At Issue
3/4/2009 1:06:15 AM EST
Cut IT Now ... and Pay Later
The current economic crisis is placing almost unprecedented pressure on firms to cut costs, but if information technology resources are stretched too far the consequences might only become apparent when disaster strikes.
Posted by LexisNexis

With the outlook for the world economy continuing to look bleak, many organisations are predictably taking a hard look at their IT expenditures to identify projects that can be cut or deferred. The reality, however, is that business needs for available data and regulatory compliance obligations do not decline in step with an economic downturn.

'Focused on short-term pressures to make budget cuts, it often escapes companies that disaster preparedness needs may actually be greater during times of economic duress,' says William DiMartini, senior vice president of consulting services at US-based SunGard Availability Services.

'For example, many organisations are reducing costs by consolidating equipment, but because of compliance and a plethora of other requirements, data must still be retained - even with a cap on spending.'

The bottom-line consequences of failing to maintain an effective business continuity plan are indicated in a study undertaken by Suncorp in the UK, which found that just a third of small- to medium-sized enterprises (SMEs) are now taking active steps to ensure their business will continue to operate normally in the event of a disruption.

From those surveyed, 40% said a computer hardware failure or malicious attack on their systems would be detrimental to their business, while only 10% said they would be able to function as normal. For the legal services sector, with its extreme reliance on documentary and client data, the impact would likely be even greater.

In the US, an annual study on business continuity and disaster preparedness by AT&T found that in 2008 one in five businesses did not have a business continuity plan in place. Arguably of even greater concern is that for the third year in a row the study found that nearly 30% of US businesses did not consider business continuity planning a priority.

AT&T canvassed the views of IT executives from companies throughout the US that have at least $US25 million (HK$195 million) in annual revenue, and found that two thirds predict hacking will be the biggest threat in the next five years. The next most frequently cited threats are internal: accidents (56%), sabotage (47%) and remote workers (44%). Further, while six out of 10 companies have made some type of business change in the past year, only 28% updated their business continuity plans.

The risks they run are acute, and graphically highlighted in the 2007 Best's Underwriting Guide by AM Best, which revealed that only 6% of companies that suffer catastrophic data loss survive, while 43% never reopen and 51% close within two years of the disaster.

According to DiMartini - a veteran of more than 20 years in disaster planning and recovery - when reviewing corporate IT programs there are three core issues integral to optimal preparedness. What are the risks? Which information must be maintained and how can it be most effectively maintained? And what is the impact of technology changes on disaster plans?

Make Risk Assessments a Priority

'As organisations are challenged to scrutinise how to spend their dollars, conducting availability risk assessments to identify vulnerabilities can provide excellent guides on how to determine budget priorities,' DiMartini says.

However, he says it is essential to measure and assess three major areas: information security - covering policy, procedure and regulatory response; information management - examining program controls, flow of information and continuity of services; and information architecture - looking at network and facility design, environmental infrastructure and system design.

Keep Essential Programs Going

Typically, during an economic downturn, internal IT resources become stretched. This leads companies to look for outside support to fill gaps, get essential work done and still save money. While many law firms will be loath to outsource for reasons of confidentiality, one key area in which third-party providers can have positive input is maintaining and testing disaster recovery plans.

Importantly, disaster recovery plans need to be viewed as ongoing programs - not projects that can be put on a shelf for a year.

Another area that often faces cutbacks in tight budgetary times is recovery environments. However, when organisations are pressured to scale back an IT recovery site it often leads to the recovery installation not matching the current production environment.

The result is that critical applications can no longer be supported at recovery sites. To address the issue, technology-dependent firms can use third-party managed services that host secondary applications at a third-party site and protect data with disaster recovery solutions.

Keep Abreast of Changing Technology

As is well known, many organisations are now moving to virtualisation technologies to generate IT cost savings by consolidating servers and storage. But moving to such environments with untested plans to recover data should an unplanned outage occur can turn a problem into a disaster that affects an entire company.

'Data managed by virtualised systems still needs to be accessible,' DiMartini warns. 'Business continuity plans need to be updated to account for virtual environments to assure information availability.'

Mark Phillips

This article first appeared in Risk Management magazine.

