Sungard Availability Services is a global business continuity specialist that has focused on the financial services market, but operates outside that sector too. It maintains mirrored data centres to which its customers can fall back in case of an emergency or disaster. It claims to have over three million square feet of dedicated recovery space and more than 20,000 end-user recovery sites in North America and Europe.
Rob Thompson is the company’s UK marketing director and an advocate – as you’d expect him to be – of using business continuity services. But can anyone afford them and is compliance the issue it’s cracked up to be? Is it another Y2K in the making? He agreed to answer our questions.
Techworld: What are the main trends in business continuity today?
Thompson: One of the most important trends is that any business that raises its skirts to the outside world needs to understand what would happen if it went down. Most can tolerate a few hours of downtime - there are very few who have to be always up all the time in everything they do - but increasingly for more businesses, if part of it went down, it would be critical to them.
So we're seeing a lack of tolerance to downtime and a willingness to invest in making sure that doesn't happen. The drivers are internal - compliance is the largest driver, for example FSA ruling and audit policies resulting from Sarbanes-Oxley.
For example, you may think SOX applies only to US companies but the practices that audit companies have adopted now apply across the board because it's easier for them. It means that even those businesses who have no relationship with the US are having to comply with their auditors' policies.
Q: So this is why we saw the story a couple of weeks back in the Financial Times about audit company fees having doubled?
A: I think there's a certain inevitability about that because of the learning curve that they are going through. Frankly, because it's a litigious society, we haven't had the first court case yet and when we do, the ground rules will get a bit clearer.
So in the meantime the audit firms are saying, "We don't know how bad it's going to be so we'll do everything, belt and braces, and impose that across all our clients. We don't want someone coming back and saying that we weren't compliant with Sarbanes-Oxley."
Q: Will the upcoming European legislation add more problems?
A: Hopefully lessons will have been learned. There was a tendency in the US - SOX is the prime example - for there to be a real bad reaction after something's happened, like what the SEC did after 9/11. They said every disaster recovery centre had to be 200 miles from the prime site.
No discussion, they just said, "You will do it". There was no discussion about what would be a good idea, but are you going to be able to move your people 200 miles? No, it ain't going to happen so they backed away from that.
I think much the same thing is going to happen to SOX. At its heart, SOX can't stop someone who wants to be a criminal, it can put governance in so that it makes it difficult to be a crook and makes it easier for them to get caught. But if someone wants to be a crook, they'll be a crook.
Q: So good business is still about trust?
A: Absolutely. So yes, compliance is important but as much so is the inter-connectedness between organisations. For example, the SEC is concerned not so much with what happens if bank A or bank B collapses, but what happens to the rest.
It's about the trading relationships and that has spread into other markets. For instance, people talk about a supply chain but it's more like a supply web. Company A supplies company B and company C supplies them both, and those relationships actually exist now outside of financial services, and that's a real driver for business continuity. Small suppliers are getting requirements pushed down to them, and are being asked what happens if you go out of business.
Q: So how do smaller businesses cope?
A: People always think business continuity is a very expensive thing, it's going to cost me an arm and a leg. We need to let them know that out of say, 20 things, if you do 1, 2 and 5, that's it. So there's a job for us in the industry to educate the market.
Q: If I'm an IT manager in a large enterprise what do I look for in a DR provider?
A: Even mid-sized businesses as well as large ones need to look for people who are flexible, who can grow, change and adapt with you. If you use a point solution or supplier, you're probably going to be looking again in six months' time.
If they are more holistic, they can figure out that there are parts of your information that you're going to need back online very quickly, and some that you can do without for two to three weeks. They should be able to look at the whole of our business.
Q: What's new from a Sungard perspective?
A: One's been out for a little while - about email. Showcasing here is email availability service, which knows about the outline configuration of your mail server, and it replicates that skeleton at our centre. If yours goes down, we can populate ours with data and you work off that. The main problem is the volumes of data once you start going back past 60 days.
Q: Going back to compliance issues, are companies managing to comply with new legislation?
A: It's about the balance between guidelines and regulation. The food supply industry is a good example. There's a series of regulations working their way through Brussels saying that they want each piece of food traceable on a very specific basis going right the way back, documented and provable. We know there are chunks of Sudan-1 recently that made their way into the food chain without anyone knowing about it. How did that happen? It's a form of real compliance that must be managed and you can't trade without that piece of information.
More generally, there's continuing audit pressure and the knowledge that if you’re going to value your business, then you need to understand what it's worth. You have to look at your brand reputation and have your auditors give that a value, which then feeds into your compliance and disaster recovery calculations.
From an audit perspective, if they're looking at a set of books, the value of its trading relationships with other companies is auditable. Your company relies on the interdependence between those companies, so the auditors will ask, "how do you maintain those?" In other words, if all that goes wrong, what do you do, is the big question.
Customers ask us for a planning tool not only for planning scenarios but also to understand the impact of what happens if this bit of kit over here fails. We spent the last couple of years developing five modules that run all the way through that process. It's called Paragon.