Historically, disaster recovery (DR) planning focused on protection against unlikely events such as fires, floods and natural disasters. Some companies mistakenly view DR as an insurance policy for which the likelihood of a claim is low. With the current financial and economic pressures, cutting or underfunding DR planning is a tempting prospect for many organizations. That impulse could be costly.

Unfortunately, many companies have adopted newer technology delivery models, such as Cloud Infrastructure-as-a-Service (IaaS), Software-as-a-Service (SaaS) applications and managed infrastructure services, without DR in mind. As a result, the lack of a formal DR program with an emphasis on the human side of recovery, updated documentation, planning for relevant scenarios and effective management of a disaster response is a risk for any organization.

Disaster Recovery Planning Lags Behind

Forrester Research and the Disaster Recovery Journal recently conducted a joint survey to determine the state of DR practices and preparedness in 2022. They surveyed IT, DR and risk professionals globally and found that DR readiness is lagging.

A case in point: almost one-quarter of survey respondents update DR plans only once every two years or less often. Forty-eight percent said they update DR plans annually. Business impact analysis (BIA) follows a similar update pattern, with fewer than 20% of respondents updating this aspect of a DR program every quarter or more frequently.

The consequences of these gaps can be severe. Uptime Institute’s 2022 Outage Analysis Report illustrates that over 60% of outages result in at least $100,000 in losses, up 39% from 2019, and outages that cost upwards of $1 million increased from 11% to 15% over that same period.

Business Impact Analysis: The DR Program Cornerstone

To stay in business during and after a disruptive event, a company must do more than allocate a small percentage of the budget to DR planning. Even the most minor outage can have serious consequences. A formal BIA is crucial to analyze disruptions in all IT systems, applications, services and processes along with their dependencies.

Companies should start by assigning an experienced cross-functional team to conduct the BIA. This team should analyze operational IT assets and activities and the effect a disruption might have. It’s also important to articulate the impacts of outages and downtime to leadership, to justify DR investments.

The key BIA objectives are to:

  • Identify and prioritize the criticality of IT systems, applications, services and processes
  • Determine recovery time objectives (RTOs), recovery point objectives (RPOs) and maximum acceptable outages (MAOs)
  • Conduct end-to-end analysis of information flows through internal and external processing environments and identify recovery options for all potential scenarios
  • Analyze the impact and cost of downtime over varying time periods.

Implementing the BIA Objectives

According to the Disaster Recovery Journal’s glossary, an RTO is the period of time following an incident within which a product, service or activity must be resumed or resources must be recovered. The RTO spells out the time frame for the resumption after an outage in minutes, hours or days.

An RPO is a point in time when the information used by an activity must be restored to enable that activity to continue or resume. Some companies accept that if a disaster occurs, they will recover using the last backup. In many cases, that backup could be 24 hours old or older. IT systems, applications, services and processes that are not mission-critical generally tolerate that level of loss.

An MAO is the time it would take for the adverse impacts of outages to become unacceptable for the business. In other words, MAO is the maximum time between the outage occurring and the point when IT systems, applications, services and processes need to return to a state of providing acceptable service levels in order to prevent irrevocable harm to the business. Although recovery must have been completed and processing resumed within the MAO time frame, normal resiliency levels may not have been restored and the original site or equipment may not yet be operable.

The BIA identifies what your company has at risk and which IT systems, applications, services and processes are most critical. This helps prioritize risk management and recovery investments so that those responsible can create more effective DR procedures.
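The following added example (not part of the original article) audits a small BIA register against the three objectives defined above: it flags an RTO that exceeds the MAO, a backup older than the RPO, and an RTO that the system's dependencies cannot support. The system names, hour values and timestamps are constructed, and the rule that a system cannot recover sooner than its slowest dependency is an assumption of this example.

```python
from datetime import datetime, timedelta

# Constructed BIA register: hypothetical systems, all objectives in hours.
REGISTER = {
    "payments-api": {"rto": 2, "rpo": 1, "mao": 4, "deps": ["customer-db", "auth"]},
    "customer-db": {"rto": 4, "rpo": 1, "mao": 8, "deps": []},
    "auth": {"rto": 1, "rpo": 24, "mao": 2, "deps": []},
    "reporting": {"rto": 48, "rpo": 24, "mao": 36, "deps": ["customer-db"]},
}
# Constructed audit time and last-good-backup timestamps.
NOW = datetime(2022, 11, 1, 12, 0)
LAST_BACKUP = {
    "payments-api": NOW - timedelta(minutes=30),
    "customer-db": NOW - timedelta(hours=26),
    "auth": NOW - timedelta(hours=3),
    "reporting": NOW - timedelta(hours=20),
}

def effective_rto(name, register, seen=()):
    """Assumed rule: a system cannot resume before its slowest dependency."""
    if name in seen:
        raise ValueError(f"dependency cycle at {name}")
    entry = register[name]
    dep_rtos = [effective_rto(d, register, seen + (name,)) for d in entry["deps"]]
    return max([entry["rto"], *dep_rtos])

def audit(register, last_backup, now):
    """Return (system, code, detail) findings, ordered by system name."""
    findings = []
    for name, e in sorted(register.items()):
        # Recovery must complete inside the maximum acceptable outage.
        if e["rto"] > e["mao"]:
            findings.append((name, "RTO_EXCEEDS_MAO",
                             f"RTO {e['rto']}h > MAO {e['mao']}h"))
        # A stated RTO shorter than a dependency's RTO cannot be met.
        eff = effective_rto(name, register)
        if eff > e["rto"]:
            findings.append((name, "RTO_BELOW_DEPENDENCY",
                             f"dependencies need {eff}h, stated RTO {e['rto']}h"))
        # Data loss on restore equals backup age; it must fit the RPO.
        age_h = (now - last_backup[name]).total_seconds() / 3600
        if age_h > e["rpo"]:
            findings.append((name, "RPO_STALE_BACKUP",
                             f"backup is {age_h:.1f}h old, RPO {e['rpo']}h"))
    return findings

if __name__ == "__main__":
    for system, code, detail in audit(REGISTER, LAST_BACKUP, NOW):
        print(f"{system:14} {code:22} {detail}")
```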

Disaster Recovery Should Be a Top-Level Concern

The cornerstone of a successful DR program is a BIA. But the foundational components of a program also require senior management sponsorship and weaving DR into the organizational culture, IT project life cycle, change management activities and new products or services.

Disasters are unpredictable by nature. However, companies are more agile and ready to respond after building an effective DR program. DR should be a top-level concern for all organizations, and resilient companies are resilient because they plan for disaster.
