Right size enterprise disaster recovery plans


Published on

All organizations need a Disaster Recovery (DR) plan, but many are unsure what is appropriate or how to scope the organization’s needs. Operating with an insufficient DR plan leaves organizations vulnerable to negative business impacts in the event of a disaster. Organizations can save time and money by properly scoping their DR plan.

The process of examining your DR plan can be broken down into a series of steps:

* Determine the current DR capability which IT can provide
* Know what DR capabilities the business wants
* Align the business’ and IT’s DR priorities

Use this Storyboard to begin the process of building your organization’s ultimate DR plan.

Published in: Technology, Business, Education
  • Be the first to comment

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Right size enterprise disaster recovery plans

  1. 1. Right-Size Enterprise <br />Disaster Recovery Capabilities<br />1<br />Info-Tech Research Group<br />
  2. 2. Info-Tech Research Group<br />2<br />Executive Summary<br /><ul><li> All organizations, needs some form of DR capabilities, or procedures and systems in place to lead them back to operations after a disaster.
  3. 3. Your organization must establish the DR it has, the DR it wants, and the DR it needs. Info-Tech has looked at what other companies have done and will provide you with the do’s and don’ts when tackling DR:
  4. 4. Measure your organization’s current DR capabilities
  5. 5. Get business buy-in to establish appropriate DR priorities
  6. 6. Separate DR wants from DR needs
  7. 7. Set relevant and realistic objectives for your organization’s DR capabilities
  8. 8. Plan for the cost of realizing your chosen DR objectives
  9. 9. All DR scoping projects are comprised of three phases, move through these phases in a timely manner to reduce the time spent on planning your DR capability:</li></ul>Determine the current DR capability which IT can provide<br />Know what DR capabilities the business wants<br />Align the business’ and IT’s DR priorities<br />
  10. 10. Introduction<br /><ul><li>All companies have some form of Disaster Recovery (DR) capability in place whether they realize it or not. Depending on the size and needs of the company, DR capabilities can range from having an employee backing up the company’s files once a month to having a fully documented and tested plan in place.
  11. 11. If the IT and the business side of an organization are in alignment with their DR desires, needs, and priorities, then the current plan may be well-suited to the organization. However, organizations rarely have proper DR capabilities in place.
  12. 12. Many organizations make the mistake of having inappropriate DR capabilities. Having too much DR capability means the organization is overspending and having too little means the organization is still vulnerable in the event of a disaster. Make sure that DR capability is a good fit with the organization’s actual needs.
  13. 13. It is often hard to settle on what amount of DR capability your organization needs. This solution set will walk you through the right-sizing phase of your DR project quickly and will address all the relevant areas:
  14. 14. The Basics
  15. 15. Current DR Capabilities
  16. 16. DR Wants and Needs
  17. 17. Aligning IT and Business
  18. 18. Case Studies
  19. 19. Once the organization’s appropriate DR objectives are agreed upon, IT can begin planning their development.</li></ul>Info-Tech Research Group<br />3<br />
  20. 20. Info-Tech Research Group<br />4<br />
  21. 21. Info-Tech Research Group<br />5<br />Without some level of DR capability, the odds are overwhelming that your business won’t survive a disaster<br />DR concerns the safety and restoration of an organization’s technology infrastructure in the event of a disaster. There should be some level of disaster recovery in place at every organization. DR will return the business to normal operations after anything from a natural disaster to a serious security breach.<br />Research shows:<br /> <br /><ul><li> 6% of companies which suffer a catastrophic data loss recover and survive,
  22. 22. 43% never reopen,
  23. 23. 51% close within two years of reopening.</li></ul> <br />Source: University of Texas<br />DR focuses on the recovery of IT services, systems, data facilities and staff.<br />
  24. 24. Info-Tech Research Group<br />6<br />Disaster Recovery focuses on IT, Business Continuity concerns the entire company. Don’t confuse the two.<br />Disaster Recovery<br /><ul><li>A subset of BC that addresses the IT elements of continuity such as data, application, and infrastructure recovery
  25. 25. Reactionary set of procedures that take place once a disaster has struck
  26. 26. The IT side of an organization is responsible for its DR</li></ul>Business Continuity<br /><ul><li>A set of procedures that organizations can adopt in an effort to minimize the impact that an outage has on all aspects of a business
