Practical IT Research that Drives Measurable Results

Right-Size Enterprise
Disaster Recovery Capabilities

Info-Tech Research Group 1

 Executive Summary
• All organizations, needs some form of DR capabilities, or procedures and systems in place to
lead them back to operations after a disaster.

•Your organization must establish the DR it has, the DR it wants, and the DR it needs. Info-
Tech has looked at what other companies have done and will provide you with the do’s and
don’ts when tackling DR:
• Measure your organization’s current DR capabilities
• Get business buy-in to establish appropriate DR priorities
• Separate DR wants from DR needs
• Set relevant and realistic objectives for your organization’s DR capabilities
• Plan for the cost of realizing your chosen DR objectives

•All DR scoping projects are comprised of three phases, move through these phases in a
timely manner to reduce the time spent on planning your DR capability:
1. Determine the current DR capability which IT can provide
2. Know what DR capabilities the business wants
3. Align the business’ and IT’s DR priorities

Info-Tech Research Group 2

 Introduction
• All companies have some form of Disaster Recovery (DR) capability in place whether they
realize it or not. Depending on the size and needs of the company, DR capabilities can
range from having an employee backing up the company’s files once a month to having a
fully documented and tested plan in place.
• If the IT and the business side of an organization are in alignment with their DR desires,
needs, and priorities, then the current plan may be well-suited to the organization.
However, organizations rarely have proper DR capabilities in place.
• Many organizations make the mistake of having inappropriate DR capabilities. Having too
much DR capability means the organization is overspending and having too little means
the organization is still vulnerable in the event of a disaster. Make sure that DR capability
is a good fit with the organization’s actual needs.
• It is often hard to settle on what amount of DR capability your organization needs. This
solution set will walk you through the right-sizing phase of your DR project quickly and
will address all the relevant areas:
• The Basics
• Current DR Capabilities
• DR Wants and Needs
• Aligning IT and Business
• Case Studies
• Once the organization’s appropriate DR objectives are agreed upon, IT can begin
planning their development.
Info-Tech Research Group 3
 The Basics The Definition The Value DR vs. BC

Determining IT’s Current DR Capabilities

Finding and Validating the Business’ DR Wants

Aligning DR in IT and Business

Case Studies

Info-Tech Research Group 4

 Without some level of DR capability, the odds are
overwhelming that your business won’t survive a disaster
DR concerns the safety and restoration of an
organization’s technology infrastructure in the
event of a disaster. There should be some
level of disaster recovery in place at every
organization. DR will return the business to
normal operations after anything from a
natural disaster to a serious security breach.

Research shows:
 
• 6% of companies which suffer a
catastrophic data loss recover and
survive,
• 43% never reopen,
• 51% close within two years of
reopening. DR focuses on the recovery of IT
  services, systems, data facilities
Source: University of Texas and staff.

Info-Tech Research Group 5

Disaster Recovery focuses on IT, Business Continuity concerns
the entire company. Don’t confuse the two.
Business Continuity Disaster Recovery

•A set of procedures that •A subset of BC that

organizations can adopt in addresses the IT elements
an effort to minimize the of continuity such as data,
Business Continuity
impact that an outage has application, and
on all aspects of a business infrastructure recovery

•Incorporates organizational •Reactionary set of

and human resources issues procedures that take place
such as communications once a disaster has struck
plans and crisis management Disaster
Recovery •The IT side of an
•The business side of an organization is responsible
organization is responsible for its DR
for its Business Continuity

DR and BC initiatives should complement each other; a good DR plan relies on a good BC
plan and vice versa. Ensure that the DR and BC teams work closely together to ensure
success.

For more information on the differences between DR and BC, please refer to the note,
“Draw the Line Between Disaster Recovery and Business Continuity.”
Info-Tech Research Group 6
 Organizations attribute their failure to develop disaster
recovery capabilities to multiple factors
Organizations listed business buy-in, time, and money as the main reasons
why they had yet to develop their disaster recovery capabilities.

