Professional Documents
Culture Documents
Right-Size Enterprise
Disaster Recovery Capabilities
•Your organization must establish the DR it has, the DR it wants, and the DR it needs. Info-
Tech has looked at what other companies have done and will provide you with the do’s and
don’ts when tackling DR:
• Measure your organization’s current DR capabilities
• Get business buy-in to establish appropriate DR priorities
• Separate DR wants from DR needs
• Set relevant and realistic objectives for your organization’s DR capabilities
• Plan for the cost of realizing your chosen DR objectives
•All DR scoping projects are comprised of three phases, move through these phases in a
timely manner to reduce the time spent on planning your DR capability:
1. Determine the current DR capability which IT can provide
2. Know what DR capabilities the business wants
3. Align the business’ and IT’s DR priorities
Case Studies
Research shows:
• 6% of companies which suffer a
catastrophic data loss recover and
survive,
• 43% never reopen,
• 51% close within two years of
reopening. DR focuses on the recovery of IT
services, systems, data facilities
Source: University of Texas and staff.
DR and BC initiatives should complement each other; a good DR plan relies on a good BC
plan and vice versa. Ensure that the DR and BC teams work closely together to ensure
success.
For more information on the differences between DR and BC, please refer to the note,
“Draw the Line Between Disaster Recovery and Business Continuity.”
Info-Tech Research Group 6
Organizations attribute their failure to develop disaster
recovery capabilities to multiple factors
Organizations listed business buy-in, time, and money as the main reasons
why they had yet to develop their disaster recovery capabilities.
DR only becomes useful when “In business, the disaster isn't the act of
all else has gone horribly God or fire that destroys property, but
wrong. the loss of data and the inability to
continue operations - THAT is the
It would be best for an organization if business disaster.“
the value of its DR capabilities is -Manager in the Publishing Industry
never truly realized. However, having
DR ensures that an organization can
(and knows how to) survive a Unless you live in an
disaster. If an organization invests a impenetrable bubble, you will
little now, it won’t lose nearly as benefit from DR.
much later. Every organization that operates on the
planet is at risk from one type of
disaster or another. An organization will
“It’s a relatively cheap insurance
find DR valuable whenever the cost of
policy.”
- Director in Consulting losing its IT operations is greater than
the cost of creating and maintaining its
DR capabilities.
Info-Tech Research Group 8
Downtime costs money. If you know how much, then you
know how urgently the organization must avoid it.
There are several ways in which downtime may cost your organization money:
Loss of Revenue
If the organization is unable to sell product or fulfill orders, then it is losing revenue. This
could be the result of an interruption in the shipping process or of the channel through which
sales are made (building, website, etc.) being inaccessible to customers.
Loss of Productivity
The system is down, causing a production shift to stand around or "make work" to keep busy
rather than doing their normal jobs. Since staff still have to be paid, this time is considered a
loss.
What costs are relevant, and to what degree they impact the organization, is dependent
upon the specific system that is down and its function within the business.
Info-Tech Research Group 9
There are three stages in DR Scoping; each is driven by a
different group of stakeholders
Step 1: Assess Current IT Capabilities
• Prior to creating DR capabilities, know what degree of DR capability IT currently has.
• Know when IT can bring systems back online and to what point IT can recover data.
• Understand the infrastructure that is currently used to support recovery abilities.
• Once you know what resources IT currently has, it’s easier to identify potential areas that
should be developed or cut in later steps.
Case Studies
1 2
Knowing IT’s existing ability to withstand and The business needs to be able to
recover from disaster provides a baseline communicate the amount of time and data it
from which all future DR enhancements can afford to loose in the event of a disaster
and/or downgrades can be made. in order to establish an initial target for DR
improvements.
3 4
Business desires must be validated by IT and the business must ensure that
balancing potential downtime losses with the capabilities are aligned with requirements and
cost of enhanced DR capabilities. that budgets are reasonable and can be
achieved.
“DRPs are never Answer a few simple questions in the “DR Recovery
completed; they’re always Objective Alignment and Cost Tool” and determine your
drafts as far as I’m organization’s current and recommended DR capability.
concerned.” Evaluation of Current DR Capability
Development and Operation appear below advising you to either continue with the assessment of your DR capabilities or not.
Instructions
1) Please answer the following questions by either choosing the most appropriate option from the drop-down box or by filling in the space provided.
