If you think that meeting compliance standards has been difficult and that once you get there your chances for protecting your organization's information assets are assured, you may be missing a crucial point.
Compliance isn't just about protecting the business itself and ensuring continuity, although there are regulations that address acceptable risk for financial institutions, which, if followed, might certainly help avoid an Enron-style implosion. But compliance is also about protecting the other guy: the client, be it a customer or stockholder. The IT department has to take measures to protect two separate entities: the clients and the organization itself.
Adhering to compliance standards today is a good start toward protecting the organization, but it is only that: a start. To have a truly enterprise-wide resiliency plan in place that can effectively deal with a major organizational disruption means going beyond implementing compliance best practices of security standards and high availability; it means putting into place a solid resiliency infrastructure that takes into account both high availability technologies and operational challenges, including communications, that come into play during a major business disruption.
I will never forget being shaken out of bed at 4:31 in the morning of January 17, 1994, as what came to be known as the Northridge Quake shook Southern California to its core. Though I was miles away in Long Beach, our condo building was swaying back and forth like a fir tree in the wind, collapsing brick fireplaces in the residences of the 20 families who lived there. The 6.7 quake, one of the country's costliest natural disasters, killed 72 people and injured 12,000. It was enough to cause a friend of mine and his wife to leave the state for their native Washington. I wrote articles at the time about the IBM-supported businesses affected and the heroic efforts their owners made in getting back on their feet and operational after the office walls collapsed and all the monitors landed on the floor. It's about then that you value the expensive business continuity insurance on which you've been paying for the past several years.
According to a frequently cited study by KPMG LLP, 40 percent of all companies that experience a disaster go out of business within two years. A 2005 study by AT&T found that, among 1,200 businesses surveyed, 16 percent reported losing more than $100,000 a day during a disaster.
Consider the recent 7.9 quake in China's Beichuan County in Sichuan Province last May 12. So far, the estimate is that 50,000 people are dead and five million are homeless. Some 7,000 school classrooms collapsed, and 300 students were killed at one location. The irony is that an article in the journal Tectonics in July 2007 warned of just such a quake along the Sichuan faults when it reported that they "are sufficiently long to sustain a strong ground-shaking earthquake, making them potentially serious sources of regional seismic hazard." A research team of Chinese, European, and U.S. geoscientists studied the area and found pressure had been building up ever since a similar devastating quake hit the region in 1933.
Now think about the city of Los Angeles next to the San Andreas Fault, which scientists for years have been predicting will eventually cause "the big one," as it's affectionately known in California. Companies such as Countrywide Financial, which up until the recent mortgage meltdown was one of the largest mortgage servicing companies in the U.S., have long been aware of the danger. Countrywide replicated its data in real time over a T-1 line to a remote facility in the southwest just in case its Los Angeles-area facility became inoperable.
Despite the frequency and likelihood of such disasters as Northridge, Katrina, and 9/11, only 40 percent of the companies in the AT&T survey reported that business continuity was a priority. As BusinessResiliency.com said, "the human tendency to believe that 'it can't happen to me' haunts the traditional business continuity discipline and results in leadership begrudgingly spending just enough to be compliant with laws, regulations, or accepted standards."
If a telephone book's worth of compliance regulations doesn't get business leaders on board to protect more than just their data, then what will it take? The answer is it's going to take a non-traditional business continuity approach where solutions for business resiliency return immediate value-adds to the company's bottom line. It's going to take a resiliency program that lends strategic and operational value throughout the organization so that it not only takes care of the organization during a time of disruption but also provides a number of additional features that immediately generate a return on investment upon implementation.
Let's review briefly the traditional technological solutions frequently cited as constituting high availability. Afterward, we can explore several of the value-adds that go into creating a truly enterprise-wide operational resiliency infrastructure.
The longstanding approach to preserving the company's information assets is to back up all data onto tape. This practice is still followed today, partly because it's traditional, partly because people like to have something tangible they can hang onto that represents their data--as opposed to a magnetic disk--and partly because tape is still a lot less expensive than disk and doesn't require burning electricity 24x7. The only trouble with tape is that it almost assures that once you go down, you're going to be down for some time until you can restore everything from the tape, and whatever data was input since your last backup is probably going to be lost.
At the other end of the spectrum is a clustering solution employing replication and failover among three or more servers that can pretty much assure you of continuous availability. Some businesses need that. Say you're a gambling casino in Las Vegas. Heaven forbid your computers should go down for even a minute.