  27. 27. Incorporates organizational and human resources issues such as communications plans and crisis management
  28. 28. The business side of an organization is responsible for its Business Continuity</li></ul>Business Continuity<br />Disaster Recovery<br />DR and BC initiatives should complement each other; a good DR plan relies on a good BC plan and vice versa. Ensure that the DR and BC teams work closely together to ensure success.<br />For more information on the differences between DR and BC, please refer to the note, “Draw the Line Between Disaster Recovery and Business Continuity.”<br />
  29. 29. Info-Tech Research Group<br />7<br />Organizations attribute their failure to develop disaster recovery capabilities to multiple factors<br />Organizations listed business buy-in, time, and money as the main reasons why they had yet to develop their disaster recovery capabilities. <br />“Cost and always something else to do…”<br />-VP in Public Administration<br />“The organization didn't have an IS executive in place and it wasn't considered a company priority until recently. “<br />- VP in Wireless Telecom Carriers<br />“3 blind monkeys - haven't seen a disaster, won't hear of a disaster, refuse to talk of a disaster. Strong plans have existed and been undermined over time due to lack of executive support. Some departments have maintained robust procedures, yet others are becoming weak links.“<br />-Manager in Publishing Industry<br />
  30. 30. Info-Tech Research Group<br />8<br />No matter how lucky you are, disasters occur. Everyone is vulnerable and can benefit from some preparation.<br />DR only becomes useful when all else has gone horribly wrong.<br />“In business, the disaster isn't the act of God or fire that destroys property, but the loss of data and the inability to continue operations - THAT is the business disaster.“<br />-Manager in the Publishing Industry<br />It would be best for an organization if the value of its DR capabilities is never truly realized. However, having DR ensures that an organization can (and knows how to) survive a disaster. If an organization invests a little now, it won’t lose nearly as much later.<br />Unless you live in an impenetrable bubble, you will benefit from DR.<br />Every organization that operates on the planet is at risk from one type of disaster or another. An organization will find DR valuable whenever the cost of losing its IT operations is greater than the cost of creating and maintaining its DR capabilities. <br />“It’s a relatively cheap insurance policy.”<br />- Director in Consulting<br />
  31. 31. Info-Tech Research Group<br />9<br />Downtime costs money. If you know how much, then you know how urgently the organization must avoid it.<br />There are several ways in which downtime may cost your organization money:<br />Loss of Revenue<br />If the organization is unable to sell product or fulfill orders, then it is losing revenue. This could be the result of an interruption in the shipping process or of the channel through which sales are made (building, website, etc.) being inaccessible to customers. <br />Loss of Productivity<br />The system is down, causing a production shift to stand around or "make work" to keep busy rather than doing their normal jobs. Since staff still have to be paid, this time is considered a loss.<br />Increased Labor Costs<br />Any additional work is going to require additional labor. This could be in the form of overtime shifts or extra workers during regular shifts. Whatever the case, expenses are going to increase and the organization is going to have to pay for these incremental costs.<br />Increased Operations Costs<br />If additional work has to be done in order to make up for lost time, then operating costs, such as utility costs, are likely to increase. These expenses are separate from labor and have more to do with keeping the company open longer or working at a higher capacity. <br />What costs are relevant, and to what degree they impact the organization, is dependent upon the specific system that is down and its function within the business.<br />
  32. 32. Info-Tech Research Group<br />There are three stages in DR Scoping; each is driven by a different group of stakeholders<br />Step 1: Assess Current IT Capabilities<br /><ul><li>Prior to creating DR capabilities, know what degree of DR capability IT currently has.
  33. 33. Know when IT can bring systems back online and to what point IT can recover data.
  34. 34. Understand the infrastructure that is currently used to support recovery abilities.
  35. 35. Once you know what resources IT currently has, it’s easier to identify potential areas that should be developed or cut in later steps.</li></ul>Step 2: Establish and Validate the Business’ Wants<br /><ul><li>The business side needs to be able to define when it wants systems back online and to what point it wants data recovered.
