Historically, disaster recovery (DR) planning focused on protection against unlikely events such as fires, floods and natural disasters. Some companies mistakenly view DR as an insurance policy for which the likelihood of a claim is low. With the current financial and economic pressures, cutting or underfunding DR planning is a tempting prospect for many organizations. That impulse could be costly.

Unfortunately, many companies have adopted newer technology delivery models, such as cloud Infrastructure-as-a-Service (IaaS), Software-as-a-Service (SaaS) applications and managed infrastructure services, without DR in mind. As a result, the lack of a formal DR program with an emphasis on the human side of recovery, updated documentation, planning for relevant scenarios and effective management of a disaster response is a risk for any organization.

Disaster Recovery Planning Lags Behind

Forrester Research and the Disaster Recovery Journal recently conducted a joint survey to determine the state of DR practices and preparedness in 2022. They surveyed IT, DR and risk professionals globally and found that DR readiness is lagging.

A case in point: almost one-quarter of survey respondents only update DR plans once every two years or longer. 48% said they update DR plans annually. Business impact analysis (BIA) follows a similar update pattern, with fewer than 20% of respondents updating this aspect of a DR program every quarter or more frequently.

The consequences of these gaps can be severe. Uptime Institute’s 2022 Outage Analysis Report illustrates that over 60% of outages result in at least $100,000 in losses, up 39% from 2019, and outages that cost upwards of $1 million increased from 11% to 15% over that same period.

Business Impact Analysis: The DR Program Cornerstone

To stay in business during and after a disruptive event, a company must do more than allocate a small percentage of the budget to DR planning. Even the most minor outage can have serious consequences. A formal BIA is crucial to analyze disruptions in all IT systems, applications, services and processes along with their dependencies.

Companies should start by assigning an experienced cross-functional team to conduct the BIA. This team should analyze operational IT assets and activities and the effect a disruption might have. It’s also important to articulate the impacts of outages and downtime to leadership, to justify DR investments.

The key BIA objectives are to:

  • Identify and prioritize the criticality of IT systems, applications, services and processes
  • Determine recovery time objectives (RTOs), recovery point objectives (RPOs) and maximum acceptable outages (MAOs)
  • Conduct end-to-end analysis of information flows through internal and external processing environments and identify recovery options for all potential scenarios
  • Analyze the impact and cost of downtime over varying time periods.

Implementing the BIA Objectives

According to the Disaster Recovery Journal’s glossary, an RTO is the period of time following an incident within which a product, service or activity must be resumed or resources must be recovered. The RTO spells out the time frame for the resumption after an outage in minutes, hours or days.

An RPO is a point in time when the information used by an activity must be restored to enable that activity to continue or resume. Some companies accept that if a disaster occurs, they will recover using the last backup. In many cases, that backup could be 24 hours old or older. IT systems, applications, services and processes that are not mission-critical generally tolerate that level of loss.

An MAO is the time it would take for the adverse impacts of outages to become unacceptable for the business. In other words, MAO is the maximum time between an outage occurring and the point at which IT systems, applications, services and processes must return to acceptable service levels in order to prevent irrevocable harm to the business. Although recovery must be completed and processing resumed within the MAO time frame, normal resiliency levels may not have been restored and the original site or equipment may not yet be operable.

The BIA identifies what your company has at risk and which IT systems, applications, services and processes are most critical. This helps prioritize risk management and recovery investments so that those responsible can create more effective DR procedures.
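The following added example (not part of the original article) shows how the three BIA figures can be checked against each other and against backup evidence. The system names, hour values and timestamps are constructed, and the assumption that dependencies are recovered one after another is ours.

```python
from datetime import datetime, timedelta

# Constructed sample inventory (hypothetical systems; all values in hours).
# "deps" lists the systems that must be recovered first.
SYSTEMS = {
    "auth-db":   {"rto": 2, "rpo": 1,  "mao": 4,  "deps": []},
    "auth-api":  {"rto": 1, "rpo": 24, "mao": 4,  "deps": ["auth-db"]},
    "orders":    {"rto": 2, "rpo": 4,  "mao": 4,  "deps": ["auth-api"]},
    "reporting": {"rto": 8, "rpo": 24, "mao": 72, "deps": ["orders"]},
}
NOW = datetime(2023, 1, 10, 12, 0)  # constructed "time of incident"
LAST_BACKUP = {
    "auth-db": NOW - timedelta(minutes=30),
    "auth-api": NOW - timedelta(hours=20),
    "orders": NOW - timedelta(hours=26),
    "reporting": NOW - timedelta(hours=23),
}

def effective_rto(name, systems, _seen=()):
    """Own RTO plus the slowest dependency chain (sequential recovery assumed)."""
    if name in _seen:
        raise ValueError(f"dependency cycle at {name}")
    chain = _seen + (name,)
    upstream = max((effective_rto(d, systems, chain)
                    for d in systems[name]["deps"]), default=0)
    return systems[name]["rto"] + upstream

def bia_findings(systems, last_backup, now):
    """Return sorted (system, issue) pairs where stated objectives cannot be met."""
    findings = []
    for name, s in systems.items():
        # RPO check: data loss equals the age of the newest usable backup.
        age_h = (now - last_backup[name]).total_seconds() / 3600
        if age_h > s["rpo"]:
            findings.append((name, f"backup is {age_h:.1f}h old, RPO is {s['rpo']}h"))
        # RTO must fit inside the MAO, alone and with its dependencies.
        if s["rto"] > s["mao"]:
            findings.append((name, f"RTO {s['rto']}h exceeds MAO {s['mao']}h"))
        eff = effective_rto(name, systems)
        if s["rto"] <= s["mao"] < eff:
            findings.append((name, f"dependency chain needs {eff}h, MAO is {s['mao']}h"))
    return sorted(findings)

if __name__ == "__main__":
    for system, issue in bia_findings(SYSTEMS, LAST_BACKUP, NOW):
        print(f"{system}: {issue}")
```

In this sample, "orders" passes its own RTO-versus-MAO check yet still fails, because the systems it depends on consume most of its MAO before its own recovery can start.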

Disaster Recovery Should Be a Top-Level Concern

The cornerstone of a successful DR program is a BIA. But the foundational components of a program also require senior management sponsorship and weaving DR into the organizational culture, IT project life cycle, change management activities and new products or services.

Disasters are unpredictable by nature. However, companies are more agile and ready to respond after building an effective DR program. DR should be a top-level concern for all organizations, and resilient companies are resilient because they plan for disaster.
