November 21, 2022 By Brian Evans 3 min read

Historically, disaster recovery (DR) planning focused on protection against unlikely events such as fires, floods and natural disasters. Some companies mistakenly view DR as an insurance policy for which the likelihood of a claim is low. With the current financial and economic pressures, cutting or underfunding DR planning is a tempting prospect for many organizations. That impulse could be costly.

Unfortunately, many companies have adopted newer technology delivery models, such as cloud Infrastructure-as-a-Service (IaaS), Software-as-a-Service (SaaS) applications and managed infrastructure services, without DR in mind. As a result, any organization that lacks a formal DR program, one that emphasizes the human side of recovery, keeps documentation current, plans for relevant scenarios and manages the disaster response effectively, is carrying unaddressed risk.

Disaster recovery planning lags behind

Forrester Research and the Disaster Recovery Journal recently conducted a joint survey to determine the state of DR practices and preparedness in 2022. They surveyed IT, DR and risk professionals globally and found that DR readiness is lagging.

A case in point: almost one-quarter of survey respondents update their DR plans only once every two years or less often, and 48% said they update them annually. Business impact analysis (BIA) follows a similar pattern, with fewer than 20% of respondents updating that part of their DR program quarterly or more frequently.

The consequences of these gaps can be severe. Uptime Institute's 2022 Outage Analysis Report shows that over 60% of outages now result in at least $100,000 in losses, up from 39% in 2019, and that the share of outages costing $1 million or more rose from 11% to 15% over the same period.

Business impact analysis: The DR program cornerstone

To stay in business during and after a disruptive event, a company must do more than allocate a small percentage of its budget to DR planning. Even a minor outage can have serious consequences. A formal BIA is crucial for analyzing the effect of a disruption on every IT system, application, service and process, along with their dependencies.

Companies should start by assigning an experienced cross-functional team to conduct the BIA. This team should analyze operational IT assets and activities and the effect a disruption might have. It’s also important to articulate the impacts of outages and downtime to leadership, to justify DR investments.

The key BIA objectives are to:

  • Identify and prioritize the criticality of IT systems, applications, services and processes
  • Determine recovery time objectives (RTOs), recovery point objectives (RPOs) and maximum acceptable outages (MAOs)
  • Conduct end-to-end analysis of information flows through internal and external processing environments and identify recovery options for all potential scenarios
  • Analyze the impact and cost of downtime over varying time periods

Implementing the BIA objectives

According to the Disaster Recovery Journal’s glossary, an RTO is the period of time following an incident within which a product, service or activity must be resumed or resources must be recovered. The RTO spells out the time frame for the resumption after an outage in minutes, hours or days.

An RPO is the point in time to which the information used by an activity must be restored for that activity to continue or resume; in practice it bounds how much data loss is acceptable. Some companies accept that if a disaster occurs, they will recover from the last backup, which in many cases could be 24 hours old or older. IT systems, applications, services and processes that are not mission-critical generally tolerate that level of loss.

An MAO is the time it would take for the adverse impacts of an outage to become unacceptable to the business. In other words, the MAO is the maximum time from the start of the outage to the point at which IT systems, applications, services and processes must be back at acceptable service levels to prevent irrevocable harm to the business. Recovery must therefore be complete and processing resumed within the MAO, which is why an RTO must never be set longer than the corresponding MAO; normal resiliency levels, however, may not yet have been restored, and the original site or equipment may not yet be operable.

The BIA identifies what your company has at risk and which IT systems, applications, services and processes are most critical. This helps prioritize risk management and recovery investments so that those responsible can create more effective DR procedures.
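The objectives above only pay off when someone checks them against evidence. The following is an added example, not code from the article or from Forrester, DRJ or Uptime Institute. It models a few BIA rows with their RTO, RPO and MAO, pairs each with what operations can actually prove (the age of the newest restorable backup and the recovery time measured in the last restore test), and reports the gaps: an RTO set longer than its MAO, a backup older than the RPO, and a measured or never-measured recovery time that misses the RTO. The system names, tiers, objectives and evidence are constructed sample data, and the field names are assumptions for illustration.

```python
"""Check BIA recovery objectives against measured DR evidence.

Added example, not part of the original article. All system names,
objectives, backup timestamps and restore-test durations are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class BiaEntry:
    """One row of the BIA: a system and the objectives assigned to it."""
    name: str
    tier: int            # criticality rank from the BIA, 1 = mission-critical
    rto: timedelta       # recovery time objective
    rpo: timedelta       # recovery point objective
    mao: timedelta       # maximum acceptable outage


@dataclass(frozen=True)
class Evidence:
    """What operations can actually prove for that system."""
    last_backup: datetime                    # newest restorable copy
    last_restore_test: Optional[timedelta]   # measured recovery time, None if never tested


def check_entry(entry: BiaEntry, ev: Evidence, now: datetime) -> list:
    """Return the findings for one system; an empty list means the objectives hold."""
    findings = []
    # Recovery must finish before the outage becomes unacceptable,
    # so an RTO longer than the MAO is an internally inconsistent plan.
    if entry.rto > entry.mao:
        findings.append(f"RTO {entry.rto} exceeds MAO {entry.mao}")
    # The data loss you would suffer right now is the age of the newest
    # restorable copy; if that exceeds the RPO, the RPO is not being met.
    age = now - ev.last_backup
    if age > entry.rpo:
        findings.append(f"newest backup is {age} old, RPO is {entry.rpo}")
    # An RTO is only a claim until a restore test has measured it.
    if ev.last_restore_test is None:
        findings.append("RTO never validated by a restore test")
    elif ev.last_restore_test > entry.rto:
        findings.append(f"last restore took {ev.last_restore_test}, RTO is {entry.rto}")
    return findings


def review(entries, evidence, now):
    """Findings per system, most critical tier first so remediation is prioritized."""
    ordered = sorted(entries, key=lambda e: (e.tier, e.name))
    return [(e.name, check_entry(e, evidence[e.name], now)) for e in ordered]


# Constructed sample data (assumption, not from the article); a fixed "now"
# keeps the run reproducible.
NOW = datetime(2022, 11, 21, 9, 0, tzinfo=timezone.utc)
H, M = timedelta(hours=1), timedelta(minutes=1)

SYSTEMS = [
    BiaEntry("intranet-wiki", tier=3, rto=72 * H, rpo=24 * H, mao=48 * H),
    BiaEntry("payments-api", tier=1, rto=1 * H, rpo=15 * M, mao=2 * H),
    BiaEntry("erp", tier=1, rto=4 * H, rpo=1 * H, mao=4 * H),
]

EVIDENCE = {
    "payments-api": Evidence(last_backup=NOW - 5 * M, last_restore_test=45 * M),
    "erp": Evidence(last_backup=NOW - 26 * H, last_restore_test=6 * H),   # nightly job missed a night
    "intranet-wiki": Evidence(last_backup=NOW - 20 * H, last_restore_test=None),
}

if __name__ == "__main__":
    for name, findings in review(SYSTEMS, EVIDENCE, NOW):
        print(f"{'OK' if not findings else 'GAP':3} {name}")
        for f in findings:
            print(f"     - {f}")
```

In the sample data, payments-api passes on all three counts, erp fails its RPO (the newest backup is 26 hours old against a 1 hour RPO) and its RTO (the last test restore took 6 hours against a 4 hour RTO), and intranet-wiki has an RTO longer than its MAO and has never been restore-tested. Feeding this from real backup catalogs and DR test records turns the BIA from a document that is updated every two years into a check that can run every day.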

Disaster recovery should be a top-level concern

The cornerstone of a successful DR program is the BIA. But a program also needs foundational support: senior management sponsorship, and DR woven into the organizational culture, the IT project life cycle, change management and the launch of new products and services.

Disasters are unpredictable by nature. However, companies are more agile and ready to respond after building an effective DR program. DR should be a top-level concern for all organizations, and resilient companies are resilient because they plan for disaster.
