Analyst group IDC has cast doubt on whether many organisations in the Asia-Pacific region can effectively restore systems when facing natural disasters and other IT outages.
The region has suffered a spate of natural disasters in recent months – including earthquakes in Japan and New Zealand and floods in Queensland and NSW – and two highly publicised major IT outages.
But even considering the latter – outages that IDC considered both avoidable and highly damaging to the companies' brands – organisations in the region remain exposed to "near paralysis" should disaster strike, the analyst group said.
Fewer than a third of organisations across the region surveyed by IDC said they would be able to restore more than half of their applications in real time should a disaster strike. IDC inferred that most organisations would be left with only half of their systems running in the event of a disaster.
Matt Oostveen, associate director of infrastructure at IDC, questioned whether this level of availability was sufficient, given the critical nature of IT.
Rather than being attributable to negligence, Oostveen said organisations simply didn't prioritise business continuity as they apportioned IT budgets toward initiatives that were going to have the most impact.
“It’s not that disaster recovery and business continuity aren’t a priority – it’s that organisations are looking to transform their infrastructure and modernise their applications. That doesn’t leave a lot left over,” he said.
“Now, of course, every time you do run into a situation where your business continuity is impacted, then all of a sudden it becomes the most important thing in the world.”
Oostveen drew a parallel between how businesses approach this matter and how home owners cover their property.
“It’s like the value of insurance and how much you are prepared to pay for your insurance coverage; are you looking for the cheapest possible policy or are you looking for all of the additional extras to make sure that you are properly covered for fire, flood, theft, and so on?”
Oostveen says that one of the problems associated with convincing the brass to spend up on disaster recovery is that it can be very challenging to measure the impact of downtime. Downtime doesn't just incur additional operational expenses to bring systems up again; it also has impacts that are more difficult to measure, such as customers finding your services inaccessible and churning to another provider.
“It can be very difficult to measure those impacts and it’s only something that can be seen in the books from an accounting perspective retrospectively,” he says.
Judging by IDC’s findings, it would appear that most businesses in the region have paid little heed to the two major outages that occurred last year, when Singapore’s DBS Bank had their systems offline for seven hours in July, and Australian airline Virgin Blue was out for even longer two months later.
“Whilst there was clearly an impact to each of these businesses as a result of these outages, more important was the impact to the thousands of customers that each of these businesses had,” said Oostveen.
In the absence of a desire among many businesses to address this issue effectively, several governments across the region have issued guidelines to ensure outages occur less frequently.
The outage at DBS Bank in Singapore was a case in point. The Monetary Authority of Singapore has mandated that four hours is the maximum window that IT servers can be offline. As DBS exceeded this window by a further three hours, they were penalised accordingly.
While the onus should be upon business to ensure that they have adequate disaster recovery measures in place, Oostveen suggests that governments should do more to force organisations to address this issue.
It would be especially prudent, he said, in situations where access to IT systems is critical, not just for the organisations that own and manage them but also as a consideration to customers that are negatively impacted by system outages.
But he stopped short of suggesting that legislation be introduced to cover all businesses.
“I think largely legislation exists where it needs to exist,” he said. “Banking, insurance and government are all mandated to have business continuity and disaster recovery plans in place. Where it doesn’t exist, by and large, is that vast area of small and medium business in Australia, but I think it’s very difficult to legislate standards for information technology systems with businesses that just don’t have the scale of operations to be able to give themselves the type of IT environment that a larger corporation or government department can afford.
“I think the policies that we have in place, particularly around banking and large government agencies and departments, are acceptable so I would not go to the extent of recommending that push that same level of legislation out to the broader base of businesses in Australia,” he said.