This document presents a maturity model to assess the readiness of an organization's IT disaster recovery program. It defines five levels of maturity for IT disaster recovery from initial/ad hoc to optimized/resilient. The model evaluates three components: strategy, implementation, and exercise/maintenance. Each component contains capabilities used to measure the organization's maturity level. The model can be used to evaluate risk, develop roadmaps, and identify areas for improvement. Results can be presented using milestone, dashboard, or per-component models to visualize the current status and guide further development of the disaster recovery program.

1. IT Disaster Recovery
Readiness
MATURITY MODEL TO ASSESS YOUR IT DR PROGRAM

2. Maturity Model Purpose
 The purpose of this model is to help the reader in evaluating the current
status of his/her Disaster Recovery program.
 Beside that, below sample use-cases for this maturity model:
 Evaluate the current Risk level on business continuity in event of disaster.
 Anticipate a road-map or desire state for IT Disaster Recovery planning.
 business case input for Disaster Recovery initiative.
 Driver for Integration plan for multiple enterprise wide capabilities into
Disaster recovery planning.
 Use as scale to evaluate multiple capabilities or line of businesses against
each other in term of disaster recovery readiness.

3. Maturity levels Definition
Level Definition Description
1 Initial or Ad hoc minimal or ineffective recovery capabilities in-place.
2 Established or
Reactive
disaster recovery strategy in-place but lack proper capabilities
and handled on best-efforts bases.
3 Prepared or business
enabled
disaster recovery strategy in-place and align with business
demands.
4 Managed or
Proactive
disaster recovery managed as program where dedicated team
manage/maintain/validate various components of disaster
recovery program.
5 Optimized or
resilient
disaster recovery program complement & seamlessly
integrate with various enterprise wide practices (IT/none-IT)
and address growth requirement.
This Model has five levels of readiness or maturity for Disaster Recovery “DR” capabilities,
where level 0 “Non-existent” removed due to easiness of determining the same “lack of
recovery strategy or capabilities”.

4. Maturity Model Structure
 I have structured this model into three (3) main ITDR components (21 ITDR
capabilities), each of them measure different aspects of DR capabilities:
 ITDR Strategy (measure stakeholder engagement “reflected as Interest & Power”
in ITDR)
 ITDR Implementation (measure IT alignment with business demands)
 ITDR Exercise & Maintenance (measure the effectiveness “reflected on Success
rate & Credibility/Confidence level” of ITDR program)
 The outcome of overall review of these three ITDR components, will be
Maturity/Readiness level for Enterprise’s recovery capabilities in term of:
 Recovery likelihood
 Risk to business

5. Measuring Capabilities
 For each ITDR component, set of measuring capabilities identified to help
differentiating different maturity level:
ITDR Strategy ITDR Implementation ITDR Exercise &
Maintenance
ITDR Plan Recovery site setup & connectivity Support/SLA for ITDR infrastructure
ITDR Processes & Procedures
(BIA/RA)
Data Backup/Restore & Replication Backup/Restore testing & validation
ITDR Team , Roles, & Responsibilities Configuration synchronization Infrastructure Monitoring
Backup/Recovery practice DR Facility & User connectivity ITDR Training
ITDR Budget & fund ITDR Run-book or Play-book ITDR Infrastructure/Application/OS
Patching Practice
ITDR integration with Enterprise wide
practices
ITDR Infrastructure ITDR testing exercise
ITDR Road-map ITDR Failover/Failback
Implementation
ITDR Audit , Report & document
review.

6. ITDR Strategy Maturity
LEVEL TO CAPABILITY MAPPING

7. Level to capability Mapping
ITDRStrategy Level1 (Unaware) Level 2 (Neutral) Level 3 (Sponsor) Level 4 (Involved) Level 5 (Empower)
 Basic Backup/Recovery
Procedure documented.
 Lack of ITDR plan, processes
or procedures documented.
 Lack of BIA/RA Performed to
identify IT Critical services &
its RTO/RPO demands .
 Lack of ITDR Team structure
(best-efforts bases).
 Lack of dedicated Budget.
 Basic definition of critical
services documented (IT
point of view).
 Backup/Recovery Procedure
documented.
 One General Definition for
recovery strategy for all IT
services.
 High-level or Basic ITDR Plan
documented (usually as part
of IT procedures).
 Budget funded from other IT
initiatives.
 Partial recovery team
structure, but roles
responsibilities not clearly
defined (lack of ownership).
 Chaotic DR communication ,
declaration & escalation
structure ( lack of
governance structure)
 Business RTO/RPO defined
(through Business Impact
Analysis “BIA”).
 Backup/Recovery Procedure
documented & align with
defined RTO/RPO.
 ITDR Plan documented but
not reviewed or it is
reviewed but on best efforts
bases.
 ITDR BIA/RA processes &
procedures documented.
 Criticality-based recovery
strategy (ex. Replication for
critical services and restore
from backup for others).
 ITDR recovery strategy cover
both Failover/Failback.
 Lack of dedicated ITDR lead
identified but the “acting-
as” defined.
 Recovery team member
identified.
 ITDR communication,
declaration & escalation
structure documented.
 Level 3 (in addition to the
following).
 ITDR Plan Reviewed in
Frequent bases.
 KPI Defined for various IT DR
Plan components.
 ITDR Road-Map defined.
 ITDR Budget allocated.
 Recovery Strategy Defined
Per-service.
 ITDR Roles and
Responsibilities Defined.
 ITDR process automation
(BIA/RA) in-place.
 ITDR Plan cover full, partial
(multiple-services), &
service-level
Failover/Failback.
 ITDR planned as part of IT
budget & infrastructure
capacity planning.
 Level 4 (in addition to the
following).
 ITDR integrated with change
management process.
 ITDR Road-map integrated
with business plan/IT
strategy.
 ITDR Processes and
procedures integrated in
enterprise architect as well
 ITDR requirements collected
as part of business
requirements gathering for
any new IT initiative.
 ITDR Integrated with both
business continuity plan
(BCP) and Crisis
Management Plan (CMP) for
the enterprise.
 IT DR Roles &
Responsibilities integrated
as part of job description.
 (in case of insurance) IT DR
integrated with Enterprise
insurance plan.
 ITDR communication plan
align with enterprise
communication guidelines.
Indicator
Low (Power , Interest)
Stakeholder Engagement
High (Power, Interest )

