Legato

Balancing the Needs of Data Storage and Business Continuity

Nigel Williams, VP for EMEA Software Operations for Legato Systems, examines the intricacies behind classing and measuring the risks to data storage as an integral element of Business Continuity

Preserving valuable records and documentation in the event of an accident has always been a vital part of assuring that a business can continue to operate after the event. Today, with businesses dependent on digital systems shared among employees, customers and suppliers, and often updated in real time, the risks have become much more complex. If these two factors were not enough, all businesses face the increasing rate of change inevitable in a technologically-led society. Many companies today have no experience of managing the data security of a newly introduced mobile workforce, for example. Change always introduces uncertainty of outcome and thus risk, making it yet more difficult to pinpoint the risks to a business's data and information.

Despite these impediments in viewing the risk to data and information, it is critical that they are understood if a good business continuance management regime is to be established. Whereas most organisations categorise certain core processes as critical, the actual risks they expose themselves to through these processes are often not considered carefully enough. The business may recognise that its livelihood depends on that process, but may not necessarily consider all the ways in which that process could be interrupted, or more importantly, how to minimise the impact of that interruption.

Risk analysis
Risk analysis involves identifying the risks the company is likely to face and then, for each risk, assessing the likelihood of suffering the corresponding incident. Once both steps have been performed, the risk to a given company can be measured.

Risk measurement can be either qualitative or quantitative. Qualitative measurement rates each risk in terms such as 'high', 'medium' or 'low' probability and impact; it is quick, and good for classifying the nature or frequency of a risk. Quantitative measurement (a percentage probability and a monetary cost, for example) is usually harder to perform, but it is the form the later cost modelling requires.

Identification of the risks can be done internally or through third-party consultants. If it is done internally, the meeting should be a brainstorming session involving representatives from all departments of the business: users, executives, operations, systems administrators, database administrators and business continuity experts. The aim of this meeting is to construct a 'risk register', which forms the basis for protection and is continually updated and reviewed. Establishing such a register necessarily involves prioritising risks according to the business criticality of the application or process each one affects.

Here it is also important to identify any interrelationships between processes, and therefore interdependencies between applications. These are easy to miss: an interruption to a supporting system at a peak period, for example, may halt a process that appears self-contained the rest of the time.

The risk register allows a detailed evaluation of the risks in terms of probability of occurrence and the range of likely consequences. This, in itself, is often enough to give the company the impetus to create and adhere to a business continuity plan.

Some companies have in the past been lulled into a false sense of security, being under the impression that disaster recovery only applied to natural disasters like floods or fires. Even if they did not take the attitude that 'it won't happen to us', the expense of a full disaster recovery plan was not justified because the probability of a natural disaster was viewed as negligible. But only six or seven per cent of 'disasters' are actually caused by floods and fires; a far bigger proportion are of a hardware or software nature. And what is disastrous is the consequence of the hardware failure, rather than the incident itself. The risk register thereby encourages businesses to look at risks from a different perspective and points to potential disaster areas the business may not have considered.

Once the risks have been identified, each is assessed in terms of its probability of occurrence and its 'minimum', 'most likely' and 'maximum' cost. This is often the harder part, but estimates can provide a good rough idea. This is termed the three-point estimate. The estimates are then fed into a Monte Carlo simulation, which repeatedly samples each risk's cost from a probability curve fitted to the three points (a triangular or PERT distribution is the usual choice) and accumulates the results into a distribution of likely loss. (Monte Carlo simulation routines are widely available as add-ins to Microsoft Excel.)

Last of all, the business estimates its overall exposure to risk. Multiplying the estimated cost of each risk by its probability of occurrence gives an expected loss per period; the simulation adds to this the spread of outcomes, including the bad years in the tail. Setting these figures against the cost of protective measures almost always justifies applying a certain level of protection. Because the potential cost of a disaster can actually be established, the case for protective measures can be made in business terms.
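As an added illustration of the three-point estimate, the Monte Carlo step and the exposure calculation described in the two paragraphs above (this is example code written for this page, not code from the article, from Legato or from any Excel add-in), the Python below simulates many years against a small risk register. The register entries and their figures are constructed for the example; it assumes a triangular distribution for each cost and that the risks occur independently of one another. The closed-form expected annual loss is computed alongside the simulation so the two can be checked against each other.

```python
import random
import statistics

# Constructed sample risk register (illustrative figures, not from the article).
# Each entry carries the annual probability of the incident and a three-point
# cost estimate (minimum, most likely, maximum) in the business's currency.
RISK_REGISTER = [
    {"risk": "disk array failure",      "p": 0.20, "min": 5_000,   "mode": 20_000,  "max": 80_000},
    {"risk": "database corruption",     "p": 0.10, "min": 10_000,  "mode": 50_000,  "max": 250_000},
    {"risk": "site fire or flood",      "p": 0.01, "min": 100_000, "mode": 500_000, "max": 2_000_000},
    {"risk": "laptop theft, unencrypted data", "p": 0.30, "min": 1_000, "mode": 15_000, "max": 100_000},
]


def expected_annual_loss(register):
    """Closed-form exposure: probability of occurrence times the mean cost of the
    triangular distribution defined by the three-point estimate, summed over risks."""
    return sum(r["p"] * (r["min"] + r["mode"] + r["max"]) / 3 for r in register)


def prob_any_incident(register):
    """Probability that at least one registered risk materialises in a year,
    assuming the risks are independent (an assumption of this example)."""
    none = 1.0
    for r in register:
        none *= 1 - r["p"]
    return 1 - none


def simulate_year(register, rng):
    """One simulated year: each risk either occurs (Bernoulli trial on its annual
    probability) and draws a cost from its triangular curve, or costs nothing."""
    total = 0.0
    for r in register:
        if rng.random() < r["p"]:
            # random.triangular takes (low, high, mode)
            total += rng.triangular(r["min"], r["max"], r["mode"])
    return total


def monte_carlo(register, iterations=20_000, seed=1):
    """Run the simulation and summarise the resulting annual-loss distribution.
    The percentiles are what a budget discussion needs: p95/p99 show the bad
    years that a simple expected-loss figure hides."""
    rng = random.Random(seed)
    losses = sorted(simulate_year(register, rng) for _ in range(iterations))

    def percentile(q):
        return losses[min(len(losses) - 1, int(q * len(losses)))]

    return {
        "mean": statistics.fmean(losses),
        "median": percentile(0.50),
        "p95": percentile(0.95),
        "p99": percentile(0.99),
        "max": losses[-1],
        "prob_any_loss": sum(1 for x in losses if x > 0) / len(losses),
    }


def justify_control(register, control_cost_per_year, iterations=20_000, seed=1):
    """Compare a proposed control's annual cost with the expected loss it addresses.
    Returns True when expected loss exceeds the control cost, i.e. the control
    pays for itself on average (tail risk may justify it even when this is False)."""
    result = monte_carlo(register, iterations, seed)
    return result["mean"] > control_cost_per_year


if __name__ == "__main__":
    print(f"closed-form expected annual loss: {expected_annual_loss(RISK_REGISTER):,.0f}")
    print(f"P(any incident in a year):        {prob_any_incident(RISK_REGISTER):.3f}")
    for key, value in monte_carlo(RISK_REGISTER).items():
        print(f"simulated {key:>14}: {value:,.0f}" if key != "prob_any_loss" else f"simulated {key}: {value:.3f}")
```

The mean of the simulated losses should sit close to the closed-form figure; the interesting outputs are the 95th and 99th percentiles, which show what a bad year costs and are the numbers to set against the price of a control such as off-site replication or laptop disk encryption. Changing the distribution (PERT instead of triangular, or a correlated failure of two risks) changes the tail far more than it changes the mean.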

As the world becomes increasingly reliant on systems and data, it is apparent that business continuance management and planning is no longer just advisable, it is a necessity. And while a thorough investigation into the risks faced by a company may take time and effort, and perhaps some third party consulting, the end result will be a blueprint for protection that accommodates the change that the future will undoubtedly bring.

The views expressed in this article are those of the author, not necessarily those of Legato, and should not be read as an endorsement of any product or other company by Legato.

Web site: www.legato.com