“Cost and always

something else to do…”
-VP in Public Administration

“The organization didn't

have an IS executive in
place and it wasn't
considered a company
priority until recently. “
- VP in Wireless Telecom
Carriers

“3 blind monkeys - haven't seen a disaster, won't hear of a disaster, refuse to

talk of a disaster. Strong plans have existed and been undermined over time
due to lack of executive support. Some departments have maintained robust
procedures, yet others are becoming weak links.“
Info-Tech Research Group -Manager in Publishing Industry 7
No matter how lucky you are, disasters occur. Everyone is
vulnerable and can benefit from some preparation.
DR only becomes useful when
all else has gone horribly
wrong.
It would be best for an organization if
the value of its DR capabilities is
never truly realized. However, having
DR ensures that an organization can
(and knows how to) survive a
disaster. If an organization invests a
little now, it won’t lose nearly as
much later.
“It’s a relatively cheap insurance
policy.”
- Director in Consulting
Info-Tech Research Group
“In business, the disaster isn't the act of
God or fire that destroys property, but
the loss of data and the inability to
continue operations - THAT is the
business disaster.“
-Manager in the Publishing Industry
Unless you live in an
impenetrable bubble, you will
benefit from DR.
Every organization that operates on the
planet is at risk from one type of
disaster or another. An organization will
find DR valuable whenever the cost of
losing its IT operations is greater than
the cost of creating and maintaining its
DR capabilities.
8
 Downtime costs money. If you know how much, then you
know how urgently the organization must avoid it.
There are several ways in which downtime may cost your organization money:
Loss of Revenue
If the organization is unable to sell product or fulfill orders, then it is losing revenue. This
could be the result of an interruption in the shipping process or of the channel through which
sales are made (building, website, etc.) being inaccessible to customers.

Loss of Productivity
The system is down, causing a production shift to stand around or "make work" to keep busy
rather than doing their normal jobs. Since staff still have to be paid, this time is considered a
loss.

Increased Labor Costs

Any additional work is going to require additional labor. This could be in the form of
overtime shifts or extra workers during regular shifts. Whatever the case, expenses are
going to increase and the organization is going to have to pay for these incremental costs.

Increased Operations Costs

If additional work has to be done in order to make up for lost time, then operating costs,
such as utility costs, are likely to increase. These expenses are separate from labor and have
more to do with keeping the company open longer or working at a higher capacity.

What costs are relevant, and to what degree they impact the organization, is dependent
upon the specific system that is down and its function within the business.
Info-Tech Research Group 9
There are three stages in DR Scoping; each is driven by a
different group of stakeholders
Step 1: Assess Current IT Capabilities
• Prior to creating DR capabilities, know what degree of DR capability IT currently has.
• Know when IT can bring systems back online and to what point IT can recover data.
• Understand the infrastructure that is currently used to support recovery abilities.
• Once you know what resources IT currently has, it’s easier to identify potential areas that
should be developed or cut in later steps.

Step 2: Establish and Validate the Business’ Wants

• The business side needs to be able to define when it wants systems back online and to what
point it wants data recovered.
• The validity of these wants can be established by asking these questions:
• What systems are most important to the business?
• Are there manual processes which can temporarily replace these systems?
• How much does downtime cost the business?

Step 3: Aligning IT’s Capabilities and the Business Needs

• Ensure that what IT provides and what the business side wants are aligned.
• Avoid discrepancies between the two groups; negotiate to find the right compromise.
• IT should be able to explain the costs of attaining various objectives.
• The business side should be able to explain the potential downtime costs various objectives
are meant prevent.
• Once both sides of the puzzle are understood, the organization can settle on a balance.

