Global safety zone

If it seems that the world has become a more dangerous place for sensitive organizational data over the past five years, that's probably because it has. As natural disasters, terrorism, disease and social unrest have threatened to affect staffing in various parts of the globe, the business continuity plans of many organizations have had to become heavy on the disaster recovery side.

Such safeguards become critical when companies extend their data infrastructures overseas. Catastrophic events such as the 2001 terrorist attacks in the U.S. have forced IT managers to make disaster recovery a priority. At Advance Transformer Co., a lighting manufacturer in Rosemont, Ill., and a division of Philips Electronics North America Corp., the attacks were a wake-up call, said CIO Julius Tomei.

"The federal government shut down airports and closed borders, which imparted to us, like all companies, the importance of disaster recovery," he said.

Tomei isn't alone. In a November 2005 survey, Gartner Inc. found that North American IT managers are more than redoubling their data backup and replication processes, in large part because of natural disasters such as last year's Hurricane Katrina in the U.S. Other global threats to business operations, such as the December 2004 Asian tsunami and the SARS epidemic in 2003, got the attention of disaster recovery planners as well.

In 1999, Advance, which has engineering and manufacturing facilities in the U.S., Mexico, Southeast Asia, the Netherlands and Brazil, contracted Hewlett-Packard Co. to provide business continuity services, including disaster recovery. HP set up a data recovery center, currently located in Pennsylvania, that replicates the hardware and software in Advance's Rosemont data center, creating a "low-level layer of our environment," said Tomei.

Twice annually, Advance tests its disaster recovery infrastructure and processes by running its Unix applications in the HP service center. For ongoing data backup, Tomei works with IT staffers at outlying global locations to determine which data should be transferred to the central data center and how often.

Who owns business continuity?

When an organization's IT infrastructure extends across national borders, business continuity plans grow more complex. Staff management, local regulations and the location of data centers all come into play in a global company's business continuity plan.

First and foremost, management must decide how to coordinate a business continuity plan infrastructure -- not just hardware and software, but also employees who might be affected by disasters. IT assets and data may be geographically scattered, but someone still has to be in charge of the plan, and that person shouldn't be the CIO, said Dan Bailey, senior manager at Protiviti Inc., a Dallas-based consulting firm.

"Thinking about disaster recovery on the level of a CIO is certainly appropriate. But if disaster recovery in its own right is strictly an IT function, you're only recovering all of IT. You're not recovering HR, accounting and other departmental applications," said Bailey. "From a global perspective, for overall crisis management and business recovery, all the potential impact is on the business side."

For that reason, managers in financial or operations departments can be more effective leaders, because those are the areas of business that get affected by data disruptions. "[Business continuity plan] ownership is very ineffective from IT," Bailey said.

At The AES Corp., a $9.5 billion global energy firm in Arlington, Va., IT managers are implementing companywide business-continuity standards to ensure that power generation and distribution facilities located in far-flung places such as Cameroon, Pakistan and Panama stay up and running during a crisis.

According to CIO George Coulter, passage of the U.S. Cyber Information Security Act, which is part of the Department of Homeland Security Appropriations Act of 2005, inspired the IT group to put global standards in place. The company set up data centers in Europe and the eastern U.S. and a global WAN connected with fiber to provide real-time load balancing.

With 70% of its business outside the U.S. and 135 businesses in all -- including 124 power generation businesses, nine distribution businesses and 15 million customers worldwide -- getting everyone on the global WAN and conforming to companywide business-continuity standards wasn't easy, said Coulter.

"It's extremely challenging, but we treat all businesses with the same standard," he said. "With the data centers in place and the global WAN, we don't have to worry about in-country problems, even in areas like Cameroon. Business by business, we connected them to the data center, and those problems go away."

Coulter said AES chose the data center sites not because they're in relatively stable global regions, but because they're on the 311Mbit/sec. fiber backbone used by AES's network infrastructure provider.

"You can't get this kind of bandwidth in Brazil, for example. With the data centers on two different continents, each with its own network links, we have a reliable, robust architecture and built-in redundancy," said Coulter.

Staffing matrix

AES's IT staffers are geographically dispersed. To ensure that various units conform to standards for business continuity, all 45 of AES's distribution centers have full IT staffs, including an IT leader who reports to an IT council.

With power distribution businesses worldwide, Coulter's staff spends a lot of time working with idiosyncratic local government agencies that oversee utilities. In fact, he has a staff dedicated to the task. "In our business," he said, "it's a full-time job to work with local authorities."

In addition to local IT leaders, global companies must have one person who oversees business continuity and disaster recovery, said Protiviti's Bailey.

"Should you have foreign IT locations? The answer is an absolute yes, but how do you coordinate them? From a business-practice continuity perspective, there should be a single, overarching point person," he said.

This person should have responsibility for managing the disaster recovery process and ensuring that the three core elements of corporate business continuity management -- crisis management, business resumption and disaster recovery -- are met, in part through regular evaluation and testing, said Bailey.

"Each business unit should also own a recovery plan," he said. "One owner couldn't go in and know how that unit worked. The person managing the proc-ess, steering the ship, has to make sure people are in compliance with the overall plan."

As an IT infrastructure gains new hardware and software and as the business grows, evaluation of disaster recovery is crucial, said Advance's Tomei.

"We continually review and look at our disaster recovery plan to take into account how we can be better prepared," he said. "A disaster recovery plan is a living, breathing document. It's part of what we do."

Webster is a freelance writer in Providence, R.I. Contact him at john.s.webster@verizon.net.

Copyright © 2006 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon