Business Continuity Revisited

• By David W. Dodd
• 02/01/13

Following the enormous destruction caused by Hurricane Katrina and other disasters over the past decade, institutions have placed higher emphasis on disaster recovery and business continuity planning, testing, and execution. Business continuity plans are built on a foundation of processes, people, information, technology — and perhaps most importantly, assumptions. Whatever the level of careful planning now in place, we must continue to reassess all of these elements. And whatever was in place before November 2012, Superstorm Sandy forces a careful, objective, and immediate reconsideration.

Sandy was the largest Atlantic hurricane on record. Because of this, institutions across an extraordinarily large area were affected. More than 250 deaths were reported as a result, and damage estimates ranged between $60-70B — placing Sandy second only to Katrina in financial losses.

Superstorm Sandy forces us to reconsider business continuity for several critical reasons. The size of the area impacted means that not only were primary places of business threatened by direct physical impact and power loss near landfall, but the impact was over an entire region and a number of states.

For organizations with communications and information technology provided by onsite data centers, as the majority still are, business continuity means provisioning and constantly testing a physically secure primary facility with backup power generators that also ensure adequate HVAC for critical systems. In addition, Internet circuits are critical if communication with onsite and offsite constituents is to continue without interruption.

For colleges and universities, our constituencies include students, parents, faculty, staff, and our local community. Inevitably in the event of a disaster, some number of individuals in these groups will be on campus, and some number in various other locations. But for all of these, information and communication technology is vitally important. This communication includes web, email, and emergency notification systems. In addition, student information, residence management, and other vital systems are essential if students and employees are to be identified, located, and their safety ensured. Information and communications are essential in supporting the decision-making of a wide community of individuals who have direct ties to our institutions.

If on-site mission-critical functions fail due to the disaster, under traditional models contingency plans are initiated and backup systems are enabled at satellite locations. Unfortunately, many of these satellite locations are within the same region for cost and logistical reasons. In the case of events like 1,100-mi.-wide Sandy, this proves highly problematic.

As a result of the lessons learned from Sandy, many of us are now intensifying efforts to move strategically to the cloud for fault-tolerant mission-critical systems. The reasons are clear. First are the benefits of cloud computing, even when balanced against valid concerns about data security. The benefits include minimal front-loaded deployment costs, high availability/near universal accessibility via the web, 24/7 support for software as a service (SaaS) and platform as a service (PaaS) models, and in many cases inherent multiregional or even global redundancy built in through dynamic fallback locations.

The latter point is critical with regard to climate change and increasing severe weather events like Sandy. Cloud hosting with key partners means that there is redundancy designed into the cloud system, so that even if regional data centers are lost, failover occurs to other centers outside the effected area. For example, a number of SaaS and PaaS companies now utilize backup capabilities through Amazon Cloud Services, Google Cloud Platform, and others to ensure a high level of business continuity enabled by computer centers located throughout the world.

By using mobile technologies operating with commercial carriers, which have proved to be surprisingly resilient, communications officers at our institutions would be able to change website content, send email, and use emergency notifications to maintain up-to-date information. As learned through the experience with Sandy, the web has become one of the most important means of communication in disasters.

Businesses that had pursued this SaaS/PaaS cloud strategy with key partners ahead of Sandy were able to maintain their web presence and mission-critical systems without interruption. This lesson should be incorporated into our continuing reassessment of disaster recovery and business continuity in higher education.

David W. Dodd is vice president of Information Technology and CIO at the Stevens Institute of Technology. He can be reached at 201/216-5491 or [email protected].