Your SlideShare is downloading. ×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

Right size enterprise disaster recovery plans


Published on

All organizations need a Disaster Recovery (DR) plan, but many are unsure what is appropriate or how to scope the organization’s needs. Operating with an insufficient DR plan leaves organizations …

All organizations need a Disaster Recovery (DR) plan, but many are unsure what is appropriate or how to scope the organization’s needs. Operating with an insufficient DR plan leaves organizations vulnerable to negative business impacts in the event of a disaster. Organizations can save time and money by properly scoping their DR plan.

The process of examining your DR plan can be broken down into a series of steps:

* Determine the current DR capability which IT can provide
* Know what DR capabilities the business wants
* Align the business’ and IT’s DR priorities

Use this Storyboard to begin the process of building your organization’s ultimate DR plan.

Published in: Technology, Business, Education
  • Be the first to comment

No Downloads
Total Views
On Slideshare
From Embeds
Number of Embeds
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

No notes for slide


  • 1. Right-Size Enterprise
    Disaster Recovery Capabilities
    Info-Tech Research Group
  • 2. Info-Tech Research Group
    Executive Summary
    • All organizations, needs some form of DR capabilities, or procedures and systems in place to lead them back to operations after a disaster.
    • 3. Your organization must establish the DR it has, the DR it wants, and the DR it needs. Info-Tech has looked at what other companies have done and will provide you with the do’s and don’ts when tackling DR:
    • 4. Measure your organization’s current DR capabilities
    • 5. Get business buy-in to establish appropriate DR priorities
    • 6. Separate DR wants from DR needs
    • 7. Set relevant and realistic objectives for your organization’s DR capabilities
    • 8. Plan for the cost of realizing your chosen DR objectives
    • 9. All DR scoping projects are comprised of three phases, move through these phases in a timely manner to reduce the time spent on planning your DR capability:
    Determine the current DR capability which IT can provide
    Know what DR capabilities the business wants
    Align the business’ and IT’s DR priorities
  • 10. Introduction
    • All companies have some form of Disaster Recovery (DR) capability in place whether they realize it or not. Depending on the size and needs of the company, DR capabilities can range from having an employee backing up the company’s files once a month to having a fully documented and tested plan in place.
    • 11. If the IT and the business side of an organization are in alignment with their DR desires, needs, and priorities, then the current plan may be well-suited to the organization. However, organizations rarely have proper DR capabilities in place.
    • 12. Many organizations make the mistake of having inappropriate DR capabilities. Having too much DR capability means the organization is overspending and having too little means the organization is still vulnerable in the event of a disaster. Make sure that DR capability is a good fit with the organization’s actual needs.
    • 13. It is often hard to settle on what amount of DR capability your organization needs. This solution set will walk you through the right-sizing phase of your DR project quickly and will address all the relevant areas:
    • 14. The Basics
    • 15. Current DR Capabilities
    • 16. DR Wants and Needs
    • 17. Aligning IT and Business
    • 18. Case Studies
    • 19. Once the organization’s appropriate DR objectives are agreed upon, IT can begin planning their development.
    Info-Tech Research Group
  • 20. Info-Tech Research Group
  • 21. Info-Tech Research Group
    Without some level of DR capability, the odds are overwhelming that your business won’t survive a disaster
    DR concerns the safety and restoration of an organization’s technology infrastructure in the event of a disaster. There should be some level of disaster recovery in place at every organization. DR will return the business to normal operations after anything from a natural disaster to a serious security breach.
    Research shows:
    • 6% of companies which suffer a catastrophic data loss recover and survive,
    • 22. 43% never reopen,
    • 23. 51% close within two years of reopening.
    Source: University of Texas
    DR focuses on the recovery of IT services, systems, data facilities and staff.
  • 24. Info-Tech Research Group
    Disaster Recovery focuses on IT, Business Continuity concerns the entire company. Don’t confuse the two.
    Disaster Recovery
    • A subset of BC that addresses the IT elements of continuity such as data, application, and infrastructure recovery
    • 25. Reactionary set of procedures that take place once a disaster has struck
    • 26. The IT side of an organization is responsible for its DR
    Business Continuity
    • A set of procedures that organizations can adopt in an effort to minimize the impact that an outage has on all aspects of a business
    • 27. Incorporates organizational and human resources issues such as communications plans and crisis management
    • 28. The business side of an organization is responsible for its Business Continuity
    Business Continuity
    Disaster Recovery
    DR and BC initiatives should complement each other; a good DR plan relies on a good BC plan and vice versa. Ensure that the DR and BC teams work closely together to ensure success.
