If your data centre was flooded or lost power, the business impact would be significant. But how can you accurately measure and manage that risk, and how can you discuss it with other parts of the business?
In a presentation at Data Centre World Asia-Pacific in Melbourne this week, lawyer Stephen Coates from Moore Stephens discussed how general risk management principles could be used in data centre scenarios.
"We're integral to the business," he said. "The business has expectations of what it can do, and if data is the lifeblood of the business, then the data centre is the heart."
One key lesson? Now that data centres provide not just raw facilities (power and connectivity) but also services, management also needs to take a service-oriented approach.
"In addition to rack space, we're now selling services — and when we're selling services things can go wrong. We have a reputation and a brand to protect, and failure is big news.
"We need a little bit of comfort over our data centres, because we're trying to sell those services," Coates said. "We've got customers and they have needs we need to understand. We have to help our businesses manage knowingly. We have to report in business speak so they understand what we actually mean."
One strategy Coates suggests for multi-tenant data centres: commission an independent third-party review of risk factors so you can provide that to customers, rather than them insisting on conducting their own. "You want to be able to say 'no need, I already have one here' and send them away with it," he said.
That said, many customers don't bother to read existing standard compliance reports. "I have read some of those reports that DCs have had done and it's pretty obvious customers don't read them because they're a warts and all report," Coates said.
Coates suggests dividing risks into five key categories:
- strategic risks
- operational risks
- financial risks
- people risks
- governance risks
Data centre managers are used to contemplating operational risks — that's why we have backup power supplies — but the other categories often get ignored. Financial risks are frequently neglected, Coates said. "Have we modelled what happens if sales fall off, either for us or the parent business? Have we modelled the perfect storm where both fall off?"
Asking questions is a useful strategy for risk planning. "What does not running a scheduled generator test mean? What does not sending backup tapes offline mean?"
The other unpleasant reality? As with most IT projects, risk management relies heavily on documentation. Coates suggests 10 per cent of the work in developing a risk management framework is scoping; 50 per cent is documentation; and monitoring is 40 per cent. Fun times.