November 21, 2022 By Brian Evans 3 min read

Historically, disaster recovery (DR) planning focused on protection against unlikely events such as fires, floods and natural disasters. Some companies mistakenly view DR as an insurance policy for which the likelihood of a claim is low. With the current financial and economic pressures, cutting or underfunding DR planning is a tempting prospect for many organizations. That impulse could be costly.

Unfortunately, many companies have adopted newer technology delivery models, such as cloud Infrastructure-as-a-Service (IaaS), Software-as-a-Service (SaaS) applications and managed infrastructure services, without DR in mind. As a result, the lack of a formal DR program, one that emphasizes the human side of recovery, keeps documentation current, plans for relevant scenarios and manages the disaster response effectively, is a risk for any organization.

Disaster recovery planning lags behind

Forrester Research and the Disaster Recovery Journal recently conducted a joint survey to determine the state of DR practices and preparedness in 2022. They surveyed IT, DR and risk professionals globally and found that DR readiness is lagging.

A case in point: almost one-quarter of survey respondents update their DR plans only once every two years or less often, and 48% update them annually. Business impact analysis (BIA) follows a similar pattern: fewer than 20% of respondents update that part of the DR program quarterly or more often.

The consequences of these gaps can be severe. Uptime Institute's 2022 Outage Analysis Report found that over 60% of outages now result in at least $100,000 in losses, up from 39% in 2019, and that the share of outages costing $1 million or more rose from 11% to 15% over the same period.

Business impact analysis: The DR program cornerstone

To stay in business during and after a disruptive event, a company must do more than allocate a small percentage of the budget to DR planning. Even the most minor outage can have serious consequences. A formal BIA is crucial to analyze disruptions in all IT systems, applications, services and processes along with their dependencies.

Companies should start by assigning an experienced cross-functional team to conduct the BIA. This team should analyze operational IT assets and activities and the effect a disruption might have. It’s also important to articulate the impacts of outages and downtime to leadership, to justify DR investments.

The key BIA objectives are to:

  • Identify and prioritize the criticality of IT systems, applications, services and processes
  • Determine recovery time objectives (RTOs), recovery point objectives (RPOs) and maximum acceptable outages (MAOs)
  • Conduct end-to-end analysis of information flows through internal and external processing environments and identify recovery options for all potential scenarios
  • Analyze the impact and cost of downtime over varying time periods

Implementing the BIA objectives

According to the Disaster Recovery Journal's glossary, an RTO is the period of time following an incident within which a product, service or activity must be resumed, or resources must be recovered. It states the time frame for resumption after an outage in minutes, hours or days.

An RPO is the point in time to which the information used by an activity must be restored to enable that activity to continue or resume; in practice it bounds how much data the business can afford to lose. Some companies accept that if a disaster occurs, they will recover from the last backup. In many cases, that backup could be 24 hours old or older. IT systems, applications, services and processes that are not mission-critical generally tolerate that level of loss, but a system with an RPO of minutes cannot be protected by a nightly backup.

An MAO is the time it would take for the adverse impacts of an outage to become unacceptable to the business. In other words, the MAO is the maximum time between the outage occurring and IT systems, applications, services and processes returning to acceptable service levels, beyond which the business suffers irrevocable harm. Recovery must be complete and processing resumed within the MAO, but normal resiliency levels may not yet be restored and the original site or equipment may not yet be operable. It follows that a system's RTO must be no longer than its MAO.
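The three objectives above only mean something when they are checked against each other and against what is actually in place. The following script is an added example, not code from the article or from the Disaster Recovery Journal: it walks a constructed BIA inventory (the systems, figures and the `BiaEntry` schema are hypothetical) and flags the two inconsistencies a reviewer most often finds, an RTO that is longer than the MAO and a backup cadence that cannot meet the RPO. It treats the backup interval as the worst-case data loss, which is an assumption; continuous replication or log shipping would need a different measure. It also ranks systems by MAO and costs an outage over varying periods, covering the last two BIA objectives listed earlier.

```python
from dataclasses import dataclass
from datetime import timedelta


@dataclass(frozen=True)
class BiaEntry:
    """One row of a BIA inventory (hypothetical schema for this example)."""
    name: str
    rto: timedelta              # recovery time objective
    rpo: timedelta              # recovery point objective
    mao: timedelta              # maximum acceptable outage
    backup_interval: timedelta  # how often a restorable copy is actually taken
    hourly_cost: float          # estimated loss per hour of downtime


# Constructed sample inventory; the systems and figures are invented.
INVENTORY = [
    BiaEntry("order-api", rto=timedelta(hours=2), rpo=timedelta(minutes=15),
             mao=timedelta(hours=4), backup_interval=timedelta(hours=24),
             hourly_cost=50_000),
    BiaEntry("payroll", rto=timedelta(hours=48), rpo=timedelta(hours=24),
             mao=timedelta(hours=24), backup_interval=timedelta(hours=24),
             hourly_cost=2_000),
    BiaEntry("wiki", rto=timedelta(hours=72), rpo=timedelta(hours=24),
             mao=timedelta(hours=120), backup_interval=timedelta(hours=24),
             hourly_cost=100),
]

FINDING_TEXT = {
    "RTO_GT_MAO": "RTO is longer than MAO: recovery completes after harm is already unacceptable",
    "BACKUP_GT_RPO": "backup interval is longer than RPO: worst-case data loss exceeds what the business tolerates",
}


def check_entry(e: BiaEntry) -> list[str]:
    """Return the codes of the objectives this entry cannot actually meet."""
    findings = []
    if e.rto > e.mao:
        findings.append("RTO_GT_MAO")
    # Assumption: the worst-case data loss equals the gap between backups.
    if e.backup_interval > e.rpo:
        findings.append("BACKUP_GT_RPO")
    return findings


def review(inventory: list[BiaEntry]) -> dict[str, list[str]]:
    """Findings for every system, keyed by system name."""
    return {e.name: check_entry(e) for e in inventory}


def prioritize(inventory: list[BiaEntry]) -> list[BiaEntry]:
    """Shortest MAO first; ties broken by higher hourly cost."""
    return sorted(inventory, key=lambda e: (e.mao, -e.hourly_cost))


def downtime_cost(e: BiaEntry, hours: float) -> float:
    """Estimated loss from an outage of the given length."""
    return e.hourly_cost * hours


def cost_profile(e: BiaEntry, hours=(1, 4, 24)) -> dict[int, float]:
    """Impact of an outage over varying time periods."""
    return {h: downtime_cost(e, h) for h in hours}


if __name__ == "__main__":
    for e in prioritize(INVENTORY):
        print(f"{e.name}: MAO={e.mao}, cost over 1/4/24h = {cost_profile(e)}")
        for code in check_entry(e):
            print(f"  FINDING: {FINDING_TEXT[code]}")
```

Run as written, the script lists `order-api` first because its four-hour MAO is the tightest, and flags it because a daily backup cannot satisfy a 15-minute RPO; `payroll` is flagged because its 48-hour RTO exceeds its 24-hour MAO, and `wiki` passes. The same checks are worth repeating whenever a BIA figure, a backup schedule or a system's criticality changes, which is the point of updating the BIA more often than once a year.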

The BIA identifies what your company has at risk and which IT systems, applications, services and processes are most critical. This helps prioritize risk management and recovery investments so that those responsible can create more effective DR procedures.

Disaster recovery should be a top-level concern

The cornerstone of a successful DR program is a BIA. But the foundational components of a program also require senior management sponsorship and weaving DR into the organizational culture, IT project life cycle, change management activities and new products or services.

Disasters are unpredictable by nature. However, companies are more agile and ready to respond after building an effective DR program. DR should be a top-level concern for all organizations, and resilient companies are resilient because they plan for disaster.