  36. 36. The validity of these wants can be established by asking these questions:
  37. 37. What systems are most important to the business?
  38. 38. Are there manual processes which can temporarily replace these systems?
  39. 39. How much does downtime cost the business? </li></ul>Step 3: Aligning IT’s Capabilities and the Business Needs<br /><ul><li>Ensure that what IT provides and what the business side wants are aligned.
  40. 40. Avoid discrepancies between the two groups; negotiate to find the right compromise.
  41. 41. IT should be able to explain the costs of attaining various objectives.
  42. 42. The business side should be able to explain the potential downtime costs various objectives are meant prevent.
  43. 43. Once both sides of the puzzle are understood, the organization can settle on a balance.</li></ul>10<br />
  44. 44. Info-Tech Research Group<br />11<br />
  45. 45. Info-Tech Research Group<br />12<br />All organizations have some form of DR capability; determine if you need to spend more time on DR<br />If the answer to any of the questions above is "No", your organization needs to spend more time on DR. <br />The “DR Recovery Objective Alignment and Cost Tool” will walk you through these questions and help you determine if you need to spend more time on DR.<br />
  46. 46. Info-Tech Research Group<br />13<br />The legend below appears on the slides ahead to remind you of where you are in the DR scoping process.<br />1<br />2<br />Knowing IT’s existing ability to withstand and recover from disaster provides a baseline from which all future DR enhancements and/or downgrades can be made.<br />The business needs to be able to communicate the amount of time and data it can afford to loose in the event of a disaster in order to establish an initial target for DR improvements.<br />3<br />4<br />Business desires must be validated by balancing potential downtime losses with the cost of enhanced DR capabilities.<br />IT and the business must ensure that capabilities are aligned with requirements and that budgets are reasonable and can be achieved.<br />
  47. 47. Info-Tech Research Group<br />14<br />Business buy-in should be collected throughout the project; it is crucial for establishing proper DR goals<br />“We absolutely had difficulty getting buy-in, no one has time for something that may never happen. You just have to explain it to them, and eventually executives come around, however reluctantly.”<br /> – IT Director in Real Estate Development and Operation<br /><ul><li>Without understanding where the business’ needs begin and end, IT will be blindly assembling disaster recovery objectives.
  48. 48. The organization will either waste money on unneeded DR or, won’t be fully prepared for disasters.</li></ul>Buy-in is not as elusive as you might imagine, but here are some tips just in case:<br /><ul><li>Many organizations have found that simply explaining DR’s relevance to the business and the company’s survivability goes a long way in generating buy-in.
  49. 49. If you have trouble getting buy-in from the business group, try focusing on one key individual. If you can win over a business leader and have them champion DR to the rest of the departments, then the process should be much smoother.</li></li></ul><li>Info-Tech Research Group<br />15<br />You can’t know which direction your organization should head in until you know where it stands.<br />Milestones on the<br />Path to Understanding<br />Knowing what recovery infrastructure and systems are in place is the first step in understanding how your organization can improve recovery times. If you know what you currently have, then it’s much easier to identify what you still need. Moreover, a review of your organizations’ resources may also identify what can be cut, and thereby save your organization from some unnecessary expenses.<br />What is IT currently doing?<br />Are there multiple data centers? How often is data backed up? What are the general practices around storing data and fixing technology problems?<br />Whether IT realizes it or not, aspects of DR might already be incorporated into their standard operating procedures.<br />How do these practices translate into measurable statistics?<br />Once IT recognizes what’s being done, it becomes a matter of recording how effective those practices are. <br />Recovery objectives, which are defined on the on slide 17, are a useful metric for determining effectiveness. <br />“Not having DR is like gambling on a game you are certain to lose long-term.”<br />-Director in Real Estate Property Management<br />