8. ITDR Implementation Maturity
LEVEL TO CAPABILITY MAPPING

9. Level to capability Mapping
ITDRImplementation
Level1 (Siloed) Level 2 (best-
efforts)
Level 3 Level 4 (Improve) Level 5 (Value
Creator)
 Basic backup/restore
capability.
 Cold recovery site
capabilities.
 Lack of resiliency for DR site
connectivity.
 Shared and/or Low
Bandwidth DR link.
 Legacy or limited DR
infrastructure components
implement.
 Lack of user’s connectivity
planned.
 Advanced backup/restore
capability (restoration
testing capability in-place).
 Basic data replication
capability in-place.
 Warm recovery site
capabilities.
 Active/standby connectivity
for DR site.
 DR infrastructure
configuration is not up-to-
date (Manual Configuration
required in case of Disaster).
 Recovery procedure
documented at high-level
(lack of run-book concept).
 Most of user’s access
planned –in event of
disaster- based on remote
access (no dedicated DR
facility).
 Both Replication and
Backup/restore capabilities
in-place.
 Warm or hot recovery site
capabilities with highly
available connectivity.
 Most of DR infrastructure
configuration up-to-date.
 Per-service Disaster recovery
run-book in-place.
 Both remote access and
onsite access planned (DR
Facility secured).
 Technology support
recovery strategy in-place.
 Technology implementation
cover both failover/failback
demands.
 Both Main & Remote site
connectivity toward the
recovery site planned/
secured.
 Level 3 (in addition to the
following).
 Run-book maintained &
updated by owners.
 DNS load-balancing
techniques (Global service
Load Balancing)
implemented for seamless
DR Failover.
 Automated DR
Failover/Failback capability
in-place (software or
network based).
 DR Implementation support
full, partial (multiple-
services), & service-level
Failover/Failback.
 Level 4 (in addition to the
following).
 Technology/capability to
align/sync configuration
from Main site to recovery
site in-place and support
real-time synchronization.
 DR recovery site can expand
to permanent.
 DR Run-book automated for
both failover/failback
 capability to provide real-
time (RTO/RPO) calculation
for IT services.
 capability to integrate/feed
company’s BCP/CM platform
(in case of any).
 Users Recovery facility used
for day to day operation by
set of actual users.
 Tap backup/restore
capability implemented as
last restoration option.
 Advanced user connectivity
techniques planned in case
of disaster (ex. VDI).
Indicator
Low (Alignment , Added Value)
IT alignment with business
High (Alignment , Added Value)

