Business Resilience Is a Constant Concern
by Hu Yoshida on Apr 7, 2011
Ros Schulman is our leading expert on disaster recovery and business continuance. Many of you may have heard her speak at different events or had her visit your business to provide an update on our DR capabilities. I asked her if she would give her perspective on the recent disasters in Japan. Here is her response. -Hu
Data availability is only one part of Business Resilience: People, infrastructure and processes are critical components. Nowhere has this been more evident than in the recent disaster in Japan, just as it was after 9/11. Today I think we are more prepared than we were in 2001, since the disaster itself taught us all lessons from a personal and business perspective. However, we are all human and all the planning and preparation often seems to fly out of the window in times like these.
The human side of disaster recovery is something that was never really considered in the early Business Continuity (BC) and DR plans. That changed significantly after 9/11 – as did many things in the BC spectrum – but still needs to be emphasized after disasters of this magnitude. Many companies still put together business continuity plans without taking into account that they need people to recover; they make the assumption that people will be available to recover their critical business systems after the disaster and that is not necessarily true.
People will be more concerned about their families and may not want to travel, even if it is required. One of my colleagues in Japan told me that his wife is deathly afraid of him going to work, which is not dissimilar to my own experience after 9/11. My family was safe but my spouse along with a large number of people in the small community in which I lived worked in New York and sadly some of those never made it home.
Work was a secondary consideration, so the ability to work from home, even more so in today’s connected world, would seem like something we need to build into our plans. While this option is not typical in some cultures, e.g. Japan, we all need to change our thinking especially in mitigating circumstances. Other factors like transportation also present logistical issues in getting people to work, just as they did after 9/11, Hurricane Katrina and numerous other disasters. All these factors impact the ability of companies to recover in a timely fashion.
Japan is probably the best prepared nation in terms of infrastructure. Despite this, thousands of buildings were damaged or destroyed, and even though most were not in the major business centers like Tokyo, that doesn’t mean that hundreds of corporations were not impacted. We are not just talking about data here. For example, supplies of electronic components for items such as smartphones have been severely impacted and the auto industry globally has been affected. More on this later.
The next step is to shift critical operations away from areas that have or might be affected. Companies have started shifting operations from one place to another – switching phone networks, and moving datacenters. Many companies may not have alternative facilities to which they can relocate core business operations. They may have a DR site for their IT operations, but they don’t have alternative manufacturing capacity or places where thousands of displaced employees can work. After the events of 9/11, many employees were displaced from their primary place of business; some companies even rented hotel rooms to give people a place to work, although as I mentioned previously, I think working from home is a much better alternative where possible.
This brings me to the third component, which is processes. When I look at the processes we put in place to recover after a disaster, how far should we take them? We often talk about cost vs. risk, but can you really prepare for a wide scale event like a 9.0 earthquake? The size and area impacted by the original and subsequent events in a compact country like Japan make that extremely difficult.
Let’s just talk from an IT perspective and protecting your data; in an event of this size it is likely that more than one facility has been affected. Combine that with the ongoing aftermath, moving operations outside of the affected area or country may seem like a logical option.
How do we accomplish that? An IT Director I spoke to a couple of weeks ago has a large IT operation in Japan and is now in the process of moving that back to data centers here in the US. How are they accomplishing that? Replicating large amounts of data outside of the country for DR purposes is very expensive, even for large corporations, so we look at alternative methodologies. The CTAM (Chevy Truck Access Method) comes to mind though in this case it would be airplanes, and that is what they are doing, using tapes to back up their environment then shipping them to the US for recovery, however at what cost and how long it takes remains to be seen.
Another area I touched on earlier is the impact of a major disaster on the global economy. I heard on the news a couple of days ago that 13% of the world’s auto industry has been affected and virtually all US auto manufacturers have components made in Japan. We may have to wait longer for that new car, or iPad in the case of electronic components, but what would be the effect of a major event that severely impacted a major financial center, like London or Switzerland?
London financial services is huge and if it closed down there would be massive disruption across the globe, as it is by far the major player in a number of markets which would be affected. For how long and to what extent would depend on a number of factors. There are regulations in place and the FSA in the UK does undertake contingency planning events on a market wide basis. These vary from closure of exchanges to other forms of crises, and all regulated firms are expected to have arrangements in place.
After 9/11, regulators in the US looked at putting measures into place to make sure financial institutions had out of region recovery sites. Those regulations never went into effect, though many customers I have worked with have moved their recovery sites much further away since then. It will be interesting to see whether this event in Japan prompts another attempt at regulation. My experience has been that after any disaster, natural or otherwise, there is a renewed look at our preparedness. I get a significant increase in customers wanting to talk to me about DR plans, and I am usually told by an IT executive that they will find the budget. Sadly out of sight, out of mind, I usually find that a year after a disaster, projects get put on hold and budgets shut down.
Globally, as well as in Japan, many decisions about how to move forward from a business standpoint will continue to be made over the next few weeks. When all is said and done, IT organizations will learn from the recent events in Japan and we will rewrite our BC/DR plans. However, can we ever truly prepare for events that are often beyond our wildest imagination?
– Ros Schulman, Data Protection Product Line Manager, Global Solutions Strategy and Development
Ros Schulman has over 33 years’ experience in the IT business both on the vendor and customer side. This has included systems programming, operations, technical support and sales support. Ms. Schulman has worked at Hitachi Data Systems for 19 years. She currently works in the Global Solutions Strategy and Development organization with responsibility for Data Protection Software including Disaster recovery and backup software. She spends much of her time with Customers, discussing their unique Data Protection challenges. She has also co-authored many white papers in the area of Business Continuity.
Ms. Schulman is also a Certified Business Continuity professional and has met all the requirements as designated by the Disaster Recovery Institute.