2) Read the suggestion that appears in the highlighted box. If you decide to continue with the assessment, then click over to the next tab.
Question Response
This tool will assist you in For a given system (and ultimately for all systems) can IT articulate its RTO and RPO? Yes
For a given system (and ultimately for all systems) has the business's RTO/RPO expectation been validated (backed by business and IT
No
rationale)?
your DR plan are For a given system (and ultimately for all systems) are IT's and the business's figures in alignment?
Third Party
insufficient for your How many departments does your organization have?
How many outages would you estimate your organization experiences a year?
5
organizational needs. Approximately how many hours did each outage last?
25,000,000.00
Which of the following operation schedules best matches your organization? 8 hrs/day, 5 days/week
Results
Yes. Based on your responses to our questions, we recommend you spend more time developing your organization's Disaster Recovery capabilities. For more
information on how much time and how many resources, please refer to the "DRP Costing" tool. The business should have some idea of what RTOs and RPOs
they want in order to know if the ones IT offers are at all close to what the organization needs. IT's objectives may be needlessly high, creating unnecessary
expenses, or they may be too low, putting the company in jeopardy in the event of a disaster. If the business does not validate the RTOs and RPOs they set, then
their objectives are no more than just guesswork. Some systems, while critical to the organization's operations, can be temporarily replaced by manual processes
and are therefore do not require really short RTOs. Other systems may cost a lot to backup, making the expense of a short RPO unjustifiable despite the cost of
losing the data. The business must consider these factors when constructing their objectives in order to make sure they are valid requests. IT and business should
have matching RTOs and RPOs. Misalignment between the two indicates that either IT needs to put more resources towards improving the organization's DR
capabilities, business needs to make more realistic objectives, or there needs to be some compromise between the two.
Recovery
RecoveryTime
TimeObjective,
Objective,or
orRTO,
RTO,isisthe amount of time an organization can
the amount of time an organization can
afford to have its systems down (e.g. the organization's systems can be down no longer
afford to have its systems down (e.g. the organization's systems can be down no longer
than one hour).
than one hour).
Recovery
Recovery PointPoint Objective,
Objective, or or RPO,
RPO, isis the point in time beyond which an
the point in time beyond which an
organization cannot afford to lose information (e.g. the organization can afford to lose 24
organization cannot afford to lose information (e.g. the organization can afford to lose 24
hours data/processing)
hours data/processing)
$
Required Investment Increases
as RPO Decreases $$ Disaster $$ Required Investment Increases
as RTO Decreases $
Point
1 1 1 1 1 1
Week Day Hour Hour Day Week
RPO RPO RPO RTO RTO RTO
Info-Tech Research Group 19
The Basics of DR
Case Studies
Business Impact Assessments (BIA) gauge the approximate costs and frequency of
system downtime. Systems are then prioritized in terms of criticality, allowing organizations to
focus attention and resources where they will be best spent. BIAs should be done before
attempting to create any DR capabilities.
“We looked at descriptions of the divisions, what applications were used within
them, and how they broke themselves down in regards to criticality with
timeframes listing their priorities. We didn’t worry about price at this point; it was
just a matter of determining the levels of importance.”
- Senior Technical Support Specialist in the Government
RTO RTO
Current that that
RTO Bus. Bus.
wants Needs
RPO
BIA
RPO
DR
Current that that
RPO Bus. Bus.
wants Needs
“Business Impact
Analysis” tab will tell
Enter Estimated
Financial Cost Factors Definition Dollar Costs from
These Factors
then be compared to Increased Labor Costs Any additional work is going to require additional labor. This could be in the form of overtime shifts or extra
Per Day workers during regular shifts. Whatever the case, expenses are going to increase and the organization is $0.00
the amount spent on going to have to pay for these incremental costs.
DR. A large
Total Financial Impact
difference indicates Total Dollar Impact Projected Outage Costs Per Day $180,000.00
change.
DR Spend Per Year $50,000.00
Your current spend on DR is significantly lower than your financial risks from downtime. You may be under spending on
your DR capability.
Despite feeling satisfied, survey results showed that organizations that dedicated a larger percent of their
IT budget to DR actually had longer RPO and RTO averages, 35 hours and 44 hours respectively,
than organizations who dedicated smaller percentages to DR, who had a RPO average of 25 hours
and a RTO average of 32 hours. This goes to show that how money is spent is more important than
how much money is spent.