10. ITDR Exercise & Maintenance Maturity
LEVEL TO CAPABILITY MAPPING

11. Level to capability Mapping
ITDRExercise&Maintenance
Level1(Ineffective) Level 2 (Reactive) Level 3 (Effective) Level 4 (Proactive) Level 5 (Reliable)
 Basic restoration testing
conducted (usually done by
IT and application owner not
in the picture).
 Random testing cycle taken
place and cover only backup
restoration for critical
services.
 Lack of monitoring for
backup jobs/disaster
recovery link/infrastructure.
 Some DR infrastructure
components end-of-life/end-
of-support.
 Backup Restoration
conducted for critical
services and application
owner engaged.
 Support & maintenance
secured for DR
infrastructure.
 Backup job monitoring in-
place, but lack DR
infrastructure monitoring.
 Limited or Partial DR testing
exercise (usually due to
limitation DR infrastructure
capabilities or lack of
management approval).
 DR testing taken place out of
working hours.
 DR Application/OS patching
performed on best-efforts
bases.
 Backup restoration testing
conducted in frequent bases.
 Both Main & Recovery site
has same level of
monitoring.
 Both Main & Recovery site
has same level of
Application/OS Patching.
 DR testing include user-level
testing from DR facility.
 DR testing perfumed in form
of partial testing (cover
business critical
applications) and cover both
failover/failback.
 ITDR training program in-
place and individual aware
of their Roles &
Responsibilities.
 Test results and lessons
learned captured within post
exercise report.
 Conduct ITDR Training in
frequent bases.
 Level 3 (in addition to the
following).
 DR testing include run some
actual transactions from
recovery site.
 Test results and lessons
learned used to update the
ITDR Plan as well as services
RTO/RPO values.
 ITDR Plan, Policies &
Procedures reviewed in
frequent bases.
 Different ITDR testing
exercises performed (full,
Partial, table-top &
simulation).
 ITDR testing performed
during working hours.
 Level 4 (in addition to the
following).
 Unannounced ITDR testing
may take place during
business hours.
 ITDR testing/exercise has a
defined KPI.
 ITDR training is part of IT
employee induction
program.
 Established Capability to
communicate DR individuals
Roles & Responsibility in
event of disaster
declaration.
 Multiple DR communication
media capabilities.
 ITDR focal participate
effectively in overall
enterprise BCP and CMP
exercise.
 Regular audit performed for
ITDR program as well as
ITDR budget spending.
Indicator
Low (Success, Credible)
Program Effectiveness
High (Success, Credible)

12. ITDR Overall Maturity View
RISK & RECOVERY

13. Overall Maturity View
Level 1 Level 2 Level 3 Level 4 Level 5
ITDR
Strategy
Unaware Neutral Sponsor Involved Empower
ITDR
Implementation
Siloed best-efforts Consistent Improve Value Creator
ITDR Exercise &
Maintenance
Ineffective Reactive Effective Proactive Reliable
RISK
Catastrophic Significant Manageable Minor Limited (expected)
High (Unpredictable)
Risk to Business
Low (Predictable)
RECOVERY
No Recovery
Limited Recovery
(Depend on IT Team
Capabilities)
Mission-Critical
applications/services
Recovery but not all
RTO/RPO achieved
Mission-Critical
applications/services
Recovery with
RTO/RPO agreed
Full applications
/services Recovery
with RTO/RPO agreed
Low (high efforts)
Recovery Likelihood
High (low efforts)

14. Quantitative ITDR Maturity
Assessment
WEIGHTED MODEL

15. Maturity level Calculation
 To Provide Quantitative spin for the ITDR maturity readiness, ITDR measuring capabilities (refer
to slide 5) can be utilized for the same, where a weight assigned for each individual measuring
capability.
 these weights used to calculate individual ITDR component’s scoring, which in turn used to
calculate ITDR overall maturity scoring (as illustrated in next two slides).
Note: The assigned weight may differ depend on user point-of-view, however the overall weight distribution need to follow same logic (sum per ITDR component =100)

16. Maturity level Calculation (Cont.)
To add more granularity to the Maturity level calculation, another multiplier “completeness" drafted wherein
each ITDR capability evaluated/scored against the same Maturity levels used earlier (as shown below), then both
weight and completeness are used to calculate ITDR capability Score: Capability(n) Score = ((Capability(n)
Weight) X Completeness (%))
Then ITDR component scoring (ITDR Component Maturity) will be:
ITDR Component Score = Sum (Capability 1 score + Capability 2 score + … + Capability 7 score)

17. Maturity level Calculation (Cont.)
Once individual ITDR component scored, ITDR overall Maturing scoring will be:
ITDR Maturity = (Sum of “ITDR Strategy Capabilities Scoring” + Sum of “ITDR Implementation
capabilities Scoring” + Sum of “ITDR Exercise & Maintenance Capabilities Scoring” )/3
Finally, we can map the maturity scoring to our 5 Risk levels as shown below:

18. ITDR Maturity Presentation
MATURITY DASHBOARD

19. ITDR Executive Presentation
 There are a lot of methods to present the output(s) of any maturity model
depend on demands and audience, in coming slides I have added three models
for maturity profile representation:
 Milestone or state-based Model (can be used for Road-Map presentation).
 Maturity Dashboard (can be used to represent current state ITDR maturity).
 Per-component Model (can be used to provide a quick visual gab analysis per ITDR
component as well as areas of improvement).
 Other presentation method can be used as well to factor the risk level and
recovery likelihood, however In this presentation I am covering the previous
three only.

20. Milestone or state-based Model
2017
2018
2019
Green: available
Umber: Partially available
Red: Not available

21. Maturity Dashboard

22. Per-component Model

23. “
”
Finally I would highlight that this effort is a human product,
and like any other human products, it is a reflection of
his/her creator experience & knowledge, and will not reach
perfection. So if you find it useful feel free to use it,
otherwise send me your inputs (my contact below).
Bashar Al-Khatib
Bashar_khatis83@yahoo.com
https://www.linkedin.com/in/bashar-alkhatib-59861518/