    For more information on the differences between DR and BC, please refer to the note, “Draw the Line Between Disaster Recovery and Business Continuity.”
  • 29. Info-Tech Research Group
    Organizations attribute their failure to develop disaster recovery capabilities to multiple factors
    Organizations listed business buy-in, time, and money as the main reasons why they had yet to develop their disaster recovery capabilities.
    “Cost and always something else to do…”
    -VP in Public Administration
    “The organization didn't have an IS executive in place and it wasn't considered a company priority until recently. “
    - VP in Wireless Telecom Carriers
    “3 blind monkeys - haven't seen a disaster, won't hear of a disaster, refuse to talk of a disaster. Strong plans have existed and been undermined over time due to lack of executive support. Some departments have maintained robust procedures, yet others are becoming weak links.“
    -Manager in Publishing Industry
  • 30. Info-Tech Research Group
    No matter how lucky you are, disasters occur. Everyone is vulnerable and can benefit from some preparation.
    DR only becomes useful when all else has gone horribly wrong.
    “In business, the disaster isn't the act of God or fire that destroys property, but the loss of data and the inability to continue operations - THAT is the business disaster.“
    -Manager in the Publishing Industry
    It would be best for an organization if the value of its DR capabilities is never truly realized. However, having DR ensures that an organization can (and knows how to) survive a disaster. If an organization invests a little now, it won’t lose nearly as much later.
    Unless you live in an impenetrable bubble, you will benefit from DR.
    Every organization that operates on the planet is at risk from one type of disaster or another. An organization will find DR valuable whenever the cost of losing its IT operations is greater than the cost of creating and maintaining its DR capabilities.
    “It’s a relatively cheap insurance policy.”
    - Director in Consulting
  • 31. Info-Tech Research Group
    Downtime costs money. If you know how much, then you know how urgently the organization must avoid it.
    There are several ways in which downtime may cost your organization money:
    Loss of Revenue
    If the organization is unable to sell product or fulfill orders, then it is losing revenue. This could be the result of an interruption in the shipping process or of the channel through which sales are made (building, website, etc.) being inaccessible to customers.
    Loss of Productivity
    The system is down, causing a production shift to stand around or "make work" to keep busy rather than doing their normal jobs. Since staff still have to be paid, this time is considered a loss.
    Increased Labor Costs
    Any additional work is going to require additional labor. This could be in the form of overtime shifts or extra workers during regular shifts. Whatever the case, expenses are going to increase and the organization is going to have to pay for these incremental costs.
    Increased Operations Costs
    If additional work has to be done in order to make up for lost time, then operating costs, such as utility costs, are likely to increase. These expenses are separate from labor and have more to do with keeping the company open longer or working at a higher capacity.
    What costs are relevant, and to what degree they impact the organization, is dependent upon the specific system that is down and its function within the business.
  • 32. Info-Tech Research Group
    There are three stages in DR Scoping; each is driven by a different group of stakeholders
    Step 1: Assess Current IT Capabilities
    • Prior to creating DR capabilities, know what degree of DR capability IT currently has.
    • 33. Know when IT can bring systems back online and to what point IT can recover data.
    • 34. Understand the infrastructure that is currently used to support recovery abilities.
    • 35. Once you know what resources IT currently has, it’s easier to identify potential areas that should be developed or cut in later steps.
    Step 2: Establish and Validate the Business’ Wants
    • The business side needs to be able to define when it wants systems back online and to what point it wants data recovered.
    • 36. The validity of these wants can be established by asking these questions:
    • 37. What systems are most important to the business?
    • 38. Are there manual processes which can temporarily replace these systems?
    • 39. How much does downtime cost the business?
    Step 3: Aligning IT’s Capabilities and the Business Needs
    • Ensure that what IT provides and what the business side wants are aligned.
    • 40. Avoid discrepancies between the two groups; negotiate to find the right compromise.
    • 41. IT should be able to explain the costs of attaining various objectives.
    • 42. The business side should be able to explain the potential downtime costs various objectives are meant prevent.
    • 43. Once both sides of the puzzle are understood, the organization can settle on a balance.
  • 44. Info-Tech Research Group
  • 45. Info-Tech Research Group
    All organizations have some form of DR capability; determine if you need to spend more time on DR
    If the answer to any of the questions above is "No", your organization needs to spend more time on DR.
    The “DR Recovery Objective Alignment and Cost Tool” will walk you through these questions and help you determine if you need to spend more time on DR.
  • 46. Info-Tech Research Group
