Date post: | 15-Jul-2015 |
Category: | Technology |
Upload: | info-tech-research-group |
Practical IT Research that Drives Measurable Results
Right-Size Enterprise Disaster Recovery Capabilities
Info-Tech Research Group
Executive Summary
• All organizations need some form of DR capability: procedures and systems in place to lead them back to operations after a disaster.
• Your organization must establish the DR it has, the DR it wants, and the DR it needs. Info-Tech has looked at what other companies have done and will provide you with the do’s and don’ts when tackling DR:
• Measure your organization’s current DR capabilities
• Get business buy-in to establish appropriate DR priorities
• Separate DR wants from DR needs
• Set relevant and realistic objectives for your organization’s DR capabilities
• Plan for the cost of realizing your chosen DR objectives
• All DR scoping projects comprise three phases. Move through these phases in a timely manner to reduce the time spent on planning your DR capability:
1. Determine the current DR capability which IT can provide
2. Know what DR capabilities the business wants
3. Align the business’ and IT’s DR priorities
Introduction
• All companies have some form of Disaster Recovery (DR) capability in place whether they realize it or not. Depending on the size and needs of the company, DR capabilities can range from having an employee backing up the company’s files once a month to having a fully documented and tested plan in place.
• If the IT and business sides of an organization are aligned on their DR desires, needs, and priorities, then the current plan may be well-suited to the organization. However, organizations rarely have proper DR capabilities in place.
• Many organizations make the mistake of having inappropriate DR capabilities. Having too much DR capability means the organization is overspending and having too little means the organization is still vulnerable in the event of a disaster. Make sure that DR capability is a good fit with the organization’s actual needs.
• It is often hard to settle on what amount of DR capability your organization needs. This solution set will walk you through the right-sizing phase of your DR project quickly and will address all the relevant areas:
• The Basics
• Current DR Capabilities
• DR Wants and Needs
• Aligning IT and Business
• Case Studies
• Once the organization’s appropriate DR objectives are agreed upon, IT can begin planning their development.
The Basics: The Definition, The Value, DR vs. BC
Without some level of DR capability, the odds are overwhelming that your business won’t survive a disaster
DR concerns the safety and restoration of an organization’s technology infrastructure in the event of a disaster. There should be some level of disaster recovery in place at every organization. DR will return the business to normal operations after anything from a natural disaster to a serious security breach.
DR focuses on the recovery of IT services, systems, data facilities and staff.
[Diagram: Disaster Recovery, covering IT Staff, IT Services, IT Systems, and IT Data Facilities]
Research shows:
• 6% of companies which suffer a catastrophic data loss recover and survive,
• 43% never reopen,
• 51% close within two years of reopening.
Source: University of Texas
Disaster Recovery focuses on IT; Business Continuity concerns the entire company. Don’t confuse the two.
DR and BC initiatives should complement each other; a good DR plan relies on a good BC plan and vice versa. Make sure that the DR and BC teams work closely together to ensure success.
For more information on the differences between DR and BC, please refer to the note, “Draw the Line Between Disaster Recovery and Business Continuity.”
Business Continuity
• A set of procedures that organizations can adopt in an effort to minimize the impact that an outage has on all aspects of a business
• Incorporates organizational and human resources issues such as communications plans and crisis management
• The business side of an organization is responsible for its Business Continuity
Disaster Recovery
• A subset of BC that addresses the IT elements of continuity such as data, application, and infrastructure recovery
• Reactionary set of procedures that take place once a disaster has struck
• The IT side of an organization is responsible for its DR
Organizations attribute their failure to develop disaster recovery capabilities to multiple factors
“3 blind monkeys - haven't seen a disaster, won't hear of a disaster, refuse to talk of a disaster. Strong plans have existed and been undermined over time due to lack of executive support. Some departments have maintained robust procedures, yet others are becoming weak links.”
- Manager in Publishing Industry
“The organization didn't have an IS executive in place and it wasn't considered a company priority until recently.”
- VP in Wireless Telecom Carriers
Organizations listed business buy-in, time, and money as the main reasons why they had yet to develop their disaster recovery capabilities.
“Cost and always something else to do…”
-VP in Public Administration
Without organizational buy-in for DR, it is easy to let it fall off the organization’s list of priorities and limit the time and money available to the project.
Disasters are not just tornadoes and earthquakes; a simple power outage can have catastrophic effects on organizations if they lose a month’s worth of data.
Organizations often think of the “disaster” in disaster recovery as an unlikely and far off event. Prioritizing DR becomes an issue because the organization thinks of it as planning for fiction rather than for reality.
No matter how lucky you are, disasters occur. Everyone is vulnerable and can benefit from some preparation.
It would be best for an organization if the value of its DR capabilities is never truly realized. However, having DR ensures that an organization can (and knows how to) survive a disaster. If an organization invests a little now, it won’t lose nearly as much later.
DR only becomes useful when all else has gone horribly wrong.
Unless you live in an impenetrable bubble, you will benefit from DR.
Every organization that operates on the planet is at risk from one type of disaster or another. An organization will find DR valuable whenever the cost of losing its IT operations is greater than the cost of creating and maintaining its DR capabilities.
“It’s a relatively cheap insurance policy.”
- Director in Consulting
“In business, the disaster isn't the act of God or fire that destroys property, but the loss of data and the inability to continue operations - THAT is the business disaster.”
- Manager in the Publishing Industry
Downtime costs money. If you know how much, then you know how urgently the organization must avoid it.
What costs are relevant, and to what degree they impact the organization, is dependent upon the specific system that is down and its function within the business.
There are several ways in which downtime may cost your organization money:
Loss of Revenue
If the organization is unable to sell product or fulfill orders, then it is losing revenue. This could be the result of an interruption in the shipping process or of the channel through which sales are made (building, website, etc.) being inaccessible to customers.
Loss of Productivity
The system is down, causing a production shift to stand around or "make work" to keep busy rather than doing their normal jobs. Since staff still have to be paid, this time is considered a loss.
Increased Operations Costs
If additional work has to be done in order to make up for lost time, then operating costs, such as utility costs, are likely to increase. These expenses are separate from labor and have more to do with keeping the company open longer or working at a higher capacity.
Increased Labor Costs
Any additional work is going to require additional labor. This could be in the form of overtime shifts or extra workers during regular shifts. Whatever the case, expenses are going to increase and the organization is going to have to pay for these incremental costs.
There are three stages in DR Scoping; each is driven by a different group of stakeholders
Step 1: Assess Current IT Capabilities
• Prior to creating DR capabilities, know what degree of DR capability IT currently has.
• Know when IT can bring systems back online and to what point IT can recover data.
• Understand the infrastructure that is currently used to support recovery abilities.
• Once you know what resources IT currently has, it’s easier to identify potential areas that should be developed or cut in later steps.
Step 2: Establish and Validate the Business’ Wants
• The business side needs to be able to define when it wants systems back online and to what point it wants data recovered.
• The validity of these wants can be established by asking these questions:
• What systems are most important to the business?
• Are there manual processes which can temporarily replace these systems?
• How much does downtime cost the business?
Step 3: Aligning IT’s Capabilities and the Business Needs
• Ensure that what IT provides and what the business side wants are aligned.
• Avoid discrepancies between the two groups; negotiate to find the right compromise.
• IT should be able to explain the costs of attaining various objectives.
• The business side should be able to explain the potential downtime costs various objectives are meant to prevent.
• Once both sides of the puzzle are understood, the organization can settle on a balance.
Current DR Capabilities: What IT Provides, Business Buy-In
All organizations have some form of DR capability; determine if you need to spend more time on DR
If the answer to any of the questions above is "No", your organization needs to spend more time on DR.
The “DR Recovery Objective Alignment and Cost Tool” will walk you through these questions and help you determine if you need to spend more time on DR.
The legend below appears on the slides ahead to remind you of where you are in the DR scoping process.
Knowing IT’s existing ability to withstand and recover from disaster provides a baseline from which all future DR enhancements and/or downgrades can be made.
The business needs to be able to communicate the amount of time and data it can afford to lose in the event of a disaster in order to establish an initial target for DR improvements.
Business desires must be validated by balancing potential downtime losses with the cost of enhanced DR capabilities.
IT and the business must ensure that capabilities are aligned with requirements and that budgets are reasonable and can be achieved.
Business buy-in should be collected throughout the project; it is crucial for establishing proper DR goals
• Without understanding where the business’ needs begin and end, IT will be blindly assembling disaster recovery objectives.
• The organization will either waste money on unneeded DR or won’t be fully prepared for disasters.
“We absolutely had difficulty getting buy-in, no one has time for something that may never happen. You just have to explain it to them, and eventually executives come around, however reluctantly.”
– IT Director in Real Estate Development and Operation
Case Study
A consulting company went so far as to place an executive from the business side of the organization in charge of the DR initiative in order to get buy-in for the project from both IT and the business. Due to his connections with other business stakeholders and the relevance of the project to IT, the executive was able to collect input from both sides and build the organization’s DR capabilities to the satisfaction of all involved.
Buy-in is not as elusive as you might imagine, but here are some tips just in case:
• Many organizations have found that simply explaining DR’s relevance to the business and the company’s survivability goes a long way in generating buy-in.
• If you have trouble getting buy-in from the business group, try focusing on one key individual. If you can win over a business leader and have them champion DR to the rest of the departments, then the process should be much smoother.
You can’t know which direction your organization should head in until you know where it stands.
Knowing what recovery infrastructure and systems are in place is the first step in understanding how your organization can improve recovery times. If you know what you currently have, then it’s much easier to identify what you still need. Moreover, a review of your organization’s resources may also identify what can be cut, and thereby save your organization from some unnecessary expenses.
Milestones on the Path to Understanding
What is IT currently doing?
Are there multiple data centers? How often is data backed up? What are the general practices around storing data and fixing technology problems?
Whether IT realizes it or not, aspects of DR might already be incorporated into their standard operating procedures.
How do these practices translate into measurable statistics?
Once IT recognizes what’s being done, it becomes a matter of recording how effective those practices are.
Recovery objectives, which are defined on slide 17, are a useful metric for determining effectiveness.
“Not having DR is like gambling on a game you are certain to lose long-term.”
- Director in Real Estate Property Management
Maybe you need to spend more time on DR. Here’s a tool to find out.
This tool will assist you in defining which areas of your DR plan are insufficient for your organizational needs.
“DRPs are never completed; they’re always drafts as far as I’m concerned.”
– IT Director in Real Estate Development and Operation
Answer a few simple questions in the “DR Recovery Objective Alignment and Cost Tool” and determine your organization’s current and recommended DR capability.
Evaluation of Current DR Capability
Question | Response
For a given system (and ultimately for all systems) can IT articulate its RTO and RPO? | Yes
For a given system (and ultimately for all systems) has the business provided their RTO/RPO expectation? | No
For a given system (and ultimately for all systems) has the business's RTO/RPO expectation been validated (backed by business and IT rationale)? | No
For a given system (and ultimately for all systems) are IT's and the business's figures in alignment? | No
Please specify how your organization's current DR capability is delivered. | Third Party
How many departments does your organization have? | 5
How many outages would you estimate your organization experiences a year? | 6
Approximately how many hours did each outage last? | 2
What's your annual revenue? | $25,000,000.00
What is your annual IT budget? | $1,000,000.00
What percent of your annual IT budget is spent on DR? | 5%
Which of the following operation schedules best matches your organization? | 8 hrs/day, 5 days/week
Purpose
This section is meant to collect some basic information concerning your organization's DR capabilities. Once you have completed the section, a suggestion should appear below advising you to either continue with the assessment of your DR capabilities or not.
Instructions
1) Please answer the following questions by either choosing the most appropriate option from the drop-down box or by filling in the space provided.
2) Read the suggestion that appears in the highlighted box. If you decide to continue with the assessment, then click over to the next tab.
Results
Yes. Based on your responses to our questions, we recommend you spend more time developing your organization's Disaster Recovery capabilities. For more information on how much time and how many resources, please refer to the "DRP Costing" tool. The business should have some idea of what RTOs and RPOs they want in order to know if the ones IT offers are at all close to what the organization needs. IT's objectives may be needlessly high, creating unnecessary expenses, or they may be too low, putting the company in jeopardy in the event of a disaster. If the business does not validate the RTOs and RPOs they set, then their objectives are no more than just guesswork. Some systems, while critical to the organization's operations, can be temporarily replaced by manual processes and therefore do not require really short RTOs. Other systems may cost a lot to back up, making the expense of a short RPO unjustifiable despite the cost of losing the data. The business must consider these factors when constructing their objectives in order to make sure they are valid requests. IT and business should have matching RTOs and RPOs. Misalignment between the two indicates that either IT needs to put more resources towards improving the organization's DR capabilities, business needs to make more realistic objectives, or there needs to be some compromise between the two.
RTO and RPO are the building blocks of DR
Recovery Time Objective, or RTO, is the amount of time an organization can afford to have its systems down (e.g. the organization's systems can be down no longer than one hour).
Recovery Point Objective, or RPO, is the point in time beyond which an organization cannot afford to lose information (e.g. the organization can afford to lose 24 hours of data/processing).
RTOs and RPOs are the metrics which set the level of your organization’s DR capability.
RTOs and RPOs vary depending on the needs of the organization and the criticality of the system/data they are relevant to; they can range from less than an hour to more than a week.
Info-Tech Insight: Off-site backup does NOT result in RTOs and RPOs of zero hours. Unless data is streamed to redundant facilities and simultaneously processed, outages can still occur.
Organizations care more about reducing data loss than restoring system operations
For most organizations, limiting data lost during a disaster is more important than minimizing downtime. This is likely because so much of a business’ day to day activities rely on the data.
It’s cheaper and easier to support longer recovery objectives. The percent of the yearly IT budget that is spent on DR decreases as RTOs and RPOs increase.
Shorter RTOs and RPOs provide greater protection, but at a greater cost. The inverse also applies.
When an organization decreases its RPOs and RTOs, it will need to increase its DR budget to procure and maintain more infrastructure and policies to support the new objectives.
When an organization decides it can afford to increase its RPOs and RTOs, it can decrease its DR budget because it needs to procure and maintain less infrastructure and create fewer policies to support the new objectives.
[Figure: timeline around the Disaster Point, with RPO markers at 1 week, 1 day and 1 hour and RTO markers at 1 week, 1 day and 1 hour. Required investment increases as RPO decreases; required investment increases as RTO decreases.]
“We must prepare for the worst and hope for the best, but it is a balancing act as to how much you spend on insurance.”
- Manager in Chemical Manufacturing
DR Wants and Needs: What Business Wants, What Business Needs
Even moderate business involvement will make DR projects much more time effective
In emergencies, organizations need to get critical systems up and running as fast as possible. The business side plays a key role in determining exactly which systems are critical, and which are secondary.
In the next stage of DR scoping, IT will create a high level DR budget. Knowing what the business side requires will allow IT to estimate their budgetary requirements for DR.
Business wants must still be validated to ensure that they are reasonable and that IT can deliver on them.
Knowing IT’s DR capabilities is only part of proper DR scoping. The next step is knowing what DR capabilities the business wants.
“A balance is needed between spend and potential impact - this depends on business criticality and so it is entirely down to the business leaders to decide. IT can assist in optimizing the DR solution so resources aren’t wasted.”
- Manager in Other Services
The Business Impact Assessment is an important step in building proportionate DR capabilities
Business Impact Assessments (BIA) gauge the approximate costs and frequency of system downtime. Systems are then prioritized in terms of criticality, allowing organizations to focus attention and resources where they will be best spent. BIAs should be done before attempting to create any DR capabilities.
“We looked at descriptions of the divisions, what applications were used within them, and how they broke themselves down in regards to criticality with timeframes listing their priorities. We didn’t worry about price at this point; it was just a matter of determining the levels of importance.”
- Senior Technical Support Specialist in the Government
[Diagram labels: DR; Current RTO; Current RPO; RTO that Bus. wants; RPO that Bus. wants; BIA; RTO that Bus. needs; RPO that Bus. needs]
BIAs help the business side determine what DR capabilities they actually need
How is the BIA used?
The BIA is used to help the business and IT determine the potential annual financial risks due to downtime.
The RTOs and RPOs that the business wants may be unreasonably expensive to support, requiring DR costs that significantly outweigh the potential downtime costs per year. The BIA provides the facts that enable the business and IT to reach consensus.
By determining the ideal RPOs and RTOs for the organization, IT can then begin the budget setting process for the DR project.
“People who haven’t created a DRP are just one disaster away from making the change.”
- Director in Consulting
Case Study
The business side of an organization wanted very low recovery objectives, all within one hour of a disaster. These recovery objectives would require the organization to make an initial investment of $1,000,000 to increase its infrastructure and pay annual maintenance expenses of $100,000. IT felt that the business’ expectations were too high and that recovery objectives within 8 hours were more suitable with an initial investment of $250,000 and an annual cost of $30,000.
IT performed a BIA and the business’ approximate losses per year due to downtime amounted to $60,000. With this information, IT was able to show the business that recovery objectives of less than an hour were not needed or financially justifiable for the organization.
The Business Impact Analysis tool is a fast way of figuring out how much downtime is costing you
You have read about the ways in which downtime can cost your organization money. The next step is to calculate how much money your organization actually loses to downtime.
In the “DR Recovery Objective Alignment and Cost Tool”, the “Business Impact Analysis” tab will tell you what kind of annual losses you can expect due to downtime, which will then be compared to the amount spent on DR. A large difference indicates there is a need for change.
Business Impact Analysis
Financial Cost Factors | Definition | Enter Estimated Dollar Costs from These Factors
Loss of Revenue Per Day | If the organization is unable to sell product or fulfill orders due to the business unit being down, then the organization is losing revenue. This could be the result of an interruption in the shipping process or of the channel through which sales are made (building, website, etc) being inaccessible to customers. | $125,000.00
Loss of Productivity Per Day | The system is down, causing a production shift to stand around or "make work" to keep busy rather than doing their normal jobs. Order entry staff can’t take orders if the phones are down or their online systems aren’t available. Production staff can’t produce the product if the production line isn’t functioning. Since staff still have to be paid, this time is considered a loss. | $45,000.00
Increased Operating Costs Per Day | If additional work has to be done in order to make up for lost time, then operating costs, such as utility costs, are likely to increase. These expenses are separate from labor and have more to do with keeping the company open longer or working at a higher capacity. | $10,000.00
Increased Labor Costs Per Day | Any additional work is going to require additional labor. This could be in the form of overtime shifts or extra workers during regular shifts. Whatever the case, expenses are going to increase and the organization is going to have to pay for these incremental costs. | $0.00
Total Dollar Impact
Projected Outage Costs Per Day | $180,000.00
Total Projected Outage Costs Per Year | $270,000.00
DR Spend Per Year | $50,000.00
Purpose
Used to identify the approximate cost of downtime in a 24 hour period and over a year.
Instructions
1. Complete this tool by entering in the estimated dollar costs per 24 hour period for each of the factors in the white cells below. Refer to the definitions for any clarification needed.
2. Your answers will be totaled in "Total Financial Impact" section below, an analysis of how appropriate your current DR spend is will also be presented (this does not factor RTOs and RPOs into the calculation).
Total Financial Impact
Your current spend on DR is significantly lower than your financial risks from downtime. You may be under spending on your DR capability.
While bigger budgets might not guarantee shorter RPOs and RTOs, they do raise DR satisfaction
Organizations that have dedicated a larger percent of their IT budget to DR were 44% more likely to have been more satisfied with their performance during an actual disaster than those with smaller DR budget percentages.
The organizations with larger budget percentages were also 33% more likely to reach their RTOs and RPOs than less DR-endowed organizations.
Explain the costs associated with DR so the business can make informed decisions
Costs associated with Disaster Recovery:
1) Infrastructure investments (ranging from new hardware to redundant data centers)
2) Software investments
3) Training for IT staff
4) Cost of educating and training end users
5) Testing
6) Modifications to plan (to reflect any organizational changes, changes to software, infrastructure and business needs)
[Diagram labels grouping the list: One Time Costs; Ongoing Costs]
“One thing we’re only now realizing is the cost of the ripple effect. Controlling the costs of both a primary and secondary location, with data in both that needs to be aligned, can add up.”
- Manager of IT in Public Services
Despite feeling satisfied, survey results showed that organizations that dedicated a larger percent of their IT budget to DR actually had longer RPO and RTO averages, 35 hours and 44 hours respectively, than organizations that dedicated smaller percentages to DR, which had an RPO average of 25 hours and an RTO average of 32 hours. This goes to show that how money is spent is more important than how much money is spent.
Aligning IT and Business: Balancing Costs, Achieving the Compromise
Misalignment between IT’s current capabilities and the business’ validated needs is a fixable problem
If IT’s RPOs and RTOs are higher than the business’ needs, then the organization is incurring a needless expense.
If IT’s RPOs and RTOs are lower than business’ needs, then the organization is still very vulnerable.
Often, IT will not have a DR budget big enough to meet all of the business’ DR needs. In those cases, IT and the business will have to work together to find the balance which, while not ideal, is good enough. Once business and IT have decided on the organization’s RPOs and RTOs, IT must determine what resources will be required; these include time, skills and money (for upfront and ongoing costs).
“In our industry and IT sector, crisis happens anytime. Having a workable DR that can be executed within the aligned time that the business group agreed with IT, we can manage our expectation with our stakeholders and allocate resources to identify problems and resume business operation if gaps happen.”
- Supervisor in Air Transportation
Until IT and the business have agreed on DR goals, work cannot start on improving DR capabilities
The Cycle of Alignment
Aligning IT and the business’ RTOs and RPOs can be a difficult task. Companies generally rotate through three phases before they can actually begin to create a DR Capability. Avoid getting stuck in the cycle.
Minimize the time spent on aligning IT and the business’ wants to expedite the process. Ensure that the business and IT keep the lines of communication open and that both parties are willing to hear each other’s opinions.
Healthy Debate
It is critical to keep the business side involved in forming the final RTOs and RPOs, though finding a set you both agree on may not be the easiest task.
Accept or Reject
Once the budget has been drafted and IT has an idea of what is attainable, share the knowledge once more with the business side. Once they see the realities available to them, they may want to re-think some of their decisions.
Establish Budget/Costs
DR cannot be gifted with infinite resources, so organizations must put the resources that are available to their best use. Review the list of priorities the business side has generated and the options currently open to the organization and then distribute the budget in proportion to goals.
Begin Building DR
Once the situation is understood and the details are agreed upon, the real work will finally begin.
Use Info-Tech’s “Ideal RPO and RTO Calculator” tool to align your organization’s recovery objectives
IT can provide a set of RPOs and RTOs, and business wants another set of RPOs and RTOs, but what set does the organization need?
This is not a rhetorical question; use Info-Tech’s tool to find an answer.
Use the “Comparison of Business and IT Recovery Objectives” tab. Enter both IT’s and the business’ RTOs and RPOs, examine the comparison, and then enter the compromise.
Comparison of Business and IT Recovery Objectives
# | Department | Weighting | Current IT RTO (hours) | Current IT RPO (hours) | RTO that Business Wants (hours) | RPO that Business Wants (hours) | RTO Comparison | RPO Comparison
1 | Marketing | 20% | 4-7 hours | 4-7 hours | 2-3 hours | 1 hour | This department's RTO is being under-delivered by IT according to what the business wants. | This department's RPO is being under-delivered by IT according to what the business wants.
2 | Finance | 20% | 8-23 hours | 8-23 hours | 4-7 hours | 2-3 hours | This department's RTO is being under-delivered by IT according to what the business wants. | This department's RPO is being under-delivered by IT according to what the business wants.
3 | Human Resources | 20% | 4-7 hours | 4-7 hours | 8-23 hours | 8-23 hours | This department's RTO is being over-delivered by IT according to what the business wants. | This department's RPO is being over-delivered by IT according to what the business wants.
4 | Sales | 20% | 2-3 hours | 2-3 hours | 1 hour | 1 hour | This department's RTO is being under-delivered by IT according to what the business wants. | This department's RPO is being under-delivered by IT according to what the business wants.
5 | Customer Service | 20% | 4-7 hours | 8-23 hours | 2-3 hours | 2-3 hours | This department's RTO is being under-delivered by IT according to what the business wants. | This department's RPO is being under-delivered by IT according to what the business wants.
Purpose
The purpose of this section is to record the RTOs and RPOs that IT can provide and that the business wants for every department. These recovery objectives are compared to each other and to data collected from comparable companies in order to suggest the most suitable average RTO and RPO that matches the current DR spend.
Instructions
1) Fill in the blank spaces in the "Current IT Recovery Objectives" columns with the RTOs and RPOs that IT can provide for each department.
2) Fill in the blank spaces in the "Recovery Objectives that the Business Wants" columns with the RTOs and RPOs that the business wants for each department.
3) Review where the gaps exist between what IT is offering and what the business wants.
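The gap review in step 3 can also be scripted. The following is an added example, not Info-Tech's tool or its formulas. The bucket ordering and the weighting rule (a weighted mean of each range's lower bound, mapped back to a range) are assumptions; that rule was chosen because it yields the weighted values reported on the cost tab (4-7 hours for IT, 2-3 hours for the business).

```python
# Added example: RTO/RPO gap analysis over the department table above.
# Buckets are the hour ranges used in the table, ordered fastest to slowest.
BUCKETS = ["1 hour", "2-3 hours", "4-7 hours", "8-23 hours"]
LOWER = {"1 hour": 1, "2-3 hours": 2, "4-7 hours": 4, "8-23 hours": 8}

# (department, weight, IT RTO, IT RPO, business RTO, business RPO), from the table.
ROWS = [
    ("Marketing", 0.20, "4-7 hours", "4-7 hours", "2-3 hours", "1 hour"),
    ("Finance", 0.20, "8-23 hours", "8-23 hours", "4-7 hours", "2-3 hours"),
    ("Human Resources", 0.20, "4-7 hours", "4-7 hours", "8-23 hours", "8-23 hours"),
    ("Sales", 0.20, "2-3 hours", "2-3 hours", "1 hour", "1 hour"),
    ("Customer Service", 0.20, "4-7 hours", "8-23 hours", "2-3 hours", "2-3 hours"),
]

def compare(it, wanted):
    """Classify what IT provides against what the business wants."""
    gap = BUCKETS.index(it) - BUCKETS.index(wanted)
    if gap > 0:
        return "under-delivered"  # IT's objective is longer than the business wants
    if gap < 0:
        return "over-delivered"   # IT's objective is shorter than the business wants
    return "aligned"

def weighted_bucket(pairs):
    """Assumed rule: weighted mean of bucket lower bounds, mapped back to a bucket."""
    if abs(sum(w for w, _ in pairs) - 1.0) > 1e-9:
        raise ValueError("department weightings must sum to 100%")
    mean = sum(w * LOWER[b] for w, b in pairs) + 1e-9  # guard float rounding
    return max((b for b in BUCKETS if LOWER[b] <= mean), key=LOWER.get)

def gap_report(rows):
    """Return per-department (RTO, RPO) verdicts and the four weighted objectives."""
    verdicts = {d: (compare(irto, brto), compare(irpo, brpo))
                for d, _, irto, irpo, brto, brpo in rows}
    names = ["it_rto", "it_rpo", "business_rto", "business_rpo"]
    weighted = {n: weighted_bucket([(r[1], r[i + 2]) for r in rows])
                for i, n in enumerate(names)}
    return verdicts, weighted

if __name__ == "__main__":
    verdicts, weighted = gap_report(ROWS)
    for dept, (rto, rpo) in verdicts.items():
        print(f"{dept}: RTO {rto}, RPO {rpo}")
    print(weighted)
```
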
Companies generally miscalculate the percent of their IT budget that will be spent on DR. According to our survey, actual costs average 30% more than organizations predict. Use this tool to determine the percent of the IT budget your organization should invest in DR.
Use the “Cost of Maintaining Recovery Objectives” tab to align your organization’s objectives
Costs of Maintaining Recovery Objectives
Current Spend on DR is 5% of annual IT Budget

| Scenario | Weighted RPO | Weighted RTO | In-house | Third Party | Co-Location |
|---|---|---|---|---|---|
| Initial IT Capability | 4-7 hours | 4-7 hours | 2.78% | 5.00% | 2.50% |
| Initial Requests by Business | 2-3 hours | 2-3 hours | 9.00% | 16.20% | 8.10% |
| Recommended Recovery Objectives Based on Current Losses Due to Downtime from BIA Calculations | 1 hour | 1 hour | 12.00% | 21.60% | 10.80% |

Initial IT Capability: If the organization wanted to deploy their DR capability through another channel while maintaining their current recovery objectives they would have to spend the following percents of their IT budgets on DR.
Initial Requests by Business: If the organization wanted to deploy their DR capability through another channel while offering the recovery objectives that the business wants they would have to spend the following percents of their IT budgets on DR.
Recommended Recovery Objectives: Based on the yearly financial losses projected in the BIA, the organization's ideal DR spend would vary as follows (please be advised that these suggestions are the "ideal" spends, IT and the business still need to decide if these are appropriate or financially feasible).
Purpose
This reporting page summarizes the costs associated with the recovery objectives that IT provides, those that the business wants and the recovery objectives that best match the current spend on DR.
Instructions
1) Review this sheet and present these findings along with the business impact analysis to the business side. Try to reach a consensus on the recovery objectives that best suit the organization's needs.
2) Use the following tab to record these aligned recovery objectives.
Summary
The next phase of the DR project is the actual planning.
It is time to get down to the details, answering questions like:
Will your organization create its disaster recovery plan (DRP) in-house or will it outsource the creation?
• If you decide to take the in-house route, it might help to know that 75% of organizations create their plans in-house and, on average, plans take 9 months to complete.
• If you decide to outsource, it might help to know that outsourcing plans is expensive, costing anywhere from $20,000 to hundreds of thousands of dollars.
What facilities will your organization use for the DRP’s continual support?
• After you have built your organization’s DR capability, you still need to sustain it. Determine if your DR capability should be hosted in-house, through a third party, or through a co-location facility.
You have an idea of your goals and your budget, but you still need to decide where exactly you will be spending your time and money in order to make those goals a reality. Refer to the Appendix for more information on how an actual DRP can be broken down.
In this deck, you have:
• assessed your organization’s current DR capabilities,
• obtained the business’ priorities,
• kept the business involved while IT balanced their wants and their costs, arriving at the organization’s needs,
• and learned the approximate budget those DR objectives require.
These are the steps all organizations need to take when scoping their appropriate DR capabilities; follow them to lead your company to stable ground.
Case Studies
Building the DR Capability; Continually Improving DR; Maintaining DR Capability
Public Services organization begins to build its DR
Current DR Capability
• The organization is only beginning to create its Disaster Recovery capabilities.
• The organization has seventeen locations it needs to maintain and one of its main priorities is to ensure that they all remain connected during an emergency.
• They brought in a consultant to do a BIA and help establish DR objectives for each system.
• Though they have just begun, they have already established an RPO of the previous night and an RTO of the next day for their most critical system.
Company Profile at a Glance
Industry: Public Services
DR Vendors: Combination of third-party and in-house.
Cost: 5%-10% of IT budget
Business Involvement in DR Capability
• The business side was very involved in the creation of the organization’s DR capabilities.
• The DR project actually sprang out of the BC project the business side was doing at the time.
DR Capability Put to the Test
• No real disasters as of yet, but they will continue to prepare for the worst.
DR Planning Experiences
• Vendors don’t always deliver on what they claim to be offering. Costs can add up fast on these kinds of projects if you don’t have a clear idea of what you want and how you are going to get it, and that goes double for when you’re dealing with vendors.
Government agency continually improves DR capability
Current DR Capability
• Disaster Recovery is formally documented in the agency. There are binders at the DR site and with each of the managers. The DR plan also resides on an internal website for all staff to access.
• The current plan focuses on IT and business infrastructure. The next iterations of the plan will include more aspects of the business.
• The DR plan is tested rigorously every year. Also, when applications are reconfigured or new applications are acquired, tests are performed to ensure that no other parts of the DRP are affected.
Company Profile at a Glance
Industry: Government
DR Vendors: SunGard for BIA; actual DR creation was in-house
Cost: $10M-$15M
Business Involvement in DR Capability
• The business was heavily involved in creating the Disaster Recovery capability in the organization.
• IT did not have to coerce the business to participate in the DR exercise.
DR Capability Put to the Test
• The current DR plan has gone through one real-life test. An application was lost and the DR plan needed to be enacted in order to get the application running again.
DR Planning Experiences
• The current DR capability is regarded as being 40% done; it has taken 5 years and $5-10 million to get this far. The agency estimates that the plan will take another 5 years and $5-10 million to complete.
Consulting company knows how to maintain its DR capabilities
Current DR Capability
• Disaster Recovery is formally documented both in binders and electronically.
• The DR plan is thoroughly tested in all kinds of ways. They have done simple tabletop tests, more complicated simulation tests, and even an actual recovery test.
• Different recovery objectives have been set depending upon the criticality of the systems; objectives range from two weeks to instantaneous recovery (through mirroring).
Company Profile at a Glance
Industry: Consulting
DR Vendors: Created in-house, but supported on-site and off-site
Cost: $50,000/year
Business Involvement in DR Capability
• The business side was involved in the DR creation as soon as DR’s importance was explained to them in relatable terms.
DR Capability Put to the Test
• Before they built their DR capabilities, the organization had a power outage. They lost connectivity to the outside world and failover didn’t turn on. That’s what inspired them to improve their DR. Now, the organization goes through outages unaffected.
DR Planning Experiences
• Make sure you know your objectives and priorities when building your DR capabilities, and don’t get tied up in all the little details. When you are talking about disaster recovery, you’re talking about survival, not about getting everything perfect.
Need additional support? Info-Tech goes beyond just providing research: You can either speak directly with an analyst or advisor and/or evaluate on-site consulting services to help your team achieve results.
E-mail our Advisory Team to find out how we have helped other clients and get your Disaster Recovery initiative started today!
Our Consulting & Advisory Services
Trigger Point: The Basics
• The Definition: Establishing common understanding
• Disaster Recovery vs. Business Continuity: Clarification of scope and responsibilities
• The Value: Business case development
Trigger Point: Current DR Capabilities
• What IT Provides: Assessing your IT Capability: DR Recovery Objective Alignment & Cost Tool
Trigger Point: DR Wants & Needs
• Business Buy-In: Fostering Organizational Awareness and Readiness
• What Business & IT Want: Business Impact Assessment
Trigger Point: Aligning IT & Business
• What Business & IT Need: DRBC Organizational Prioritization
• Balancing Costs: Commitment on Budget for DRBC Priority Areas
• Achieving Compromise: Executive Roadmap & Timeline
What are the components of a disaster recovery plan?
DRPs can be split into two main parts: Strategic and Tactical
The Strategic Components
1. Disaster Recovery Policies & Management Procedures
2. Disaster Recovery Time Objectives (RTO) & Recovery Point Objectives (RPO)
3. Disaster Recovery Goals, Assumptions, & Strategies
4. Disaster Recovery Communications Plan
5. Disaster Recovery Team Roles & Responsibilities
6. Disaster Assessment Procedures
7. Disaster Declaration Authority & Declaration Procedures
8. DR Command Center & Recovery Logistics Management
The Tactical Components
1. Disaster Recovery Technical Overview
2. Vendor & Corporate Contacts
3. “How To” Recovery Procedures for “Critical” Services, Systems, & Data
4. Security Incident Response Procedures
5. “Return to Normal Operations” Procedures