Cutting IT Resources Now ... Paying the Price Soon After
The current economic crisis has put unprecedented cost-cutting pressure on companies, but if IT resources are cut too deeply, serious consequences may follow when an incident occurs.

Against the backdrop of a continuing global economic slump, many organisations will inevitably scrutinise their IT spending with a harsher eye, hoping to find projects that can be cut outright or deferred. The reality, however, is that the need to collect the data the business requires and to meet regulatory compliance obligations has not declined in step with the economic downturn.

William DiMartini, senior vice president of consulting services at US-based SunGard Availability Services, says: 'Everyone feels the short-term pressure to cut budgets, but some companies cannot do so; in times of economic hardship these companies actually face greater disaster-preparedness needs.'

'For example, many organisations are cutting costs by consolidating equipment, but because of compliance and a host of other requirements, data must be retained; even if the company has capped its spending, these things still have to be kept.'

What are the ultimate consequences for companies that fail to maintain an effective business continuity plan? A study conducted by Suncorp in the UK found that only a third of small and medium-sized enterprises are currently taking active steps to ensure their business can continue to operate normally in the event of a disruption.

Among those surveyed, 40% said that a single hardware failure in their computers, or even one malicious attack on their systems, would damage their business, while only 10% said they could carry on business as usual in such circumstances. For the legal services sector, given its extreme dependence on documents and client data, the impact of such incidents would likely be even greater.

In the US, an annual survey of business continuity and disaster preparedness conducted by AT&T showed that in 2008 one in five US companies had no proper business continuity plan in place. More worrying still, for the third consecutive year the survey found that nearly 30% of US companies did not regard drawing up a business continuity plan as a priority.

AT&T surveyed IT executives at companies across the US with annual revenues of US$25 million (about HK$195 million) or more, and found that two thirds of them predicted hacking would be the biggest threat over the next five years. The next threats were internal: accidents (56%), sabotage (47%) and remote workers (44%). At the same time, six out of ten companies had made some kind of business change in the past year, yet only 28% of them had updated their business continuity plans.

The risks they face are severe. AM Best's 2007 Best's Underwriting Guide shows that only 6% of companies survive a catastrophic data loss, 43% never reopen, and 51% close within two years of the incident.

According to DiMartini (a veteran with more than 20 years of experience in disaster planning and recovery), when reviewing a company's IT programmes there are three core questions inseparable from optimal disaster preparedness. What are the risks? What information must be retained, and how can it be retained most effectively? And how do technology changes affect the disaster plan?

Make Risk Assessment a Priority

DiMartini says: 'Because every organisation has to be careful about how it spends its money, conducting availability risk assessments to identify organisational weaknesses can provide the best guidance for setting budget priorities.'

However, he also says that three key areas must be measured and assessed: information security, covering policy, procedures and regulatory response; information management, examining programme controls, information flow and continuity of services; and information architecture, looking at network and facility design, environmental infrastructure and system design.

Keep Essential Programmes Running

Generally, during an economic downturn, internal IT resources become stretched. This trend leads companies to seek outside support to fill the gaps so that key work still gets done while costs are saved. Although many law firms are resistant to outsourcing for confidentiality reasons, one key area in which third-party providers can make a positive contribution is maintaining and testing disaster recovery plans.

It must not be overlooked that disaster recovery plans need to be treated as ongoing programmes, not as projects that can be left on a shelf and put off for a year or more.

Another area that suffers cuts in times of tight budgets is recovery environments. However, when organisations are forced by pressure to scale back an IT recovery site, the result is often that the recovery installation no longer matches the current production environment.

The result is that critical applications are no longer supported at the recovery site. To address this problem, technology-dependent companies can use third-party managed services that host secondary applications at a third-party site, protecting data while applying disaster recovery solutions.

Keep Pace with Technology Developments

As is well known, many organisations are turning to virtualisation technology, consolidating servers and storage to achieve IT cost savings. But when we move to such environments and rely on untested plans to recover data, then should an unexpected incident occur, even a small problem can turn into a disaster that affects the entire company.

DiMartini warns: 'Data managed by virtualised systems still needs its availability strengthened.' He adds: 'Business continuity plans need to be updated continually to take account of virtual environments so as to ensure information remains available.'