    The legend below appears on the slides ahead to remind you of where you are in the DR scoping process.
    Knowing IT’s existing ability to withstand and recover from disaster provides a baseline from which all future DR enhancements and/or downgrades can be made.
    The business needs to be able to communicate the amount of time and data it can afford to loose in the event of a disaster in order to establish an initial target for DR improvements.
    Business desires must be validated by balancing potential downtime losses with the cost of enhanced DR capabilities.
    IT and the business must ensure that capabilities are aligned with requirements and that budgets are reasonable and can be achieved.
  • 47. Info-Tech Research Group
    Business buy-in should be collected throughout the project; it is crucial for establishing proper DR goals
    “We absolutely had difficulty getting buy-in, no one has time for something that may never happen. You just have to explain it to them, and eventually executives come around, however reluctantly.”
    – IT Director in Real Estate Development and Operation
    • Without understanding where the business’ needs begin and end, IT will be blindly assembling disaster recovery objectives.
    • 48. The organization will either waste money on unneeded DR or, won’t be fully prepared for disasters.
    Buy-in is not as elusive as you might imagine, but here are some tips just in case:
    • Many organizations have found that simply explaining DR’s relevance to the business and the company’s survivability goes a long way in generating buy-in.
    • 49. If you have trouble getting buy-in from the business group, try focusing on one key individual. If you can win over a business leader and have them champion DR to the rest of the departments, then the process should be much smoother.
  • Info-Tech Research Group
    You can’t know which direction your organization should head in until you know where it stands.
    Milestones on the
    Path to Understanding
    Knowing what recovery infrastructure and systems are in place is the first step in understanding how your organization can improve recovery times. If you know what you currently have, then it’s much easier to identify what you still need. Moreover, a review of your organizations’ resources may also identify what can be cut, and thereby save your organization from some unnecessary expenses.
    What is IT currently doing?
    Are there multiple data centers? How often is data backed up? What are the general practices around storing data and fixing technology problems?
    Whether IT realizes it or not, aspects of DR might already be incorporated into their standard operating procedures.
    How do these practices translate into measurable statistics?
    Once IT recognizes what’s being done, it becomes a matter of recording how effective those practices are.
    Recovery objectives, which are defined on the on slide 17, are a useful metric for determining effectiveness.
    “Not having DR is like gambling on a game you are certain to lose long-term.”
    -Director in Real Estate Property Management
  • 50. Info-Tech Research Group
    Maybe you need to spend more time on DR. Here’s a tool to find out.
    Answer a few simple questions in the “DR Recovery Objective Alignment and Cost Tool” and determine your organization’s current and recommended DR capability.
    “DRPs are never completed; they’re always drafts as far as I’m concerned.”
    – IT Director in Real Estate Development and Operation
    This tool will assist you in defining which areas of your DR plan are insufficient for your organizational needs.
  • 51. Info-Tech Research Group
    RTO and RPO are the building blocks of DR
    Info-Tech Insight:
    Recovery Time Objective, or RTO, is the amount of time an organization can afford to have its systems down (e.g. the organization's systems can be down no longer than one hour).
    Recovery Point Objective, or RPO,is the point in time beyond which an organization cannot afford to lose information (e.g. the organization can afford to lose 24 hours data/processing)
    Off-site back up does NOT result in RTOs and RPOs of zero hour. Unless data is streamed to redundant facilities and simultaneously processed, outages can still occur.
    RTOs and RPOs are the metrics which set the level of your organization’s DR capability.
    RTOs and RPOs vary depending on the needs of the organization and the criticality of the system/data they are relevant to; they can range from less than an hour to more than a week.
  • 52. Info-Tech Research Group
    Organizations care more about reducing data loss than restoring system operations
    For most organizations, limiting data lost during a disaster is more important than minimizing downtime. This is likely because so much of a business’ day to day activities rely on the data.
    It’s cheaper and easier to support longer recovery objectives. The percent of the yearly IT budget that is spent on DR decreases as RTOs and RPOs increase.
  • 53. Info-Tech Research Group
    Shorter RTOs and RPOs provide greater protection, but at a greater cost. The inverse also applies.
    When an organization decreases its RPOs and RTOs, it will need to increase its DR budget to procure and maintain more infrastructure and policies to support the new objectives.
    When an organization decides it can afford to increase its RPOs and RTOs, it can decrease its DR budget because it needs to procure and maintain less infrastructure and create fewer policies to support the new objectives.
    “We must prepare for the worst and hope for the best, but it is a balancing act as to how much you spend on insurance.”
