
Right size enterprise disaster recovery plans

Date post: 15-Jul-2015
Upload: info-tech-research-group

Practical IT Research that Drives Measurable Results

Right-Size Enterprise Disaster Recovery Capabilities

Info-Tech Research Group

Executive Summary

• All organizations need some form of DR capabilities, or procedures and systems in place to lead them back to operations after a disaster.

• Your organization must establish the DR it has, the DR it wants, and the DR it needs. Info-Tech has looked at what other companies have done and will provide you with the do’s and don’ts when tackling DR:

• Measure your organization’s current DR capabilities

• Get business buy-in to establish appropriate DR priorities

• Separate DR wants from DR needs

• Set relevant and realistic objectives for your organization’s DR capabilities

• Plan for the cost of realizing your chosen DR objectives

• All DR scoping projects comprise three phases. Move through these phases in a timely manner to reduce the time spent on planning your DR capability:

1. Determine the current DR capability which IT can provide

2. Know what DR capabilities the business wants

3. Align the business’ and IT’s DR priorities

Introduction


• All companies have some form of Disaster Recovery (DR) capability in place whether they realize it or not. Depending on the size and needs of the company, DR capabilities can range from having an employee backing up the company’s files once a month to having a fully documented and tested plan in place.

• If the IT and the business side of an organization are in alignment with their DR desires, needs, and priorities, then the current plan may be well-suited to the organization. However, organizations rarely have proper DR capabilities in place.

• Many organizations make the mistake of having inappropriate DR capabilities. Having too much DR capability means the organization is overspending and having too little means the organization is still vulnerable in the event of a disaster. Make sure that DR capability is a good fit with the organization’s actual needs.

• It is often hard to settle on what amount of DR capability your organization needs. This solution set will walk you through the right-sizing phase of your DR project quickly and will address all the relevant areas:

• The Basics
• Current DR Capabilities
• DR Wants and Needs
• Aligning IT and Business
• Case Studies

• Once the organization’s appropriate DR objectives are agreed upon, IT can begin planning their development.

The Basics: The Definition, The Value, DR vs. BC

Without some level of DR capability, the odds are overwhelming that your business won’t survive a disaster

DR concerns the safety and restoration of an organization’s technology infrastructure in the event of a disaster. There should be some level of disaster recovery in place at every organization. DR will return the business to normal operations after anything from a natural disaster to a serious security breach.

DR focuses on the recovery of IT services, systems, data facilities and staff.

[Diagram: Disaster Recovery, covering IT Staff, IT Services, IT Systems, IT Data Facilities]

Research shows:

• 6% of companies which suffer a catastrophic data loss recover and survive,
• 43% never reopen,
• 51% close within two years of reopening.

Source: University of Texas

Disaster Recovery focuses on IT, Business Continuity concerns the entire company. Don’t confuse the two.

DR and BC initiatives should complement each other; a good DR plan relies on a good BC plan and vice versa. Ensure that the DR and BC teams work closely together to ensure success.

For more information on the differences between DR and BC, please refer to the note, “Draw the Line Between Disaster Recovery and Business Continuity.”

Business Continuity

• A set of procedures that organizations can adopt in an effort to minimize the impact that an outage has on all aspects of a business

• Incorporates organizational and human resources issues such as communications plans and crisis management

• The business side of an organization is responsible for its Business Continuity

Disaster Recovery

• A subset of BC that addresses the IT elements of continuity such as data, application, and infrastructure recovery

• Reactionary set of procedures that take place once a disaster has struck

• The IT side of an organization is responsible for its DR

Organizations attribute their failure to develop disaster recovery capabilities to multiple factors

“3 blind monkeys - haven't seen a disaster, won't hear of a disaster, refuse to talk of a disaster. Strong plans have existed and been undermined over time due to lack of executive support. Some departments have maintained robust procedures, yet others are becoming weak links.”
- Manager in Publishing Industry

“The organization didn't have an IS executive in place and it wasn't considered a company priority until recently.”
- VP in Wireless Telecom Carriers

Organizations listed business buy-in, time, and money as the main reasons why they had yet to develop their disaster recovery capabilities.

“Cost and always something else to do…”
- VP in Public Administration

Without organizational buy-in for DR, it is easy to let it fall off the organization’s list of priorities and limit the time and money available to the project.

Disasters are not just tornadoes and earthquakes; a simple power outage can have catastrophic effects on organizations if they lose a month’s worth of data.

Organizations often think of the “disaster” in disaster recovery as an unlikely and far off event. Prioritizing DR becomes an issue because the organization thinks of it as planning for fiction rather than for reality.

No matter how lucky you are, disasters occur. Everyone is vulnerable and can benefit from some preparation.

DR only becomes useful when all else has gone horribly wrong.

It would be best for an organization if the value of its DR capabilities is never truly realized. However, having DR ensures that an organization can (and knows how to) survive a disaster. If an organization invests a little now, it won’t lose nearly as much later.

Unless you live in an impenetrable bubble, you will benefit from DR.

Every organization that operates on the planet is at risk from one type of disaster or another. An organization will find DR valuable whenever the cost of losing its IT operations is greater than the cost of creating and maintaining its DR capabilities.

“It’s a relatively cheap insurance policy.”
- Director in Consulting

“In business, the disaster isn't the act of God or fire that destroys property, but the loss of data and the inability to continue operations - THAT is the business disaster.”
- Manager in the Publishing Industry

Downtime costs money. If you know how much, then you know how urgently the organization must avoid it.

What costs are relevant, and to what degree they impact the organization, is dependent upon the specific system that is down and its function within the business.

There are several ways in which downtime may cost your organization money:

Loss of Revenue

If the organization is unable to sell product or fulfill orders, then it is losing revenue. This could be the result of an interruption in the shipping process or of the channel through which sales are made (building, website, etc.) being inaccessible to customers.

Loss of Productivity

The system is down, causing a production shift to stand around or "make work" to keep busy rather than doing their normal jobs. Since staff still have to be paid, this time is considered a loss.

Increased Operations Costs

If additional work has to be done in order to make up for lost time, then operating costs, such as utility costs, are likely to increase. These expenses are separate from labor and have more to do with keeping the company open longer or working at a higher capacity.

Increased Labor Costs

Any additional work is going to require additional labor. This could be in the form of overtime shifts or extra workers during regular shifts. Whatever the case, expenses are going to increase and the organization is going to have to pay for these incremental costs.


There are three stages in DR Scoping; each is driven by a different group of stakeholders

Step 1: Assess Current IT Capabilities

• Prior to creating DR capabilities, know what degree of DR capability IT currently has.

• Know when IT can bring systems back online and to what point IT can recover data.

• Understand the infrastructure that is currently used to support recovery abilities.

• Once you know what resources IT currently has, it’s easier to identify potential areas that should be developed or cut in later steps.

Step 2: Establish and Validate the Business’ Wants

• The business side needs to be able to define when it wants systems back online and to what point it wants data recovered.

• The validity of these wants can be established by asking these questions:

• What systems are most important to the business?

• Are there manual processes which can temporarily replace these systems?

• How much does downtime cost the business?

Step 3: Aligning IT’s Capabilities and the Business Needs

• Ensure that what IT provides and what the business side wants are aligned.

• Avoid discrepancies between the two groups; negotiate to find the right compromise.

• IT should be able to explain the costs of attaining various objectives.

• The business side should be able to explain the potential downtime costs various objectives are meant to prevent.

• Once both sides of the puzzle are understood, the organization can settle on a balance.

Current DR Capabilities: What IT Provides, Business Buy-In

All organizations have some form of DR capability; determine if you need to spend more time on DR

If the answer to any of the questions above is "No", your organization needs to spend more time on DR.

The “DR Recovery Objective Alignment and Cost Tool” will walk you through these questions and help you determine if you need to spend more time on DR.

The legend below appears on the slides ahead to remind you of where you are in the DR scoping process.

Knowing IT’s existing ability to withstand and recover from disaster provides a baseline from which all future DR enhancements and/or downgrades can be made.

The business needs to be able to communicate the amount of time and data it can afford to lose in the event of a disaster in order to establish an initial target for DR improvements.

Business desires must be validated by balancing potential downtime losses with the cost of enhanced DR capabilities.

IT and the business must ensure that capabilities are aligned with requirements and that budgets are reasonable and can be achieved.

Business buy-in should be collected throughout the project; it is crucial for establishing proper DR goals

• Without understanding where the business’ needs begin and end, IT will be blindly assembling disaster recovery objectives.

• The organization will either waste money on unneeded DR or won’t be fully prepared for disasters.

“We absolutely had difficulty getting buy-in, no one has time for something that may never happen. You just have to explain it to them, and eventually executives come around, however reluctantly.”
– IT Director in Real Estate Development and Operation

Case Study

A consulting company went so far as to place an executive from the business side of the organization in charge of the DR initiative in order to get buy-in for the project from both IT and the business. Due to his connections with other business stakeholders and the relevance of the project to IT, the executive was able to collect input from both sides and build the organization’s DR capabilities to the satisfaction of all involved.

Buy-in is not as elusive as you might imagine, but here are some tips just in case:

• Many organizations have found that simply explaining DR’s relevance to the business and the company’s survivability goes a long way in generating buy-in.

• If you have trouble getting buy-in from the business group, try focusing on one key individual. If you can win over a business leader and have them champion DR to the rest of the departments, then the process should be much smoother.

You can’t know which direction your organization should head in until you know where it stands.

Knowing what recovery infrastructure and systems are in place is the first step in understanding how your organization can improve recovery times. If you know what you currently have, then it’s much easier to identify what you still need. Moreover, a review of your organization’s resources may also identify what can be cut, and thereby save your organization from some unnecessary expenses.

Milestones on the Path to Understanding

What is IT currently doing?

Are there multiple data centers? How often is data backed up? What are the general practices around storing data and fixing technology problems?

Whether IT realizes it or not, aspects of DR might already be incorporated into their standard operating procedures.

How do these practices translate into measurable statistics?

Once IT recognizes what’s being done, it becomes a matter of recording how effective those practices are.

Recovery objectives, which are defined on slide 17, are a useful metric for determining effectiveness.

“Not having DR is like gambling on a game you are certain to lose long-term.”
- Director in Real Estate Property Management

Maybe you need to spend more time on DR. Here’s a tool to find out.

This tool will assist you in defining which areas of your DR plan are insufficient for your organizational needs.

“DRPs are never completed; they’re always drafts as far as I’m concerned.”
– IT Director in Real Estate Development and Operation

Answer a few simple questions in the “DR Recovery Objective Alignment and Cost Tool” and determine your organization’s current and recommended DR capability.

Evaluation of Current DR Capability

Purpose

This section is meant to collect some basic information concerning your organization's DR capabilities. Once you have completed the section, a suggestion should appear below advising you to either continue with the assessment of your DR capabilities or not.

Instructions

1) Please answer the following questions by either choosing the most appropriate option from the drop-down box or by filling in the space provided.

2) Read the suggestion that appears in the highlighted box. If you decide to continue with the assessment, then click over to the next tab.

Question | Response
For a given system (and ultimately for all systems) can IT articulate its RTO and RPO? | Yes
For a given system (and ultimately for all systems) has the business provided their RTO/RPO expectation? | No
For a given system (and ultimately for all systems) has the business's RTO/RPO expectation been validated (backed by business and IT rationale)? | No
For a given system (and ultimately for all systems) are IT's and the business's figures in alignment? | No
Please specify how your organization's current DR capability is delivered. | Third Party
How many departments does your organization have? | 5
How many outages would you estimate your organization experiences a year? | 6
Approximately how many hours did each outage last? | 2
What's your annual revenue? | $25,000,000.00
What is your annual IT budget? | $1,000,000.00
What percent of your annual IT budget is spent on DR? | 5%
Which of the following operation schedules best matches your organization? | 8 hrs/day, 5 days/week

Results

Yes. Based on your responses to our questions, we recommend you spend more time developing your organization's Disaster Recovery capabilities. For more information on how much time and how many resources, please refer to the "DRP Costing" tool. The business should have some idea of what RTOs and RPOs they want in order to know if the ones IT offers are at all close to what the organization needs. IT's objectives may be needlessly high, creating unnecessary expenses, or they may be too low, putting the company in jeopardy in the event of a disaster. If the business does not validate the RTOs and RPOs they set, then their objectives are no more than just guesswork. Some systems, while critical to the organization's operations, can be temporarily replaced by manual processes and therefore do not require really short RTOs. Other systems may cost a lot to back up, making the expense of a short RPO unjustifiable despite the cost of losing the data. The business must consider these factors when constructing their objectives in order to make sure they are valid requests. IT and business should have matching RTOs and RPOs. Misalignment between the two indicates that either IT needs to put more resources towards improving the organization's DR capabilities, business needs to make more realistic objectives, or there needs to be some compromise between the two.

RTO and RPO are the building blocks of DR

Recovery Time Objective, or RTO, is the amount of time an organization can afford to have its systems down (e.g. the organization's systems can be down no longer than one hour).

Recovery Point Objective, or RPO, is the point in time beyond which an organization cannot afford to lose information (e.g. the organization can afford to lose 24 hours of data/processing).

RTOs and RPOs are the metrics which set the level of your organization’s DR capability.

RTOs and RPOs vary depending on the needs of the organization and the criticality of the system/data they are relevant to; they can range from less than an hour to more than a week.

Info-Tech Insight:

Off-site backup does NOT result in RTOs and RPOs of zero hours. Unless data is streamed to redundant facilities and simultaneously processed, outages can still occur.

Organizations care more about reducing data loss than restoring system operations

For most organizations, limiting data lost during a disaster is more important than minimizing downtime. This is likely because so much of a business’ day-to-day activities rely on the data.

It’s cheaper and easier to support longer recovery objectives. The percent of the yearly IT budget that is spent on DR decreases as RTOs and RPOs increase.

Shorter RTOs and RPOs provide greater protection, but at a greater cost. The inverse also applies.

When an organization decreases its RPOs and RTOs, it will need to increase its DR budget to procure and maintain more infrastructure and policies to support the new objectives.

When an organization decides it can afford to increase its RPOs and RTOs, it can decrease its DR budget because it needs to procure and maintain less infrastructure and create fewer policies to support the new objectives.

[Chart: timeline around the Disaster Point, with RPOs of 1 week, 1 day and 1 hour before it and RTOs of 1 week, 1 day and 1 hour after it. Required investment increases as RPO decreases; required investment increases as RTO decreases.]

“We must prepare for the worst and hope for the best, but it is a balancing act as to how much you spend on insurance.”
- Manager in Chemical Manufacturing

DR Wants and Needs: What Business Wants, What Business Needs

Even moderate business involvement will make DR projects much more time effective

Knowing IT’s DR capabilities is only part of proper DR scoping. The next step is knowing what DR capabilities the business wants.

In emergencies, organizations need to get critical systems up and running as fast as possible. The business side plays a key role in determining exactly which systems are critical, and which are secondary.

In the next stage of DR scoping, IT will create a high level DR budget. Knowing what the business side requires will allow IT to estimate their budgetary requirements for DR.

Business wants must still be validated to ensure that they are reasonable and that IT can deliver on them.

“A balance is needed between spend and potential impact - this depends on business criticality and so it is entirely down to the business leaders to decide. IT can assist in optimizing the DR solution so resources aren’t wasted.”
- Manager in Other Services

The Business Impact Assessment is an important step in building proportionate DR capabilities

Business Impact Assessments (BIA) gauge the approximate costs and frequency of system downtime. Systems are then prioritized in terms of criticality, allowing organizations to focus attention and resources where they will be best spent. BIAs should be done before attempting to create any DR capabilities.

“We looked at descriptions of the divisions, what applications were used within them, and how they broke themselves down in regards to criticality with timeframes listing their priorities. We didn’t worry about price at this point; it was just a matter of determining the levels of importance.”
- Senior Technical Support Specialist in the Government

[Diagram: DR; Current RTO and Current RPO; RTO and RPO that Bus. wants; BIA; RTO and RPO that Bus. needs]

BIAs help the business side determine what DR capabilities they actually need

How is the BIA used?

The BIA is used to help the business and IT determine the potential annual financial risks due to downtime.

The RTOs and RPOs that the business wants may be unreasonably expensive to support, requiring DR costs that significantly outweigh the potential downtime costs per year. The BIA provides the facts that enable the business and IT to reach consensus.

By determining the ideal RPOs and RTOs for the organization, IT can then begin the budget setting process for the DR project.

“People who haven’t created a DRP are just one disaster away from making the change.”
- Director in Consulting

Case Study

The business side of an organization wanted very low recovery objectives, all within one hour of a disaster. These recovery objectives would require the organization to make an initial investment of $1,000,000 to increase its infrastructure and pay annual maintenance expenses of $100,000. IT felt that the business’ expectations were too high and that recovery objectives within 8 hours were more suitable with an initial investment of $250,000 and an annual cost of $30,000.

IT performed a BIA and the business’ approximate losses per year due to downtime amounted to $60,000. With this information, IT was able to show the business that recovery objectives of less than an hour were not needed or financially justifiable for the organization.

The Business Impact Analysis tool is a fast way of figuring out how much downtime is costing you

You have read about the ways in which downtime can cost your organization money. The next step is to calculate how much money your organization actually loses to downtime.

In the “DR Recovery Objective Alignment and Cost Tool”, the “Business Impact Analysis” tab will tell you what kind of annual losses you can expect due to downtime, which will then be compared to the amount spent on DR. A large difference indicates there is a need for change.

Business Impact Analysis

Purpose

Used to identify the approximate cost of downtime in a 24 hour period and over a year.

Instructions

1. Complete this tool by entering the estimated dollar costs per 24 hour period for each of the factors in the white cells below. Refer to the definitions for any clarification needed.

2. Your answers will be totaled in the "Total Financial Impact" section below. An analysis of how appropriate your current DR spend is will also be presented (this does not factor RTOs and RPOs into the calculation).

Financial Cost Factors | Definition | Enter Estimated Dollar Costs from These Factors
Loss of Revenue Per Day | If the organization is unable to sell product or fulfill orders due to the business unit being down, then the organization is losing revenue. This could be the result of an interruption in the shipping process or of the channel through which sales are made (building, website, etc) being inaccessible to customers. | $125,000.00
Loss of Productivity Per Day | The system is down, causing a production shift to stand around or "make work" to keep busy rather than doing their normal jobs. Order entry staff can’t take orders if the phones are down or their online systems aren’t available. Production staff can’t produce the product if the production line isn’t functioning. Since staff still have to be paid, this time is considered a loss. | $45,000.00
Increased Operating Costs Per Day | If additional work has to be done in order to make up for lost time, then operating costs, such as utility costs, are likely to increase. These expenses are separate from labor and have more to do with keeping the company open longer or working at a higher capacity. | $10,000.00
Increased Labor Costs Per Day | Any additional work is going to require additional labor. This could be in the form of overtime shifts or extra workers during regular shifts. Whatever the case, expenses are going to increase and the organization is going to have to pay for these incremental costs. | $0.00

Total Dollar Impact

Projected Outage Costs Per Day | $180,000.00
Total Projected Outage Costs Per Year | $270,000.00
DR Spend Per Year | $50,000.00

Total Financial Impact

Your current spend on DR is significantly lower than your financial risks from downtime. You may be underspending on your DR capability.
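The calculation behind the figures above can be reproduced as follows. This is an added example, not Info-Tech's tool: the scaling of daily cost by operating hours is an assumption that happens to reproduce the $270,000 annual figure from the sample answers on the earlier evaluation slide (6 outages a year, 2 hours each, 8-hour operating day), and the 25% tolerance band in `assess_dr_spend` is a hypothetical threshold.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class DailyImpact:
    """Estimated cost of one full operating day of downtime, per BIA factor."""
    lost_revenue: float
    lost_productivity: float
    extra_operating: float
    extra_labor: float

    def total(self) -> float:
        return (self.lost_revenue + self.lost_productivity
                + self.extra_operating + self.extra_labor)


def annual_outage_cost(impact: DailyImpact, outages_per_year: float,
                       hours_per_outage: float,
                       operating_hours_per_day: float) -> float:
    """Scale the per-day impact by the operating days lost in a year.

    Assumption: an outage only costs money during operating hours, so a
    2-hour outage in an 8-hour operating day is a quarter of a day lost.
    """
    if not 0 < operating_hours_per_day <= 24:
        raise ValueError("operating_hours_per_day must be in (0, 24]")
    if outages_per_year < 0 or hours_per_outage < 0:
        raise ValueError("outage counts and durations cannot be negative")
    days_lost = outages_per_year * hours_per_outage / operating_hours_per_day
    return impact.total() * days_lost


def dr_spend(it_budget: float, dr_percent: float) -> float:
    """Annual DR spend as a percentage of the annual IT budget."""
    return it_budget * dr_percent / 100


def assess_dr_spend(annual_loss: float, spend: float,
                    tolerance: float = 0.25) -> str:
    """Compare DR spend with annual downtime risk.

    The tolerance band is a hypothetical threshold, not a value from the
    page. Like the tool, this ignores RTOs and RPOs.
    """
    if spend < annual_loss * (1 - tolerance):
        return "under-spending"
    if spend > annual_loss * (1 + tolerance):
        return "over-spending"
    return "roughly aligned"


# Per-day figures from the Business Impact Analysis table on this page.
SAMPLE = DailyImpact(lost_revenue=125_000, lost_productivity=45_000,
                     extra_operating=10_000, extra_labor=0)

if __name__ == "__main__":
    loss = annual_outage_cost(SAMPLE, outages_per_year=6,
                              hours_per_outage=2, operating_hours_per_day=8)
    spend = dr_spend(it_budget=1_000_000, dr_percent=5)
    print(f"per day:  ${SAMPLE.total():,.2f}")
    print(f"per year: ${loss:,.2f}")
    print(f"DR spend: ${spend:,.2f} -> {assess_dr_spend(loss, spend)}")
```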


While bigger budgets might not guarantee shorter RPOs and RTOs, they do raise DR satisfaction

Organizations that have dedicated a larger percent of their IT budget to DR were 44% more likely to have been more satisfied with their performance during an actual disaster than those with smaller DR budget percentages.

The organizations with larger budget percentages were also 33% more likely to reach their RTOs and RPOs than less DR-endowed organizations.

Explain the costs associated with DR so the business can make informed decisions

Costs associated with Disaster Recovery:

1) Infrastructure investments (ranging from new hardware to redundant data centers)
2) Software investments
3) Training for IT staff
4) Cost of educating and training end users
5) Testing
6) Modifications to plan (to reflect any organizational changes, changes to software, infrastructure and business needs)

The slide groups these costs into One Time Costs and Ongoing Costs.

“One thing we’re only now realizing is the cost of the ripple effect. Controlling the costs of both a primary and secondary location, with data in both that needs to be aligned, can add up.”
- Manager of IT in Public Services

Despite feeling satisfied, survey results showed that organizations that dedicated a larger percent of their IT budget to DR actually had longer RPO and RTO averages, 35 hours and 44 hours respectively, than organizations who dedicated smaller percentages to DR, who had an RPO average of 25 hours and an RTO average of 32 hours. This goes to show that how money is spent is more important than how much money is spent.

Aligning IT and Business: Balancing Costs, Achieving the Compromise

Misalignment between IT’s current capabilities and the business’ validated needs is a fixable problem

If IT’s RPOs and RTOs are higher than the business’ needs, then the organization is incurring a needless expense.

If IT’s RPOs and RTOs are lower than business’ needs, then the organization is still very vulnerable.

Often, IT will not have a DR budget big enough to meet all of the business’ DR needs. In those cases, IT and the business will have to work together to find the balance which, while not ideal, is good enough. Once business and IT have decided on the organization’s RPOs and RTOs, IT must determine what resources will be required; these include time, skills and money (for upfront and ongoing costs).

“In our industry and IT sector, crisis happens anytime. Having a workable DR that can be executed within the aligned time that the business group agreed with IT, we can manage our expectation with our stakeholders and allocate resources to identify problems and resume business operation if gaps happen.”
- Supervisor in Air Transportation

Until IT and the business have agreed on DR goals, work cannot start on improving DR capabilities

The Cycle of Alignment

Aligning IT and the business’ RTOs and RPOs can be a difficult task. Companies generally rotate through three phases before they can actually begin to create a DR Capability. Avoid getting stuck in the cycle.

Minimize the time spent on aligning IT and the business’ wants to expedite the process. Ensure that the business and IT keep the lines of communication open and that both parties are willing to hear each other’s opinions.

Healthy Debate

It is critical to keep the business side involved in forming the final RTOs and RPOs, though finding a set you both agree on may not be the easiest task.

Accept or Reject

Once the budget has been drafted and IT has an idea of what is attainable, share the knowledge once more with the business side. Once they see the realities available to them, they may want to re-think some of their decisions.

Establish Budget/Costs

DR cannot be gifted with infinite resources, so organizations must put the resources that are available to their best use. Review the list of priorities the business side has generated and the options currently open to the organization and then distribute the budget in proportion to goals.

Begin Building DR

Once the situation is understood and the details are agreed upon, the real work will finally begin.

Use Info-Tech’s “Ideal RPO and RTO Calculator” tool

to align your organization’s recovery objectives

IT can provide a set of RPOs and RTOs, and business wants another set of RPOs and RTOs, but what set does the organization need?

This is not a rhetorical question; use Info-Tech’s tool to find an answer.

Use the “Comparison of Business and IT Recovery Objectives” tab. Enter both IT’s and the business’ RTOs and

RPOs, examine the comparison, and then enter the compromise.

Comparison of Business and IT Recovery Objectives

| # | Department | Weighting | Current IT Recovery Objectives: RTO (hours) | Current IT Recovery Objectives: RPO (hours) | Recovery Objectives that Business Wants: RTO (hours) | Recovery Objectives that Business Wants: RPO (hours) | RTO Comparison | RPO Comparison |
|---|---|---|---|---|---|---|---|---|
| 1 | Marketing | 20% | 4-7 hours | 4-7 hours | 2-3 hours | 1 hour | This department's RTO is being under-delivered by IT according to what the business wants. | This department's RPO is being under-delivered by IT according to what the business wants. |
| 2 | Finance | 20% | 8-23 hours | 8-23 hours | 4-7 hours | 2-3 hours | This department's RTO is being under-delivered by IT according to what the business wants. | This department's RPO is being under-delivered by IT according to what the business wants. |
| 3 | Human Resources | 20% | 4-7 hours | 4-7 hours | 8-23 hours | 8-23 hours | This department's RTO is being over-delivered by IT according to what the business wants. | This department's RPO is being over-delivered by IT according to what the business wants. |
| 4 | Sales | 20% | 2-3 hours | 2-3 hours | 1 hour | 1 hour | This department's RTO is being under-delivered by IT according to what the business wants. | This department's RPO is being under-delivered by IT according to what the business wants. |
| 5 | Customer Service | 20% | 4-7 hours | 8-23 hours | 2-3 hours | 2-3 hours | This department's RTO is being under-delivered by IT according to what the business wants. | This department's RPO is being under-delivered by IT according to what the business wants. |

Purpose

The purpose of this section is to record the RTOs and RPOs that IT can provide and that the business wants for every department. These recovery objectives are compared to each other and to data collected from comparable companies in order to suggest the most suitable average RTO and RPO that matches the current DR spend.

Instructions

1) Fill in the blank spaces in the "Current IT Recovery Objectives" columns with the RTOs and RPOs that IT can provide for each department.

2) Fill in the blank spaces in the "Recovery Objectives that the Business Wants" columns with the RTOs and RPOs that the business wants for each department.

3) Review where the gaps exist between what IT is offering and what the business wants.


Companies generally miscalculate the percent of their IT budget that will be spent on DR. According to our survey, actual costs average 30% more than organizations predict. Use this tool to determine the percent of the IT budget your organization should invest in DR.

Use the “Cost of Maintaining Recovery Objectives” tab to align your organization’s objectives


Costs of Maintaining Recovery Objectives

Purpose

This reporting page summarizes the costs associated with the recovery objectives that IT provides, those that the business wants and the recovery objectives that best match the current spend on DR.

Instructions

1) Review this sheet and present these findings along with the business impact analysis to the business side. Try to reach a consensus on the recovery objectives that best suit the organization's needs.

2) Use the following tab to record these aligned recovery objectives.

Initial IT Capability

Weighted RPO: 4-7 hours

Weighted RTO: 4-7 hours

Current Spend on DR is 5% of annual IT Budget

If the organization wanted to deploy their DR capability through another channel while maintaining their current recovery objectives they would have to spend the following percents of their IT budgets on DR.

In-house: 2.78%

Third Party: 5.00%

Co-Location: 2.50%

Initial Requests by Business

Weighted RPO: 2-3 hours

Weighted RTO: 2-3 hours

If the organization wanted to deploy their DR capability through another channel while offering the recovery objectives that the business wants they would have to spend the following percents of their IT budgets on DR.

In-house: 9.00%

Third Party: 16.20%

Co-Location: 8.10%

Recommended Recovery Objectives Based on Current Losses Due to Downtime from BIA Calculations

Weighted RPO: 1 hour

Weighted RTO: 1 hour

Based on the yearly financial losses projected in the BIA, the organization's ideal DR spend would vary as follows (please be advised that these suggestions are the "ideal" spends, IT and the business still need to decide if these are appropriate or financially feasible):

In-house: 12.00%

Third Party: 21.60%

Co-Location: 10.80%


Summary

The next phase of the DR project is the actual planning.

It is time to get down to the details, answering questions like:

Will your organization create its disaster recovery plan (DRP) in-house or will it outsource the creation?

• If you decide to take the in-house route, it might help to know that: 75% of organizations create their plans in-house and, on average, plans take 9 months to complete.

• If you decide to outsource, it might help to know that: outsourcing plans is expensive, costing anywhere from $20,000 to hundreds of thousands of dollars.

What facilities will your organization use for the DRP’s continual support?

• After you have built your organization’s DR capability, you still need to sustain it. Determine if your DR capability should be hosted in-house, through a third party or through a co-location facility.

You have an idea of your goals and your budget, but you still need to decide where exactly you will be spending your time and money in order to make those goals a reality. Refer to the Appendix for more information on how an actual DRP can be broken down.

In this deck, you have:

• assessed your organization’s current DR capabilities,

• obtained the business’ priorities,

• kept the business involved while IT balanced their wants and their costs, arriving at the organization’s needs,

• and learned the approximate budget those DR objectives require.

These are the steps all organizations need to take when scoping their appropriate DR capabilities; follow them to lead your company to stable ground.



Case Studies

• Building the DR Capability

• Continually Improving DR

• Maintaining DR Capability

Public Services organization begins to build its DR


Current DR Capability

• The organization is only beginning to create its Disaster Recovery capabilities.

• The organization has seventeen locations it needs to maintain and one of its main priorities is to ensure that they all remain connected during an emergency.

• They brought in a consultant to do a BIA and help establish DR objectives for each system.

• Though they have just begun, they have already established an RPO of the previous night and an RTO of the next day for their most critical system.

Company Profile at a Glance

Industry: Public Services

DR Vendors: Combination of third-party and in-house.

Cost: 5%-10% of IT budget

Business Involvement in DR Capability

• The business side was very involved in the creation of the organization’s DR capabilities.

• The DR project actually sprang out of the BC project the business side was doing at the time.

DR Capability Put to the Test

• No real disasters as of yet, but they will continue to prepare for the worst.

DR Planning Experiences

• Vendors don’t always deliver on what they claim to be offering. Costs can add up fast on these kinds of projects if you don’t have a clear idea of what you want and how you are going to get it, and that goes double for when you’re dealing with vendors.

Government agency continually improves DR capability


Current DR Capability

• Disaster Recovery is formally documented in the agency. There are binders at the DR site and with each of the managers. The DR plan also resides on an internal website for all staff to access.

• The current plan focuses on IT and business infrastructure. The next iterations of the plan will include more aspects of the business.

• The DR plan is tested rigorously every year. Also, when applications are reconfigured or new applications are acquired, tests are performed to ensure that no other parts of the DRP are affected.

Company Profile at a Glance

Industry: Government

DR Vendors: SunGard for BIA; actual DR creation was in-house

Cost: $10M-$15M

Business Involvement in DR Capability

• The business was heavily involved in creating the Disaster Recovery capability in the organization.

• IT did not have to coerce the business to participate in the DR exercise.

DR Capability Put to the Test

• The current DR plan has gone through one real life test. An application was lost and the DR plan needed to be enacted in order to get the application running again.

DR Planning Experiences

• The current DR capability is regarded as being 40% done; it has taken 5 years and $5-10 Million to get this far. The agency estimates that the plan will take another 5 years and $5-10 Million to complete.

Consulting company knows how to maintain its DR capabilities


Current DR Capability

• Disaster Recovery is formally documented both in binders and electronically.

• The DR plan is thoroughly tested in all kinds of ways. They have done simple tabletop tests, more complicated simulation tests, and even an actual recovery test.

• Different recovery objectives have been set depending upon the criticality of the systems; objectives range from two weeks to instantaneous recovery (through mirroring).

Company Profile at a Glance

Industry: Consulting

DR Vendors: Created in-house, but supported on-site and off-site

Cost: $50,000/year

Business Involvement in DR Capability

• The business side was involved in the DR creation as soon as DR’s importance was explained to them in relatable terms.

DR Capability Put to the Test

• Before they built their DR capabilities, the organization had a power outage. They lost connectivity to the outside world and failover didn’t turn on. That’s what inspired them to improve their DR. Now, the organization goes through outages unaffected.

DR Planning Experiences

• Make sure you know your objectives and priorities when building your DR capabilities, and don’t get tied up in all the little details. When you are talking about disaster recovery, you’re talking about survival, not about getting everything perfect.


Need additional support? Info-Tech goes beyond just providing research: You can either speak directly with an analyst or advisor and/or evaluate on-site consulting services to help your team achieve results.

E-mail our Advisory Team to find out how we have helped other clients and get your Disaster Recovery initiative started today!

Our Consulting & Advisory Services

Trigger Point: The Basics

• The Definition: Establishing common understanding

• Disaster Recovery vs. Business Continuity: Clarification of scope and responsibilities

• The Value: Business case development

Trigger Point: Current DR Capabilities

• What IT Provides: Assessing your IT Capability: DR Recovery Objective Alignment & Cost Tool

Trigger Point: DR Wants & Needs

• Business Buy-In: Fostering Organizational Awareness and Readiness

• What Business & IT Want: Business Impact Assessment

Trigger Point: Aligning IT & Business

• What Business & IT Need: DRBC Organizational Prioritization

• Balancing Costs: Commitment on Budget for DRBC Priority Areas

• Achieving Compromise: Executive Roadmap & Timeline


Appendix


What are the components of a disaster recovery plan?

DRPs can be split into two main parts: Strategic and Tactical

The Strategic Components

1. Disaster Recovery Policies & Management Procedures
2. Disaster Recovery Time Objectives (RTO) & Recovery Point Objectives (RPO)
3. Disaster Recovery Goals, Assumptions, & Strategies
4. Disaster Recovery Communications Plan
5. Disaster Recovery Team Roles & Responsibilities
6. Disaster Assessment Procedures
7. Disaster Declaration Authority & Declaration Procedures
8. DR Command Center & Recovery Logistics Management

The Tactical Components

1. Disaster Recovery Technical Overview
2. Vendor & Corporate Contacts
3. “How To” Recovery Procedures for “Critical” Services, Systems, & Data
4. Security Incident Response Procedures
5. “Return to Normal Operations” Procedures

