Summary: Need help with PR? If you are looking for a great PR firm, you've found one. Walker Sands is a leading Chicago PR firm with a strong track record that makes it one of top national PR agencies..

Time to consider Internal Recovery

The consumer advocate mantra "if it seems too good to be true; it probably is" is typically dead on. But many savvy technology executives have realized that bringing critical disaster recovery and business continuity functionality in-house is significantly more effective and often markedly less expensive than the traditional approach of outsourcing disaster recovery to a hotsite.
(article continues below useful links)

Yet far more C-level execs remain behind the times, paying large monthly subscription fees for recovery functionality that, if used at all, surrenders their control of their own recovery. Do they think they don't know enough about, or are not up to the task of internal recovery?

Indeed, surveyed CIOs have indicated a lack of awareness and even intimidation of tasking such a fundamental business challenge in house. Others felt that their firms were not large enough to handle internal recovery, while others felt their enterprises were too big to concentrate recovery capability in house. The reality is that becoming self-reliant is a management decision. Of the many "ideal" parameters such as multiple sites, re-leverageable test or development equipment, cross-disciplined staff, or available bandwidth may not all be present-but usually many are.

Internal Recovery is an enterprise's internalization of disaster recovery capability, ideally by re-leveraging technology, facility and human assets it already controls. Corigelan has long had an insider's perspective on this issue. As former executives of disaster recovery industry pioneer Comdisco, the team has designed some of the most complex recovery solutions implemented by Fortune 500 companies including insurance firms, banks and manufacturing firms. Outsourcing a portion or the entire recovery capability to a hotsite was typically part of those strategies.

The business and technology realities that shaped the disaster recovery thought process have changed, and outsourcing recovery to a hotsite provider is now playing an increasingly smaller role in effective recovery strategies. Consider the following developments:

Compressed recovery time frames: The on-demand economy has compressed recovery time frame requirements for almost every firm. The majority of surveyed CIOs indicated that they have at least one or two critical applications that must be up and running in under eight hours. Transporting personnel to a hotsite facility and recovering those critical applications in less than 8 hours simply is not feasible for most firms.

Conversely, those same CIOs agreed that many of their applications were far less time-critical than once thought, meaning their recovery could be deferred for 48-72 hours after an interruption. Paying high monthly hotsite fees to recover applications in 24 hours that could wait 48 hours with no business impact is not prudent.

More complex technologies being employed: Disaster recovery hardware and software have advanced in sophistication at a rate that typically outpaces a hotsite provider's rate of adoption or purchase. Based on capital constraints that ultimately lead to profitability, most simply lag pace with the advancements in storage, network, and systems technology that are now standard and/or available to most in the market.

Platforms, applications being integrated outside of the enterprise: The increasing sophistication in available technology has also led most firms to integrate platforms and applications past the point where recovery is feasible in an environment external to their enterprise. That is, the adoption of ERP and middleware applications have driven integration past what most hotsites can accommodate in the shared environment. Further, firms sharing data and applications in their supply chains and integrated partner initiatives mean they share recovery responsibility, driving recovery complexity even higher.

More capacity exists: Several factors have contributed to a glut of raised floor data center space. The trend in many industries of distributing data centers across the country is reversing, as many firms concentrate assets in a single data center. Mergers and acquisitions often leave many facilities waiting to be utilized. Finally, technology footprints continue to shrink, leaving that much more space ready to be used for other uses.

Hotsites Still Part of the Mix? To What Degree?

Hotsites, however, are not obsolete. The scale of a firm, its risk tolerance and its specific recovery objectives and timeframes may make outsourcing recovery to a hotsite a part of the recovery solution mix. Hotsite vendors distribute the high costs of technology and space among their many customers. These firms have experience in coordinating recoveries and conducting crucial and required testing. Outsourcing recovery can also alleviate the growing pressure to clearly demonstrate to regulators and stakeholders that the firm has a recovery plan in place. However, firms must be more diligent in owning this process; a vendor will not "guarantee" your ability to recovery. Thus the critical decision for an organization, after determining specific recovery time objectives and considering business impacts, is determining whether or to what degree hotsites should be considered part of the recovery mix.

Standard procedure for making this "recovery mix" decision is submitting RFPs to vendors. These requests, however, tend to focus on comparing prices, similar system configurations and other comparable assets with other hotsite providers, but neglect the more important issue: whether this recovery resource adequately meets the overall recovery objectives. Following are questions that should be incorporated into every hotsite RFP. Having a vendor answer "the Four Cs" will help frame the decision whether paying thousands of dollars monthly for potential hotsite access still makes sense today.

Ask Your Hotsite Vendor Pointed "Four Cs" Questions

Costs, known and unknown: Monthly subscription rates are rarely the total cost of a hotsite access. Budget-breaking hidden costs may arise. To be prepared, ask the vendor:

• What are the declaration fees? Daily usage fees? Long distance and network usage charges?
• Is there an automatic renewal clause? What is the duration of renewal: 1 year? 5 years?
• What, in detail, are the additional testing costs? Third-party service charges?

Contention for access: A regional interruption may set off a scramble among hotsite clients for access, whether directly in the affected area or not. To ensure your ability to access the facilities, systems and network you have subscribed to in order to affect recovery, ask:

• How many subscribers exist for my specific recovery facility?
• How many subscribe to the configurations my firm does and what are the shared access ratios? 5:1? 500:1? Unlimited?
• Would any of these firms enjoy priority status above my firm?
• When and how will I be notified of the risk that my firm may have less then the full access proposed?
• What compensatory damages are due my firm if the vendor cannot completely fulfill contractual service obligations?

Contractual performance guarantees: What you and a hotsite vendor believe are acceptable levels of business process recovery may be markedly different. Establish this in advance by asking:

• What are my specific rights of access?
• What guarantees do I have that I will be able to access my subscribed equipment upon declaration?
• What guarantees do I have that I will have access in my chosen recovery facility?
• What contractual guarantees do I have that the contention for resources won't increase over the life of my contract? That is, will access to this equipment ever be resold, how often and up to what limit?
• What are the explicit services that are provided by third party relationships? For example, what is the specific installed base vs. satisfying contracts with Quick Ship, JIT or At Time of Disaster (ATOD) network services?

Close to home: Sending your business processes offsite can be painful; sending your employees and co-workers across country can be even worse-if they can get there at all. Consider the following:

• Why can't recovery be much closer to home, i.e., 100 miles vs. 1000-plus miles away? Many firms claim capacity in many major markets, yet they tell you your best options are locations in Pennsylvania or New Jersey. Will your recovery operations be split among two or more sites?
• Examine specifically how this may dilute your ability to effectively restore environments and response time when/if you are backed up.

While the shared-risk hotsite was a good solution in the 'mainframe only' days (and may still be part of a recovery strategy for some companies), current solutions dictate most can achieve their Recovery Time Objective (RTO) cost effectively by re-leveraging and augmenting internal assets, rather than paying for potential hotsite access. Given that new reality, ask yourself whether your firm being completely in charge of your data, business processes, and recovery should disaster strike seems too good to be true. The reality is, it isn't.

Tim de Lisle is managing principal at Corigelan, LLC (Chicago, IL). For more information on Corigelan, visit www.corigelan.com.

Copyright © 2004. Computer Technology Review.