Info-Tech Research Group 10

 The Basics of DR

Current DR Capabilities What IT provides Business Buy-In

Finding and Validating the Business’ DR Wants

Aligning DR in IT and Business

Case Studies

Info-Tech Research Group 11

All organizations have some form of DR capability; determine
if you need to spend more time on DR

If the answer to any of the questions above is "No", your organization

needs to spend more time on DR.
The “DR Recovery Objective Alignment and Cost Tool” will walk you
through these questions and help you determine if you need to spend
Info-Tech Research Group
more time on DR. 12
The legend below appears on the slides ahead to remind you
of where you are in the DR scoping process.

1 2
Knowing IT’s existing ability to withstand and The business needs to be able to
recover from disaster provides a baseline communicate the amount of time and data it
from which all future DR enhancements can afford to loose in the event of a disaster
and/or downgrades can be made. in order to establish an initial target for DR
improvements.

3 4
Business desires must be validated by IT and the business must ensure that
balancing potential downtime losses with the capabilities are aligned with requirements and
cost of enhanced DR capabilities. that budgets are reasonable and can be
achieved.

Info-Tech Research Group 13

 Business buy-in should be collected throughout the
project; it is crucial for establishing proper DR goals
•Without understanding where the business’
needs begin and end, IT will be blindly
assembling disaster recovery objectives.
•The organization will either waste money on
unneeded DR or, won’t be fully prepared for
disasters.
Buy-in is not as elusive as you might
imagine, but here are some tips just
in case:
•Many organizations have found that simply
explaining DR’s relevance to the business and
the company’s survivability goes a long way in
generating buy-in.
•If you have trouble getting buy-in from the
business group, try focusing on one key
individual. If you can win over a business
leader and have them champion DR to the rest
of the departments, then the process should be
much smoother.
Info-Tech Research Group
“We absolutely had difficulty getting buy-
in, no one has time for something that
may never happen. You just have to
explain it to them, and eventually
executives come around, however
reluctantly.”
– IT Director in Real Estate Development and
Operation
Case Study
A consulting company went so far as to place an
executive from the business side of the
organization in charge of the DR initiative in order
to get buy-in for the project from both IT and the
business. Due to his connections with other
business stakeholders and the relevance of the
project to IT, the executive was able to collect
input from both sides and build the
organization’s DR capabilities to the satisfaction
of all involved.
14
 You can’t know which direction your organization
should head in until you know where it stands.
Knowing what recovery infrastructure
and systems are in place is the first
step in understanding how your
organization can improve recovery
times. If you know what you currently
have, then it’s much easier to identify
what you still need. Moreover, a review
of your organizations’ resources may
also identify what can be cut, and
thereby save your organization from
some unnecessary expenses.
“Not having DR is like gambling on a
game you are certain to lose long-
term.”
-Director in Real Estate Property
Management
Info-Tech Research Group
Milestones on the
Path to Understanding
What is IT currently doing?
Are there multiple data centers? How often is data
backed up? What are the general practices around
storing data and fixing technology problems?
Whether IT realizes it or not, aspects of DR might
already be incorporated into their standard
operating procedures.
How do these practices translate into
measurable statistics?
Once IT recognizes what’s being done, it becomes
a matter of recording how effective those practices
are.
Recovery objectives, which are defined on the
on slide 17, are a useful metric for determining
effectiveness.
15
 Maybe you need to spend more time on DR. Here’s a
tool to find out.

“DRPs are never Answer a few simple questions in the “DR Recovery
completed; they’re always Objective Alignment and Cost Tool” and determine your
drafts as far as I’m organization’s current and recommended DR capability.
concerned.” Evaluation of Current DR Capability

– IT Director in Real Estate Purpose

This section is meant to collect some basic information concerning your organization's DR capabilities. Once you have completed the section, a suggestion should

Development and Operation appear below advising you to either continue with the assessment of your DR capabilities or not.

Instructions
1) Please answer the following questions by either choosing the most appropriate option from the drop-down box or by filling in the space provided.
2) Read the suggestion that appears in the highlighted box. If you decide to continue with the assessment, then click over to the next tab.