  50. 50. Info-Tech Research Group<br />Maybe you need to spend more time on DR. Here’s a tool to find out.<br />Answer a few simple questions in the “DR Recovery Objective Alignment and Cost Tool” and determine your organization’s current and recommended DR capability.<br />“DRPs are never completed; they’re always drafts as far as I’m concerned.”<br />– IT Director in Real Estate Development and Operation<br />This tool will assist you in defining which areas of your DR plan are insufficient for your organizational needs.<br />16<br />
  51. 51. Info-Tech Research Group<br />17<br />RTO and RPO are the building blocks of DR<br />Info-Tech Insight:<br />Recovery Time Objective, or RTO, is the amount of time an organization can afford to have its systems down (e.g. the organization's systems can be down no longer than one hour).<br />Recovery Point Objective, or RPO,is the point in time beyond which an organization cannot afford to lose information (e.g. the organization can afford to lose 24 hours data/processing)<br />Off-site back up does NOT result in RTOs and RPOs of zero hour. Unless data is streamed to redundant facilities and simultaneously processed, outages can still occur. <br />RTOs and RPOs are the metrics which set the level of your organization’s DR capability.<br />RTOs and RPOs vary depending on the needs of the organization and the criticality of the system/data they are relevant to; they can range from less than an hour to more than a week. <br />
  52. 52. Info-Tech Research Group<br />18<br />Organizations care more about reducing data loss than restoring system operations<br />For most organizations, limiting data lost during a disaster is more important than minimizing downtime. This is likely because so much of a business’ day to day activities rely on the data.<br />It’s cheaper and easier to support longer recovery objectives. The percent of the yearly IT budget that is spent on DR decreases as RTOs and RPOs increase. <br />
  53. 53. Info-Tech Research Group<br />19<br />Shorter RTOs and RPOs provide greater protection, but at a greater cost. The inverse also applies.<br />When an organization decreases its RPOs and RTOs, it will need to increase its DR budget to procure and maintain more infrastructure and policies to support the new objectives.<br />When an organization decides it can afford to increase its RPOs and RTOs, it can decrease its DR budget because it needs to procure and maintain less infrastructure and create fewer policies to support the new objectives.<br />“We must prepare for the worst and hope for the best, but it is a balancing act as to how much you spend on insurance.”<br />-Manager in Chemical Manufacturing<br />Disaster Point<br />Required Investment Increases as RPO Decreases<br />Required Investment Increases as RTO Decreases<br />$$<br />$$<br />$<br />$<br />1 Week RPO<br />1 Day<br />RPO<br />1 Hour RPO<br />1 Week RTO<br />1 Day RTO<br />1 Hour RTO<br />
  54. 54. Info-Tech Research Group<br />20<br />
  55. 55. Info-Tech Research Group<br />21<br />Even moderate business involvement will make DR projects much more time effective<br />In emergencies, organizations need to get critical systems up and running as fast as possible. The business side plays a key role in determining exactly which systems are critical, and which are secondary. <br />“A balance is needed between spend and potential impact - this depends on business criticality and so it is entirely down to the business leaders to decide. IT can assist in optimizing the DR solution so resources aren’t wasted.”<br />-Manager in Other Services<br />
  56. 56. Info-Tech Research Group<br />22<br />The Business Impact Assessment is an important step in building proportionate DR capabilities<br />Business Impact Assessments (BIA) gauge the approximate costs and frequency of system downtime. Systems are then prioritized in terms of criticality, allowing organizations to focus attention and resources where they will be best spent. BIAs should be done before attempting to create any DR capabilities.<br />“We looked at descriptions of the divisions, what applications were used within them, and how they broke themselves down in regards to criticality with timeframes listing their priorities. We didn’t worry about price at this point; it was just a matter of determining the levels of importance.”<br />- Senior Technical Support Specialist in the Government<br />Current RTO<br />RTO that Bus. wants<br />RTO that Bus. Needs<br />DR<br />BIA<br />Current RPO<br />RPO that Bus. wants<br />RPO that Bus. Needs<br />
  57. 57. Info-Tech Research Group<br />23<br />BIAs help the business side determine what DR capabilities they actually need<br />How is the BIA used?<br />“People who haven’t created a DRP are just one disaster away from making the change.”<br />- Director in Consulting<br />
