How to Get Your DR Fund Requests Denied

Despite the attention focused on the vulnerability of businesses by events such as last year’s hurricanes, fires, and security breaches, money just isn’t being allocated for DR in ’06 budgets. To the extent there has been any uptick at all in IT spending (from whence most DR planning efforts are funded), these resources are earmarked for ventures such as storage consolidation. These consolidation projects are often justified, at least in part, on the assumption that data will be safer in a centralized storage repository like a fibre channel fabric (SAN) than it is spread out all over the distributed branch office environment. Contained in this argument are both great lies and great truths about disaster recovery planning.

The Big Lie… A Kernel of Truth
Contrary to the statements found in many vendor brochures, data is not any safer in a centralized platform than in a distributed one; in fact, it may be placed at a greater risk of loss. According to a survey cited in an article in the 2005 Disaster Resource GUIDE, the number three cause of data access interruptions – data access interruption is my definition of a disaster, by the way – was outages in FC fabric storage platforms (SANs), which is a commonly used topology for storage consolidation. Based on the survey, SANs come off sounding like the proof of the old adage about the risk of putting all of your storage eggs in one basket: When a breakdown occurs, all of your data thus platformed becomes unavailable and business stops.

Truth be told, the failure rate of SANs cited in the survey is probably a reflection of the abysmal state of management in SANs today, which in turn is a reflection of the “standards that aren’t really standards” mess that plagues FC SANs. Vendors can fully implement ANSI standards on fibre channel in their gear, but with absolute confidence that their gear will not work with their competitor’s gear, which is also fully standards-compliant. This is a pathetic testament to the inefficacy of standards-making when the vendor community isn’t committed to interoperability. Bottom line: In the absence of effective management, all data is at risk – regardless of where it is physically located.

Interestingly, however, there is something wise at the heart of all the “marketecture” around consolidation. The kernel of truth is the assumption that the best business continuity strategy is one that is designed directly into infrastructure. Instead of conceiving of disaster recovery planning as a method for bolting recoverability on to infrastructure that has already been deployed, the idea central to storage consolidation is that proper design, with attention to disaster recovery requirements, improves resiliency and enhances recoverability all by itself.

DR Planning has no Business Case
This truth actually extends beyond the choice of infrastructure components. It goes to the business case for disaster recovery planning – or rather, the lack of one. These days, to justify the expense of building a disaster recovery capability, you need to frame the case for the initiative in business terms. You need a full business value proposition for any IT initiative, including DR, that satisfies three basic requirements:

• Cost savings: the initiative must save the company money.
• Risk reduction: the initiative must reduce risk, whether conceived as investment protection or downtime reduction.
• Process improvement: the initiative must improve business processes in some recognizable way.

The problem with disaster recovery planning is that it doesn’t have a full business case. You could argue that a disaster recovery capability will reduce risk; that’s how its value has always been framed – as a complicated and expensive insurance policy. You might be able to claim that the reduced amount of downtime that accrues to effective planning adds up to operational cost savings and process improvement. This is a stretch, however, that is difficult to substantiate or quantify.

In point of fact, DR planning lacks a full-fledged business value case. This is one significant reason why initiatives fail to be funded: They don’t deserve to be.

This isn’t to say that DR is unnecessary or that it should not be undertaken. It means that we need to find a way to give DR a more solid foundation if we are to get the funding nod from the front office. This is actually a lot easier to do than you might think.

Disaster Recovery Becomes Data Management
If you accept the premise that data and personnel are your two most irreplaceable assets, and if you further accept the premise that time-to-data (how fast you can restore access to mission critical data) is the ultimate metric for evaluating the efficacy of any recovery strategy, then you must accept the notion that disaster recovery is part of a broader undertaking that we can call good data management.

Data management seeks to ensure that data is afforded proper provisioning and protection services from infrastructure based on the requirements of the data itself imposed by the business process and applications that create it. That’s a mouthful, but it is really common sense.

Data is just a bunch of 1s and 0s. It inherits its importance from the business processes and applications that create it. Critical data is only critical because it serves a critical business process. You need to understand these inherited data attributes to design an efficient hosting environment and develop controls and capabilities for security, compliance or disaster recovery.

In all of these endeavors – infrastructure design and service provisioning – you start by analyzing the business processes and classifying the data those processes produce and use. Business process analysis and data classification are data management processes, and they are the same processes whether you are building right-sized infrastructure, identifying appropriate security controls, developing compliant retention and deletion policies or developing a strategic disaster recovery capability. Do the job right and you will kill many proverbial birds with one stone.

If disaster recovery is contextualized in this way, as a subset of effective data management, then you have much more to offer the front office in terms of a business value case. What you are proposing to undertake is a data management initiative. The business value case is the following:

• Cost savings: By understanding and classifying data, you can design infrastructure that delivers exactly what business processes and their applications need to optimize efficiency; no more one-size-fits-most infrastructure that doesn’t fit anyone’s needs very well. If you can segregate only the data needed for recovery from the totality of data in your environment, you can breathe new life into backup schemes and extend the runway of your tape backup solution, deferring costly upgrades.
• Risk reduction: Good data management will help you optimize capacity and more efficiently allocate provisioning and protective services. This translates into greater manageability and control and offsets the risk of preventable disasters. Furthermore, effective data classification will enable you to expedite data restore following an interruption, putting the business back on a paying basis a lot sooner.
• Process improvement: The information gleaned from data management will enable you to construct business models from a data-centric point of view. A little extra work can equip this model with hardware, software and administrative cost data. That way, when the Front Office calls you and asks you to estimate the IT support costs for a new line of business they are considering, you can use your current costs as a baseline model and give them an answer.

All of a sudden, DR goes from being a low profile undertaking that delivers its value in non-events to an initiative to provide the front office with useful predictive information and improved investment efficiency. Although, one warning: You run the risk of becoming senior management’s “go-to guy.”

To get management support for disaster recovery, it needs to go away – replaced by data management. Disaster recovery planning is dead. Long live disaster recovery.

About the Author
Jon William Toigo is founder of the Data Management Institute and CEO of Toigo Partners International. He is a veteran continuity planner and the author of 15 books, including five on the subject of disaster recovery planning. You can reach him at [email protected].