    -Manager in Chemical Manufacturing
    Disaster Point
    Required Investment Increases as RPO Decreases
    Required Investment Increases as RTO Decreases
    1 Week RPO
    1 Day
    1 Hour RPO
    1 Week RTO
    1 Day RTO
    1 Hour RTO
  • 54. Info-Tech Research Group
  • 55. Info-Tech Research Group
    Even moderate business involvement will make DR projects much more time effective
    In emergencies, organizations need to get critical systems up and running as fast as possible. The business side plays a key role in determining exactly which systems are critical, and which are secondary.
    “A balance is needed between spend and potential impact - this depends on business criticality and so it is entirely down to the business leaders to decide. IT can assist in optimizing the DR solution so resources aren’t wasted.”
    -Manager in Other Services
  • 56. Info-Tech Research Group
    The Business Impact Assessment is an important step in building proportionate DR capabilities
    Business Impact Assessments (BIA) gauge the approximate costs and frequency of system downtime. Systems are then prioritized in terms of criticality, allowing organizations to focus attention and resources where they will be best spent. BIAs should be done before attempting to create any DR capabilities.
    “We looked at descriptions of the divisions, what applications were used within them, and how they broke themselves down in regards to criticality with timeframes listing their priorities. We didn’t worry about price at this point; it was just a matter of determining the levels of importance.”
    - Senior Technical Support Specialist in the Government
    Current RTO
    RTO that Bus. wants
    RTO that Bus. Needs
    Current RPO
    RPO that Bus. wants
    RPO that Bus. Needs
  • 57. Info-Tech Research Group
    BIAs help the business side determine what DR capabilities they actually need
    How is the BIA used?
    “People who haven’t created a DRP are just one disaster away from making the change.”
    - Director in Consulting
  • 58. Info-Tech Research Group
    The Business Impact Analysis tool is a fast way of figuring out how much downtime is costing you
    You have read about the ways in which downtime can cost your organization money. The next step is to calculate how much money your organization actually loses to downtime.
    In the “DR Recovery Objective Alignment and Cost Tool”, the “Business Impact Analysis” tab will tell you what kind of annual losses you can expect due to downtime, which will then be compared to the amount spent on DR. A large difference indicates there is a need for change.
  • 59. Info-Tech Research Group
    While bigger budgets might not guarantee shorter RPOs and RTOs, they do raise DR satisfaction
    Organizations that have dedicated a larger percent of their IT budget to DR were 44% more likely to have been more satisfied with their performance during an actual disaster than those with smaller DR budget percentages.
    The organizations with larger budget percentageswere also 33% more likely to reach their RTOs and RPOs than less DR-endowed organizations.
  • 60. Info-Tech Research Group
    Explain the costs associated with DR so the business can make informed decisions
    Costs associated with Disaster Recovery:
    Infrastructure investments (ranging from new hardware to redundant data centers)
    Software investments
    Training for IT staff
    Cost of educating and training end users
    Modifications to plan (to reflect any organizational changes, changes to software, infrastructure and business needs)
    One Time
    Despite feeling satisfied, survey results showed that organizations that dedicated a larger percent of their IT budget to DR actually had longer RPO and RTO averages, 35 hours and 44 hours respectively, than organizations who dedicated smaller percentages to DR, who had a RPO average of 25 hours and a RTO average of 32 hours. This goes to show that how money is spent is more important than how much money is spent.
    “One thing we’re only now realizing is the cost of the ripple effect. Controlling the costs of both a primary and secondary location, with data in both that needs to be aligned, can add up.”
    - Manager of IT in Public Services
  • 61. Info-Tech Research Group
  • 62. Info-Tech Research Group
    Misalignment between IT’s current capabilities and the business’ validated needs is a fixable problem
    If IT’s RPOs and RTOs are high than the business’ needs, then the organization is incurring a needless expense.
    If IT’s RPOs and RTOs are lower than business’ needs,
    then the organization is still very vulnerable.
    Often, IT will not have a DR budget big enough to meet all of the business’ DR needs. In those cases, IT and the business will have to work together to find the balance which, while not ideal, is good enough. Once business and IT have decided on the organization’s RPOs and RTOs , IT must determine what resources will be required; these include time, skills and money (for upfront and ongoing costs).
    “In our industry and IT sector, crisis happens anytime. Having a workable DR that can be executed within the aligned time that the business group agreed with IT, we can manage our expectation with our stakeholders and allocate resources to identify problems and resume business operation if gaps happen.”
    -Supervisor in Air Transportation
  • 63. Info-Tech Research Group
    Until IT and the business have agreed on DR goals, work cannot start on improving DR capabilities
    Establish Budget/Costs