  58. 58. Info-Tech Research Group<br />24<br />The Business Impact Analysis tool is a fast way of figuring out how much downtime is costing you<br />You have read about the ways in which downtime can cost your organization money. The next step is to calculate how much money your organization actually loses to downtime.<br />In the “DR Recovery Objective Alignment and Cost Tool”, the “Business Impact Analysis” tab will tell you what kind of annual losses you can expect due to downtime, which will then be compared to the amount spent on DR. A large difference indicates there is a need for change.<br />
  59. 59. Info-Tech Research Group<br />25<br />While bigger budgets might not guarantee shorter RPOs and RTOs, they do raise DR satisfaction<br />Organizations that have dedicated a larger percent of their IT budget to DR were 44% more likely to have been more satisfied with their performance during an actual disaster than those with smaller DR budget percentages. <br />The organizations with larger budget percentageswere also 33% more likely to reach their RTOs and RPOs than less DR-endowed organizations.<br />
  60. 60. Info-Tech Research Group<br />26<br />Explain the costs associated with DR so the business can make informed decisions<br />Costs associated with Disaster Recovery:<br />Infrastructure investments (ranging from new hardware to redundant data centers)<br />Software investments<br />Training for IT staff<br />Cost of educating and training end users<br />Testing<br />Modifications to plan (to reflect any organizational changes, changes to software, infrastructure and business needs)<br />One Time <br />Costs<br />Ongoing<br />Costs<br />Despite feeling satisfied, survey results showed that organizations that dedicated a larger percent of their IT budget to DR actually had longer RPO and RTO averages, 35 hours and 44 hours respectively, than organizations who dedicated smaller percentages to DR, who had a RPO average of 25 hours and a RTO average of 32 hours. This goes to show that how money is spent is more important than how much money is spent.<br />“One thing we’re only now realizing is the cost of the ripple effect. Controlling the costs of both a primary and secondary location, with data in both that needs to be aligned, can add up.”<br />- Manager of IT in Public Services<br />
  61. 61. Info-Tech Research Group<br />27<br />
  62. 62. Info-Tech Research Group<br />28<br />Misalignment between IT’s current capabilities and the business’ validated needs is a fixable problem<br />If IT’s RPOs and RTOs are high than the business’ needs, then the organization is incurring a needless expense.<br />If IT’s RPOs and RTOs are lower than business’ needs, <br />then the organization is still very vulnerable.<br />Often, IT will not have a DR budget big enough to meet all of the business’ DR needs. In those cases, IT and the business will have to work together to find the balance which, while not ideal, is good enough. Once business and IT have decided on the organization’s RPOs and RTOs , IT must determine what resources will be required; these include time, skills and money (for upfront and ongoing costs). <br />“In our industry and IT sector, crisis happens anytime. Having a workable DR that can be executed within the aligned time that the business group agreed with IT, we can manage our expectation with our stakeholders and allocate resources to identify problems and resume business operation if gaps happen.”<br />-Supervisor in Air Transportation<br />
  63. 63. Info-Tech Research Group<br />29<br />Until IT and the business have agreed on DR goals, work cannot start on improving DR capabilities<br />Establish Budget/Costs<br />DR cannot be gifted with infinite resources, so organizations must put the resources that are available to their best use. Review the list of priorities the business side has generated and the options currently open to the organization and then distribute the budget in proportion to goals.<br />The Cycle of Alignment<br />Aligning IT and the business’ RTOs and RPOs can be a difficult task. Companies generally rotate through three phases before they can actually begin to create a DR Capability. Avoid getting stuck in the cycle. <br />Accept or Reject<br />Once the budget has been drafted and IT has an idea of what is attainable, share the knowledge once more with the business side. Once they see the realities available to them, they may want to re-think some of their decisions.<br />Begin Building DR<br />Once the situation is understood and the details are agreed upon, the real work will finally begin.<br />Healthy Debate<br /> It is critical to keep the business side involved in forming the final RTOs and RPOs, though finding a set you both agree on may not be the easiest task.<br />Minimize the time spent on aligning IT and the business’ wants to expedite the process. Ensure that the business and IT keep the lines of communication open and that both parties are willing to hear each other’s opinions. <br />
