IT Infrastructure - News

The decision, issued by NFA's Business Conduct Committee, is based on an NFA Complaint filed and a settlement offer submitted by CMS.

The complaint alleged that CMS failed to implement adequate business continuity and disaster recovery plans and that CMS failed to report all system outages experienced by the firm to its customers and NFA. These outages left customers unable to enter new orders or manage their existing orders. In addition, the Complaint charged CMS with failing to adequately supervise the use of its electronic trading platforms.

NFA Compliance Rule 2-38 requires that 'Members establish and maintain a written BCDR plan to be followed in the event of an emergency or significant business disruption'.

One classification of categories is:

• Mission-critical - applications require continuous availability and synchronous or near real-time failover to an alternate site
• Business critical - nearly continuous availability, but tolerate recovery times in the minutes
• Online - support important business processes, but with low usage and infrequent access, with minimal impact if down for a few hours
• Noncritical - systems or data stores that cause no significant business disruptive if offline for few days or even a week
• Offline or archival - applications and data are seldom-used systems with large amounts archival information that will not affect business operations if unavailable for a week or more

In addition to these categories, it is common to apply two standard parameters to applications for DR purposes: the recovery time objective (RTO) and recovery point objective (RPO). The former describes the time window within which an application must be brought online to avoid significant business loss (financial or otherwise), while the latter quantifies the amount of acceptable data loss youÂ’re willing to suffer for a given application. In essence, RTOs focus on application availability and RPOs focus on data loss.

To the question of testing parts of the production environment at a time, rather than the whole data center, it's a matter of what the organiztion is trying to learn. Data centers are staffed to run the production environment. Many CIOs have focused on controlling costs and there are no "extra" hands available as a contingency measure, so disaster plans need to address how a few missing, key players would impact recovery effort.

Many disaster plans ignore one of the vital aspects of a data center recovery plan: the assumption the entire staff would be available at time of disaster. These plans just are not mature enough. Whether the organization tests the whole center or a few applications at a time, they need to inject some reality into it by "killing off" a few techs and/or DBAs to see how the disaster recovery plan works.

• Plan: When a business disruption threatens your top line and bottom line as well as your brand reputation, no company can afford to take chances.
• Focus on minimizing recovery time and reducing costs: Depending on your industry, location, number of employees and other considerations, the cost of downtime can range from tens of thousands to more than a million dollars an hour. A business impact analysis and risk assessment will paint a clearer picture of whatÂ’s at stake for your organization.
• Implement data protection and disaster recovery: In the event of a disaster, business-critical personnel need access to systems, data and other resources to keep the business operational. Fortunately, itÂ’s not necessary to double infrastructure and operational expenses in order to meet BC/DR requirements.
• Implement redundant hardware and intelligent routing: From redundant electronics and advanced routing protocols, to diverse network routes utilizing wide area network services to ensure network connectivity is maintained in the event of an outage or natural disaster.
• Focus on mainting  continuous business operations: In an already challenging business climate, uninterrupted business operations are crucial to success. Have a business continuity solution that enables customers and employees to experience business as usual, even in the event of disruption.
• Test it before the event occurs: If is is not tested you have no assurance that it will work.

Over 30% of all Disaster Recover Business Continuity Plans are not current according to data gathered by Janco

There are plenty of partial, outdated, or ineffective disaster and business continuity plans out there - why is it so difficult to get it right?

• Data collection
• Data inconsistency
• Categorization
• Manageability
• Maintenance

• Having a business continuity plan in place will keep businesses trading when they would have otherwise have probably failed due to an incident.
• Business continuity plans can significantly reduce the cost of disruptions.
• Companies with business continuity plans benefit from insurance premium discounts, reduced excesses and doors opening to new insurance markets.
• Having a business continuity plan allows what would otherwise be unacceptable risks to be insured.

Do you know what it would cost your business if your systems and data were unavailable for just an hour, or a day or even a week or more? Various studies conducted after natural disasters such as Hurricane Katrina and other major outages have shown that an estimated 25%never reopen after such a loss, and about 50% will be out of business within 2 years. Even an application and data loss that is not recoverable within three days can permanently impact a company's financial health - in fact, 40% of all businesses will never recover from such a loss. Even a few hours of downtime can ring up a very high price, so it makes financial sense to evaluate your business now, and come up with a backup plan to protect the vital core of your company.

Another factor that needs to be considered when evaluating the full extent of a business disruption is that your company doesn't only risk losing data, it risks losing its customers, and that can be very costly. For example, market research firm that conducts customer satisfaction and loyalty studies and has concluded "it takes many fewer resources to retain a satisfied customer coming back than it does to recruit new ones." They estimate that "the ratio of resources spent on retaining existing customers to resources spent on attracting new ones can range from 1 to 2 to as much as 1 to 5, depending on the industry and local market characteristics."

Other impacts can be felt in terms of business records, regulatory reporting, and compliance. A recent report from the U.S. Small Business Agency's Office of Advocacy, "The Impact of Regulatory Costs on Small Firms," indicated that federal regulatory compliance absorbed about 14 percent of U.S. national income."Clearly, even when things are operating smoothly the costs to maintain records and compliance are high, so significant downtime will significantly multiply that expense."

The United States set a record with 12 separate billion-dollar weather/climate disasters in 2011, with an aggregate damage total of approximately $52 billion, according to the National Oceanic and Atmospheric Administration. That is just continuing the trend of the past 30 years.

These incidents have prompted many organizations to reconsider the human element during a crisis or major news event and evaluate how they communicate with employees, suppliers, investors and customers. Emergency and mass notification systems are designed to help organizations communicate to stakeholders during an incident or disruption. However, in response to the high occurrence of prominent disasters in recent years, the marketplace has been flooded with products to address emergency and mass notification needs. The need to diligently evaluate vendors is critical to ensure that services will meet an organization's specific requirements.

To help you mitigate impact to your core processes, your plan should address three key phases:

• Business Continuity Response - these are the steps you take immediately to sustain your core processes, your primary business priorities
• Disaster Recovery Response - these are the steps you take to extend your core processes indefinitely and address your secondary priorities
• Restoration Planning Response - these are the steps you take to restore your business to its pre
  -incident level

As a result, the cost and complexity of using traditional disaster recovery products to address data replication needs in highly virtualized environments forces many organizations to forego disaster recovery altogether.