“One thing we’re only now realizing is the cost of the ripple effect.
Controlling the costs of both a primary and secondary location, with
data in both that needs to be aligned, can add up.”
- Manager of IT in Public Services
Info-Tech Research Group 26
The Basics of DR
Achieving the
Aligning IT and Business Balancing Costs
Compromise
Case Studies
If IT’s RPOs and RTOs are high than If IT’s RPOs and RTOs are lower than
the business’ needs, then the business’ needs,
organization is incurring a needless then the organization is still very
expense. vulnerable.
Often, IT will not have a DR budget big enough to meet all of the business’ DR
needs. In those cases, IT and the business will have to work together to find
the balance which, while not ideal, is good enough. Once business and IT have
decided on the organization’s RPOs and RTOs , IT must determine what
resources will be required; these include time, skills and money (for upfront and
ongoing costs).
“In our industry and IT sector, crisis happens anytime. Having a workable DR
that can be executed within the aligned time that the business group agreed
with IT, we can manage our expectation with our stakeholders and allocate
resources to identify problems and resume business operation if gaps happen.”
-Supervisor in Air Transportation
another set of
objectives are compared to each other and to data collected from comparable companies in order to suggest the most suitable average RTO and RPO
that matches the current DR spend.
but what set 2) Fill in the blank spaces in the "Recovery Objectives that the Business Wants" columns with the RTOs and RPOs that the business wants for each
department.
does the
3) Review where the gaps exist between what IT is offering and what the business wants.
organization
Recovery
Current IT Recovery
Objectives that
Objectives
Business Wants
This is not a
to what the business wants. to what the business wants.
This department's RTO is being This department's RPO is being
rhetorical
2 Finance 20% 8-23 hours 8-23 hours 4-7 hours 2-3 hours under-delivered by IT according under-delivered by IT according
to what the business wants. to what the business wants.
This department's RTO is being This department's RPO is being
question; use 3 Human Resources 20% 4-7 hours 4-7 hours 8-23 hours 8-23 hours over-delivered by IT according to over-delivered by IT according to
what the business wants. what the business wants.
Info-Tech’s tool 4 Sales 20% 2-3 hours 2-3 hours 1 hour 1 hour
This department's RTO is being
under-delivered by IT according
This department's RPO is being
under-delivered by IT according
answer.
5 Customer Service 20% 4-7 hours 8-23 hours 2-3 hours 2-3 hours under-delivered by IT according under-delivered by IT according
to what the business wants. to what the business wants.
Purpose
This reporting page summarizes the costs associated with the recovery objectives that IT provides, those that the business wants
and the recovery objectives that best match the current spend on DR.
Instructions
30%
1) Review this sheet and present these findings along with the business impact analysis to the business side. Try to reach a
consensus on the recovery objectives that best suit the organization's needs.
2) Use the following tab to record these aligned recovery objectives.
Initial IT Capability
Weighted RPO 4-7 hours
Weighted RTO 4-7 hours
If the organization wanted to deploy their DR capability through another channel while maintaining their current
recovery objectives they would have to spend the following percents of their IT budgets on DR.
In-house 2.78%
Third Party 5.00%
Co- Location 2.50%
If the organization wanted to deploy their DR capability through another channel while offering the recovery objectives
that the business wants they would have to spend the following percents of their IT budgets on DR.
In-house 9.00%
Third Party 16.20%
Co- Location 8.10%
Recommended Recovery Objectives Based on Current Losses Due to Downtime from BIA Calculations
Weighted RPO 1 hour
Weighted RTO 1 hour
Based on the yearly financial losses projected in the BIA, the organization's ideal DR spend would vary as follows
(please be advised that these suggestions are the "ideal" spends, IT and the business still need to decide if these are
appropriate or financially feasible):
In-house 12.00%
Third Party 21.60%
Co- Location 10.80%
Trigger Point:
What IT Provides Business Buy-In
Current DR Capabilities
Assessing your IT Capability:
Our Consulting & Fostering Organizational Awareness
DR Recovery Objective Alignment
Advisory Services and Readiness
& Cost Tool
Trigger Point:
What Business & IT Want What Business & IT Need
DR Wants & Needs
Trigger Point:
Balancing Costs Achieving Compromise
Aligning IT & Business
E-mail our Advisory Team to find out how we have helped other clients and
get your Disaster Recovery initiative started today! 37
Appendix