November 21, 2022 By Brian Evans 3 min read

Historically, disaster recovery (DR) planning focused on protection against unlikely events such as fires, floods and natural disasters. Some companies mistakenly view DR as an insurance policy for which the likelihood of a claim is low. With the current financial and economic pressures, cutting or underfunding DR planning is a tempting prospect for many organizations. That impulse could be costly.

Unfortunately, many companies have adopted newer technology delivery models without DR in mind, such as Cloud Infrastructure-as-a-Service (IaaS), Software-as-a-Service (SaaS) applications and managed infrastructure services. As a result, the lack of a formal DR program with an emphasis on the human side of recovery, updated documentation, planning for relevant scenarios and effective management of a disaster response is a risk for any organization

Disaster recovery planning lags behind

Forrester Research and the Disaster Recovery Journal recently conducted a joint survey to determine the state of DR practices and preparedness in 2022. They surveyed IT, DR and risk professionals globally and found that DR readiness is lagging.

A case in point: almost one-quarter of survey respondents only update DR plans once every two years or longer. 48% said they update DR plans annually. Business impact analysis (BIA) follows a similar update pattern, with fewer than 20% of respondents updating this aspect of a DR program every quarter or more frequently.

The consequences of these gaps can be severe. Uptime Institute’s 2022 Outage Analysis Report illustrates that over 60% of outages result in at least $100,000 in losses, up 39% from 2019, and outages that cost upwards of $1 million increased from 11% to 15% over that same period.

Business impact analysis: The DR program cornerstone

To stay in business during and after a disruptive event, a company must do more than allocate a small percentage of the budget to DR planning. Even the most minor outage can have serious consequences. A formal BIA is crucial to analyze disruptions in all IT systems, applications, services and processes along with their dependencies.

Companies should start by assigning an experienced cross-functional team to conduct the BIA. This team should analyze operational IT assets and activities and the effect a disruption might have. It’s also important to articulate the impacts of outages and downtime to leadership, to justify DR investments.

The key BIA objectives are to:

  • Identify and prioritize the criticality of IT systems, applications, services and processes
  • Determine recovery time objectives (RTOs), recovery point objectives (RPOs) and maximum acceptable outages (MAOs)
  • Conduct end-to-end analysis of information flows through internal and external processing environments and identify recovery options for all potential scenarios
  • Analyze the impact and cost of downtime over varying time periods.

Implementing the BIA objectives

According to the Disaster Recovery Journal’s glossary, an RTO is the period of time following an incident within which a product, service or activity must be resumed or resources must be recovered. The RTO spells out the time frame for the resumption after an outage in minutes, hours or days.

An RPO is a point in time when the information used by an activity must be restored to enable that activity to continue or resume. Some companies accept that if a disaster occurs, they will recover using the last backup. In many cases, that backup could be 24 hours old or older. IT systems, applications, services and processes that are not mission-critical generally tolerate that level of loss.

An MAO is the time it would take for the adverse impacts of outages to become unacceptable for the business. In other words, MAO is the maximum time between the outage occurring to when IT systems, applications, services and processes need to return to a state of providing acceptable service levels in order to prevent irrevocable harm to the business. Although recovery must have been completed and processing resumed within the MAO time frame, normal resiliency levels may not have been restored and the original site or equipment may not yet be operable.

The BIA identifies what your company has at risk and which IT systems, applications, services and processes are most critical. This helps prioritize risk management and recovery investments so that those responsible can create more effective DR procedures.

Disaster recovery should be a top-level concern

The cornerstone of a successful DR program is a BIA. But the foundational components of a program also require senior management sponsorship and weaving DR into the organizational culture, IT project life cycle, change management activities and new products or services.

Disasters are unpredictable by nature. However, companies are more agile and ready to respond after building an effective DR program. DR should be a top-level concern for all organizations, and resilient companies are resilient because they plan for disaster.

More from Data Protection

Third-party access: The overlooked risk to your data protection plan

2 min read - A recent IBM Cost of a Data Breach report reveals a startling statistic: Only 42% of companies discover breaches through their own security teams. This highlights a significant blind spot, especially when it comes to external partners and vendors.The financial stakes are steep. On average, a data breach affecting multiple environments costs a whopping $4.88 million. A major breach at a telecommunications provider in January 2023 served as a stark reminder of the risks associated with third-party relationships. In this…

Communication platforms play a major role in data breach risks

4 min read - Every online activity or task brings at least some level of cybersecurity risk, but some have more risk than others. Kiteworks Sensitive Content Communications Report found that this is especially true when it comes to using communication tools.When it comes to cybersecurity, communicating means more than just talking to another person; it includes any activity where you are transferring data from one point online to another. Companies use a wide range of different types of tools to communicate, including email,…

SpyAgent malware targets crypto wallets by stealing screenshots

4 min read - A new Android malware strain known as SpyAgent is making the rounds — and stealing screenshots as it goes. Using optical character recognition (OCR) technology, the malware is after cryptocurrency recovery phrases often stored in screenshots on user devices.Here's how to dodge the bullet.Attackers shooting their (screen) shotAttacks start — as always — with phishing efforts. Users receive text messages prompting them to download seemingly legitimate apps. If they take the bait and install the app, the SpyAgent malware gets…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today