In between these two extremes is a variety of solutions including disk solutions, such as RAID 5, journaling to a second partition, and virtualization. The big differentiator between them is whether you use a single-system or a multi-system solution. Having two systems to work with can not only dramatically increase your data currency but also vastly decrease your downtime. You can employ logical replication, switchable devices (virtual storage with multiple processors), cross-site mirroring, and peer-to-peer remote copying, among others, if you have two systems at your disposal. One system equals one flag; two systems equal six flags.
So what happens when you experience a Katrina, or a 9/11, or a San Andreas fault--oops, that one hasn't happened yet--or a Sichuan-style earthquake? Well, who cares if you can recreate your data if you don't have an office building or any employees, right? Wrong. You care because the heart of your business is on your computer (not to mention the fact that the government or a business partner may hold you liable if you can't recreate it). It's all about planning ahead. Gartner reported that after 9/11, the three leading hot-site vendors serving businesses in Manhattan were using only 40 percent of their processing capacity. Why? There weren't enough workstations for the banking and other firms to use to access their data. They had underestimated their operational recovery needs even though they had properly planned for their IT recovery. Events rarely go according to plan after a disaster, and it's just as important to have a flexible and connected workforce that can operate, say, from remote and disparate locations, as it is to have a state-of-the-art high availability solution in place.
So where am I headed with this argument? The point is that in order to protect your customers, you have to have a best-practices compliance program in place; to protect your data, you have to have a high-availability solution in place; and to protect your business, you have to have an enterprise-wide business resiliency plan in place that takes a holistic approach to business continuity. And it has to make sense economically so that you are reaping payback benefits from the first day of implementation. All this is contained in your business impact analysis that lays out the objectives, processes, resources, interdependencies, and consequences of actions designed to help you achieve business resiliency.
Let's discuss what I mean by a holistic business continuity, or resilience, plan. Today it is actually possible to implement a business resiliency program that has immediate return to the company's bottom line. It can have strategic and operational value, and the organization can leverage its technology infrastructure to support ongoing business requirements. A resilient infrastructure can help the company to adapt more quickly and to tighten its operations so as to offer more competitive pricing, which of course will be an advantage against competitors and will most probably increase market share.
The systems that can help keep your people intact as a unit, even if your office building isn't, include such things as a robust remote access solution, the latest in collaboration tools so that people can continue to work together and make fast decisions, and a single point of access to allow users to employ any browser or desktop to get at information and applications, contact people, and control processes.
Remote access is a must-have if you are going to have a solid business resiliency program. Employees will need access day or night to the information necessary for them to do their jobs. Core business applications, employee documents, earlier conceived plans on how to deal with emergencies, email, CRM functions, even the sometimes overlooked legacy applications--all should be accessible remotely to be able to weather a major disruption.
Using such tools as instant messaging, team workplaces, virtual meetings, and joint contact directories in order to collaborate in decision-making will come in extremely handy during a disaster, but is sure to raise everyone's productivity in the meantime. New tools from Lotus as well as online services from Yahoo!, Google, Microsoft, Zoho, and Citrix make these tasks a breeze today.
Having a single point of access can help avoid confusion, frustration, and wasted time during an emergency. It also will improve worker productivity during regular business sessions. A portal that extends a user's work space to any desktop, is scalable, and can be counted on to work as planned during an emergency is an integral part of a sound business resiliency infrastructure. Users need controlled but simple access to the portal, where they can edit documents, spreadsheets, and presentations. Such portals can also help render faster decisions and lower costs during normal times by providing for such things as self-serve human resources functions, more-efficient IT help desk service enhanced by improved communications, wireless and voice-based access to improve productivity, and reduced office costs through expanded telecommuting programs.
Apart from the aforementioned benefits such an infrastructure offers, having such a resilient infrastructure can lead to running a tighter ship and maintaining agile players in the competitive world of business. In addition, having such capabilities can be a feather in your cap when talking to customers or investors, who will be looking for a company that is operating on the leading edge of technology.
With a sound high-availability solution, a detailed business impact analysis, compliance requirements that are under control, and a resilient enterprise-wide infrastructure, you can taunt the big bad wolf to try to blow down your house, but you'll feel confident it's made not of straw but of brick. What? Brick homes will likely crumble during earthquakes, you say? Don't worry. There isn't ever going to be another earthquake.