The Role of Data Centers in Business Continuity
Written by Michael Boccardi, CEO and Co-Founder of CervalisOctober 3, 2014
Can your business afford downtime? While the obvious, likely answer is “no,” the more important question is, “Has your business clearly defined the true cost of significant downtime?” We are not just talking about an hour without Internet access or a half-day without your server. We’re talking about significant business interruptions such as natural disasters or internal data breaches that compromise sensitive client information and can last a week or longer, leaving you without access to your critical systems and data. The type that can negatively impact not only day-to-day operations, but employee morale, customer confidence, and bottom lines. The truth is that significant downtime and the inability to service your customers can jeopardize the survival of a company.
While business continuity planning is vital to the long-term success of any company, the time and resources required to effectively complete the process often leave many firms, either opting out entirely or only scratching the surface of what needs to be done. Unfortunately, this translates into a lack of clarity around the who, what, when, where, and why of data storage and backup, leaving businesses in the lurch when disaster strikes. It’s not just about access to information; it’s about preventing the loss of mission-critical data while maintaining a laser focus on strategic business goals.
Avoidance: mitigate risks up front
Perhaps one of the most overlooked first steps in business continuity and disaster recovery planning is assessing and reducing your risk of outages in the first place. As an example, many small-to-medium-sized companies have the data and servers in locations that are susceptible or prone to outages. Step 1 in these cases should be to relocate the equipment to hardened data center facilities to reduce the risk of an outage from the start. Once the primary risk has been reduced, a company can proceed with developing the backup/recovery scenario.
Plan for the worst
Your business continuity plan should examine how your company will respond to an untimely business disruption and maintain functions long-term. While it may feel like an exercise in planning for “what if” scenarios that may never happen. A 2012 study by Swiss Re found that nine of the top 10 most costly natural disasters in the world occurred in the United States in 2012, making it the third-costliest year on record for insurance losses across the globe, at a staggering cost of $77 billion. (Of note: 2011 was the costliest year, coming in at $126 billion.) While this number highlights the need for a comprehensive business continuity plan, a 2012 survey of business owners conducted by Travelers found that nearly half (48 percent) of business owners do not have a business continuity plan in place. This oversight translates into increased risk for business owners and their clients.
While examining the losses associated with natural disasters in recent years, it is important to evaluate disaster response. One subset of the broad and inclusive business continuity process is creating a disaster recovery plan, which should incorporate an up-to-date risk assessment (including a business impact analysis that clearly outlines what each risk becoming a reality would mean to your business), secure data storage and back-up practices, a redundancy plan, and clearly-documented processes and procedures. One of the most time-intensive parts of the process, developing a business impact analysis, should not be overlooked. This process will help to develop a hierarchy of importance as to the order in which data needs to be restored. As with the overall business continuity plan, the key elements of any disaster recovery plan should be developed in collaboration with the firm’s chief technology officer (CTO), chief information officer (CIO), chief operating officer (COO), and chief security officer (CSO), among other key leadership team members. It is important to gain buy-in from all parties during the plan development process to ensure its effective implementation when necessary.
During the planning stages, it is important to distinguish between on-site and off-site processes. For example, if your business opts to contract with a data center for work area recovery services, know how data access will differ between the office and the data center should you need to temporarily relocate operations following a disruptive event. To that end, it is important that staff be trained in processes for both locations and become well-versed in how each will impact the delivery of your product or service to clients.
RPO vs. RTO: what every business owner needs to know
Data centers and managed IT services providers will often talk to prospective clients about their uptime – i.e. their track record in the face of a business interruption. Along with uptime comes recovery point objectives (RPO) and recovery time objectives (RTO). What does this mean? Simply put, it’s all about risk tolerance. RPO is the point in time to which data will be backed up for restoration of services. As an example, if a company has an RPO of one hour, data backups, or replicated data would be recoverable up to an hour before the incident. RTO then refers to how long a company is targeting to achieve restoration of services to its recovery point objective. As an example, if a company has an RTO of two hours and an RPO of one hour, it would take two hours to restore the data to an hour before the incident.
In extreme cases, when access to up-to-the-second data is a must, and the RPO and RTO can be zero, companies need to invest in a robust continuity plan that ensures full redundancy and real-time replication of data in an alternate location. The costs of developing and maintaining this strategy will vary widely based on the company’s RPO and RTO tolerance, so budget and plan accordingly. You can be assured that as your RPO and RTO approach zero, costs to maintain your total solution will increase substantially.
Note that accurately calculating RPO and RTO requires collaboration among members of the c-suite to both identify the potential impact of data loss and to fully understand the depth of its projected impact.
Once those two metrics are calculated, businesses must determine whether or not to invest in their own, proprietary solution, or to work with a third-party vendor. Case in point: will you build a private data center to house your client’s sensitive financial information and incur the cost of building infrastructure from the ground up, or will you seek a third-provider who can customize an IT environment in existing data center to meet your business’ needs?
Building vs. Buying: investing in infrastructure
When you think about companies that have invested in building their own data centers, it’s hard not to think of the giants – Amazon, Facebook, Microsoft, and the like. Conversely, small- to mid-sized companies have been known to do the same thing, working to build from the ground up a custom data storage solution that can be scaled to the needs of their business. The bottom line is that the size of the business doesn’t dictate the value of its data. A small community bank’s data is every bit as critical to secure as is that of a national mortgage broker.
While new and custom choices can be appealing, building one’s own data center requires a significant capital investment. Because data centers require specialized engineering and technology – fire detection and suppression, networking, cooling, security, and natural disaster resistant measures – the cost of building from scratch is sizeable. Depending upon the specific size, environmental controls (raised floors, cooling systems, etc.), power (generators, multiple grids, etc.), security (firewalls, backup, monitoring, staff) and physical structure, building a single data center could easily require tens of millions of dollars. Further, the data center you build today may not meet the needs of your business in the future, thus requiring you to build an entirely new structure – and costing even more – to house the company’s data. Plus, there are some data centers that offer customizable work area recovery spaces that enable a team to continue working during planned or unplanned outages or disasters. Whether storing data on-site or off, at your center, or a provider’s, having uninterrupted power and cooling, monitoring, and redundant connectivity, all 24x365, are critical.
Building vs. Buying: what it means to own a data center
While building its own data center can differentiate a company, the cost of ownership reaches far beyond the construction of a physical structure. Electricity, connectivity, technology (which is constantly changing), security and staff are just a few of the expenses you’ll face. If you decide that building your own data center is still the best way to ensure an effective business continuity plan, be sure to prepare for often overlooked but critically important recurring expenses such as hiring and training staff (security and data center technicians), building maintenance, technology upgrades, and general repairs (including HVAC, power maintenance, etc.). Depending on your industry, you may need to incur additional costs to obtain and maintain the necessary certifications to support audit and regulatory requirements.
An investment in business continuity is an investment in your company’s bottom line and its sustainability. While developing a cohesive a business continuity strategy requires both commitment of time and money, a well-conceived, research-informed plan can mean the difference between staying up and running in the face of disaster and losing both productivity and profitability.
Michael Boccardi is president, chief executive officer, and a co-founder of Cervalis, a Connecticut-based provider of technology and IT infrastructure solutions. Boccardi is an industry veteran with more than 30 years of experience leading IT and business operations. Throughout his career, he has held key positions at The Bank of New York, DeGeorge Home Alliance Inc., and The Dreyfus Corporation, specializing in developing technology solutions in dynamic and complex business environments.
