It is worth repeating:  Regulatory compliance is the foundation to any BCDR program, regardless of economic conditions.  How your organization complies with specific regulations must be included in your risk assessment.  In addition, consider newly established BCDR standards, such as BS25999, as a framework to maintain your program.

10.  What are the other IT areas that need to be addressed?
Be prepared for a period of negotiation – ensure you are on top of the business requirements and confirm whatever service levels are in place for the business areas.  Research options for your organization, such as outsourcing to a lower cost region for your data center, or using more efficient technology, such as virtualization. Consider the use of outside professionals to assist with these technologies and stay on top of BCDR trends.  Finally, share your thoughts and experiences with others in similar roles within your local area or industry.  We can all keep learning best practices from each other.

William DiMartini, Vice President, Consulting Operations, SunGard Availability Services

Over the course of his 20  year career with SunGard, Bill DiMartini has worked closely with both IT and business leaders to address their business continuity needs and challenges, making him very effective at bridging the gap between business problems and technology solutions.  As Vice President, he supports a team of nearly 200 information availability professionals working in the field to help customers develop and implement their information availability strategies – representing more than 400 customer engagements last year.