  64. 64. Info-Tech Research Group<br />30<br />Use Info-Tech’s “Ideal RPO and RTO Calculator” tool to align your organization’s recovery objectives<br />Use the “Comparison of Business and IT Recovery Objectives” tab. Enter both IT’s and the business’ RTOs and RPOs, examine the comparison, and then enter the compromise.<br />IT can provide a set of RPOs and RTOs, and business wants another set of RPOs and RTOs, but what set does the organization need?<br />This is not a rhetorical question; use Info-Tech’s tool to find an answer.<br />
  65. 65. Info-Tech Research Group<br />31<br />Use the “Cost of Maintaining Recovery Objectives” tab to align your organization’s objectives<br />Companies generally miscalculate the percent of their IT budget that will be spent on DR. According to our survey, actual costs average 30% more than organizations predict. Use this tool to determine the percent of the IT budget your organization should invest in DR. <br />30%<br />
  66. 66. Info-Tech Research Group<br />32<br />Summary<br />In this deck, you have:<br /><ul><li> assessed your organization’s current DR capabilities,
  67. 67. obtained the business’ priorities,
  68. 68. kept the business involved while IT balanced their wants and their costs, arriving at the organization’s needs,
  69. 69. and learned the approximate budget those DR objectives require.</li></ul>These are the steps all organizations need to take when scoping their appropriate DR capabilities; follow them to lead your company to stable ground.<br />The next phase of the DR project is the actual planning. <br />It is time to get down to the details, answering questions like:<br />Will your organization create its disaster recovery plan (DRP) in-house or will it outsource the creation? <br /><ul><li>If you decide to take the in-house route, it might help to know that: 75% of organizations create their plans in-house and, on average, plans take 9 months to complete.
  70. 70. If you decide to outsource, it might help to know that: outsourcing plans is expensive, costing anywhere from $20,000 to hundreds of thousands of dollars.</li></ul>What facilities will your organization use for the DRP’s continual support? <br /><ul><li>After you have built your organization’s DR capability, you still need to sustain it. Determine if your DR capability should be hosted in-house, through a third party or through co-location facility. </li></ul>You have an idea of your goals and your budget, but you still need to decide where exactly you will be spending your time and money in order to make those goals a reality. Refer to the Appendix for more information on how an actual DRP can be broken down.<br />
  71. 71. Info-Tech Research Group<br />33<br />
  72. 72. Public Services organization begins to build its DR<br />Info-Tech Research Group<br />34<br />
  73. 73. Government agency continually improves DR capability <br />Info-Tech Research Group<br />35<br />
  74. 74. Consulting company knows how to maintain its DR capabilities<br />Info-Tech Research Group<br />36<br />
  75. 75. Need additional support? <br />Info-Tech goes beyond just providing research: You can either speak directly with an analyst or advisor and/or evaluate on-site consulting services to help your team achieve results.<br />Trigger Point:The Basics<br />Trigger Point:Current DR Capabilities<br />Trigger Point:DR Wants & Needs<br />Trigger Point:Aligning IT & Business<br />The Definition<br />Disaster Recovery vs.Business Continuity<br />The Value<br />What IT Provides<br />Business Buy-In<br />What Business & IT Want<br />What Business & IT Need<br />Balancing Costs<br />Achieving Compromise<br />Our Consulting & Advisory Services<br />Our Consulting & Advisory Services<br />Our Consulting & Advisory Services<br />Our Consulting & Advisory Services<br />Establishing common understanding<br />Clarification of scope and responsibilities<br />Business case development<br />Assessing your IT Capability: DR Recovery Objective Alignment & Cost Tool <br />Fostering Organizational Awareness <br />and Readiness<br />Business Impact Assessment<br />DRBC Organizational Prioritization <br />Commitment on Budget for DRBC Priority Areas<br />Executive Roadmap & Timeline<br />E-mail our Advisory Team to find out how we have helped other clients and get your Disaster Recovery initiative started today!<br />37<br />
  76. 76. Info-Tech Research Group<br />38<br />Appendix<br />
  77. 77. Info-Tech Research Group<br />39<br />What are the components of a disaster recovery plan?<br />DRPs can be split into two main parts: Strategic and Tactical<br />