Evaluating Business Continuity & Disaster Recovery Consultants
By Tim Pierce, Business Development Manager at FORTRUST
Fortrust works with a number of companies and consulting firms that provide BC/DR services, planning, and testing. In order to best meet our customers’ needs, we maintain a policy of vendor neutrality when it comes to BC/DR planning and consulting services providers. This Application Note is offered as a service to Fortrust customers, partners and the technology community, to provide some ideas and ‘food for thought’ to IT executives who are thinking about engaging a BC/DR provider.
It’s no secret that business continuity is, and has been, an important topic in the IT industry. And as hurricanes batter the Gulf and the eastern seaboard, and earthquakes in California make headlines, the importance of a reliable BC/DR approach is even more apparent. Business continuity services account for 3 to 4 billion dollars of revenue every year, according to a recent study by Gartner Research. Further, according to a survey conducted by KPMG, 28 percent of companies that have BC/DR plans outsource the management of them to external providers.
It would seem that, given the costs involved in planning, testing and implementing a rational business continuance strategy, a great deal of importance would be placed on the people chosen to lead that effort, and provide expert guidance to the initiative. However, we’ve found that, when it comes to BC/DR services, not all consultants are created equally.
With the above in mind, we’ve created this Application Note, with the objective of providing a few questions you should pose to any prospective BC/DR consultant.
Will the consultant help you to figure out what’s really worth protecting?
The key to a cohesive BC/DR plan is to first understand what’s important to your company. To achieve that understanding, you first need to have a solid grasp of your company’s strategic objectives and business processes. Once you know the business objectives and strategies of the enterprise, you’ll be able to understand what assets are truly important, and should receive priority for recovery. Without understanding the impact of different events and outages, you can’t create an effective BC/DR plan.
A qualified BC/DR consultant will work with you to create a business impact analysis that identifies your critical assets, systems and processes as well as quantifies the cost of downtime or interruption to those things. In other words, a good analysis will not only identify critical components of your enterprise, but will likely shed light on how valuable those assets really are to your business.
Does the consultant try to force you down a single path?
BC/DR consultants should be primarily focused on just a few things – namely, the identification of critical assets and business processes, mapping dependencies, and the prioritization of planning and recovery based on the expected impact to the company if that asset or process is rendered partially or completely unavailable.
BC/DR consultants should not be focused on selling products and services to mitigate potential disasters. Coming up with the solution to ensure that critical assets and processes are protected, ideally, should be someone else’s job. That’s not to say that a BC/DR consultant should have no say in whatever measures you take to protect your business. But if your consultant has an ‘end in mind’ before he or she ever really examines your business, they’ll spend more time trying to sell something to you than really understanding how your business operates, and the real impacts of downtime to your business.
Will the prospective consultant help prioritize and understand the impacts to your business?
Just as there are different approaches to mitigating and reacting to disasters, it follows that there are different levels of preparedness, and a company’s expectations for business continuance may not always be based in reality. Most companies, when asked, will tell you that they would like to have all of their systems available 24/7, with no downtime whatsoever, at all times. When the price tag associated with such a goal comes back from the planners, they quickly realize that such a goal isn’t realistic. In most cases, instant restoration of services and assets in the event of disaster is too expensive to justify in the boardroom.
A good BC/DR consultant understands this, and makes it a priority to determine key assets and real requirements for restoration of service. Further, qualified BC/DR providers understand that not all assets are created equal. Some things need to be restored very quickly in order for the business to survive. Other processes or applications can go hours, days, or weeks without restoration, and some can wait even longer if needed.
The key point in all of this is that a realistic BC/DR plan makes this distinction, and a consultant who tries to tell you otherwise is either not qualified, or trying to sell you something.
Does the consultant focus on BC/DR planning, or do they sell other things?
Today, lots of companies offer BC/DR services of one kind or another. The key question is, are their services the primary focus of their company, or a ‘valued-added’ product they’ve put together in order to lead you into purchasing another product or service. In other words, do they offer BC/DR planning ‘services’ that actually have no real object but to push you into their other services/products?
It’s not to say that a company or consultant who provides more than just BC/DR is inherently untrustworthy. But it might be an indication that you should look more closely at the provider and the services they’re providing.
How long has the consultant been offering BC/DR planning, and what qualifications do they maintain?
As disaster recovery has gained exposure in the past few years, many companies and consultants have entered the BC/DR industry. As a result, it’s important to differentiate among qualified, dedicated providers and consultants with no real qualifications to provide service.
A couple of activities that might help you conduct an evaluation of providers to support your BC/DR services:
- Request and follow-up on references from the provider you’re evaluating. Suspect a provider that neglects or delays sending references. When a provider does give references, ensure that they are specifically for BC/DR services.
- Evaluate providers that hold certifications related to BC/DR disciplines.
- Certifications from organizations such as the Disaster Recovery Institute, the Business Continuity Institute and others indicate, if not a true proficiency, at least a commitment to the practice and discipline of business continuance and disaster recovery.
BC/DR planning, along with the associated steps that are often taken afterwards to mitigate risk, is a major undertaking and very difficult to complete without a dedicated resource. But it’s critically important, for most businesses, to understand the true risks and the actual costs associated with downtime and disasters as they occur. At the end of the day, it’s your money, your company, and potentially your job on the line.
Because of that, make sure that whomever you work with will maintain a sense of urgency, and provide your enterprise with the information and approach necessary to support your business in a wide range of scenarios. Don’t be shy about aggressively evaluating potential providers and asking them to produce verifiable information about their services, and their level of service, before you sign on any dotted lines.
Thanks for taking time to read this Application Note from FORTRUST