    DR cannot be gifted with infinite resources, so organizations must put the resources that are available to their best use. Review the list of priorities the business side has generated and the options currently open to the organization and then distribute the budget in proportion to goals.
    The Cycle of Alignment
    Aligning IT and the business’ RTOs and RPOs can be a difficult task. Companies generally rotate through three phases before they can actually begin to create a DR Capability. Avoid getting stuck in the cycle.
    Accept or Reject
    Once the budget has been drafted and IT has an idea of what is attainable, share the knowledge once more with the business side. Once they see the realities available to them, they may want to re-think some of their decisions.
    Begin Building DR
    Once the situation is understood and the details are agreed upon, the real work will finally begin.
    Healthy Debate
    It is critical to keep the business side involved in forming the final RTOs and RPOs, though finding a set you both agree on may not be the easiest task.
    Minimize the time spent on aligning IT and the business’ wants to expedite the process. Ensure that the business and IT keep the lines of communication open and that both parties are willing to hear each other’s opinions.
  • 64. Info-Tech Research Group
    Use Info-Tech’s “Ideal RPO and RTO Calculator” tool to align your organization’s recovery objectives
    Use the “Comparison of Business and IT Recovery Objectives” tab. Enter both IT’s and the business’ RTOs and RPOs, examine the comparison, and then enter the compromise.
    IT can provide a set of RPOs and RTOs, and business wants another set of RPOs and RTOs, but what set does the organization need?
    This is not a rhetorical question; use Info-Tech’s tool to find an answer.
  • 65. Info-Tech Research Group
    Use the “Cost of Maintaining Recovery Objectives” tab to align your organization’s objectives
    Companies generally miscalculate the percent of their IT budget that will be spent on DR. According to our survey, actual costs average 30% more than organizations predict. Use this tool to determine the percent of the IT budget your organization should invest in DR.
  • 66. Info-Tech Research Group
    In this deck, you have:
    • assessed your organization’s current DR capabilities,
    • 67. obtained the business’ priorities,
    • 68. kept the business involved while IT balanced their wants and their costs, arriving at the organization’s needs,
    • 69. and learned the approximate budget those DR objectives require.
    These are the steps all organizations need to take when scoping their appropriate DR capabilities; follow them to lead your company to stable ground.
    The next phase of the DR project is the actual planning.
    It is time to get down to the details, answering questions like:
    Will your organization create its disaster recovery plan (DRP) in-house or will it outsource the creation?
    • If you decide to take the in-house route, it might help to know that: 75% of organizations create their plans in-house and, on average, plans take 9 months to complete.
    • 70. If you decide to outsource, it might help to know that: outsourcing plans is expensive, costing anywhere from $20,000 to hundreds of thousands of dollars.
    What facilities will your organization use for the DRP’s continual support?
    • After you have built your organization’s DR capability, you still need to sustain it. Determine if your DR capability should be hosted in-house, through a third party or through co-location facility.
    You have an idea of your goals and your budget, but you still need to decide where exactly you will be spending your time and money in order to make those goals a reality. Refer to the Appendix for more information on how an actual DRP can be broken down.
  • 71. Info-Tech Research Group
  • 72. Public Services organization begins to build its DR
    Info-Tech Research Group
  • 73. Government agency continually improves DR capability
    Info-Tech Research Group
  • 74. Consulting company knows how to maintain its DR capabilities
    Info-Tech Research Group
  • 75. Need additional support?
    Info-Tech goes beyond just providing research: You can either speak directly with an analyst or advisor and/or evaluate on-site consulting services to help your team achieve results.
    Trigger Point:The Basics
    Trigger Point:Current DR Capabilities
    Trigger Point:DR Wants & Needs
    Trigger Point:Aligning IT & Business
    The Definition
    Disaster Recovery vs.Business Continuity
    The Value
    What IT Provides
    Business Buy-In
    What Business & IT Want
    What Business & IT Need
    Balancing Costs
    Achieving Compromise
    Our Consulting & Advisory Services
    Our Consulting & Advisory Services
    Our Consulting & Advisory Services
    Our Consulting & Advisory Services
    Establishing common understanding
    Clarification of scope and responsibilities
    Business case development
    Assessing your IT Capability: DR Recovery Objective Alignment & Cost Tool
    Fostering Organizational Awareness
    and Readiness
    Business Impact Assessment
    DRBC Organizational Prioritization
    Commitment on Budget for DRBC Priority Areas
    Executive Roadmap & Timeline
    E-mail our Advisory Team to find out how we have helped other clients and get your Disaster Recovery initiative started today!
  • 76. Info-Tech Research Group
  • 77. Info-Tech Research Group
    What are the components of a disaster recovery plan?
    DRPs can be split into two main parts: Strategic and Tactical