Question Response

This tool will assist you in For a given system (and ultimately for all systems) can IT articulate its RTO and RPO? Yes

defining which areas of

For a given system (and ultimately for all systems) has the business provided their RTO/RPO expectation? No

For a given system (and ultimately for all systems) has the business's RTO/RPO expectation been validated (backed by business and IT
No
rationale)?

your DR plan are For a given system (and ultimately for all systems) are IT's and the business's figures in alignment?

Please specify how your organization's current DR capability is delivered.

No

Third Party

insufficient for your How many departments does your organization have?

How many outages would you estimate your organization experiences a year?
5

organizational needs. Approximately how many hours did each outage last?

What's your annual revenue? $

2

25,000,000.00

What is your annual IT budget? $ 1,000,000.00

What percent of your annual IT budget is spent on DR? 5%

Which of the following operation schedules best matches your organization? 8 hrs/day, 5 days/week

Results

Yes. Based on your responses to our questions, we recommend you spend more time developing your organization's Disaster Recovery capabilities. For more
information on how much time and how many resources, please refer to the "DRP Costing" tool. The business should have some idea of what RTOs and RPOs
they want in order to know if the ones IT offers are at all close to what the organization needs. IT's objectives may be needlessly high, creating unnecessary
expenses, or they may be too low, putting the company in jeopardy in the event of a disaster. If the business does not validate the RTOs and RPOs they set, then
their objectives are no more than just guesswork. Some systems, while critical to the organization's operations, can be temporarily replaced by manual processes
and are therefore do not require really short RTOs. Other systems may cost a lot to backup, making the expense of a short RPO unjustifiable despite the cost of
losing the data. The business must consider these factors when constructing their objectives in order to make sure they are valid requests. IT and business should
have matching RTOs and RPOs. Misalignment between the two indicates that either IT needs to put more resources towards improving the organization's DR
capabilities, business needs to make more realistic objectives, or there needs to be some compromise between the two.

Info-Tech Research Group 16

 RTO and RPO are the building blocks of DR

Recovery
RecoveryTime
TimeObjective,
Objective,or
orRTO,
RTO,isisthe amount of time an organization can
the amount of time an organization can
afford to have its systems down (e.g. the organization's systems can be down no longer
afford to have its systems down (e.g. the organization's systems can be down no longer
than one hour).
than one hour).
Recovery
Recovery PointPoint Objective,
Objective, or or RPO,
RPO, isis the point in time beyond which an
the point in time beyond which an
organization cannot afford to lose information (e.g. the organization can afford to lose 24
organization cannot afford to lose information (e.g. the organization can afford to lose 24
hours data/processing)
hours data/processing)

RTOs and RPOs are the metrics which set the

level of your organization’s DR capability.

RTOs and RPOs vary depending on the needs of

the organization and the criticality of the
system/data they are relevant to; they can
range from less than an hour to more than a
week.
Info-Tech Insight:
Off-site back up does NOT result in RTOs and RPOs of zero hour. Unless data is
streamed to redundant facilities and simultaneously processed, outages can still occur.
Info-Tech Research Group 17
 Organizations care more about reducing data loss
than restoring system operations

For most organizations,

limiting data lost during a
disaster is more important
than minimizing downtime.
This is likely because so
much of a business’ day to
day activities rely on the
data.

It’s cheaper and easier

to support longer
recovery objectives.
The percent of the
yearly IT budget that is
spent on DR decreases
as RTOs and RPOs
increase.

Info-Tech Research Group 18

 Shorter RTOs and RPOs provide greater protection,
but at a greater cost. The inverse also applies.

When an organization When an organization

decreases its RPOs decides it can afford to
“We must prepare for the
and RTOs, it will need to increase its RPOs and
worst and hope for the
increase its DR budget RTOs, it can decrease
best, but it is a balancing
to procure and maintain its DR budget because
act as to how much you
more infrastructure and it needs to procure and
spend on insurance.”
policies to support the maintain less
-Manager in Chemical
new objectives. infrastructure and create
Manufacturing
fewer policies to support
the new objectives.

$
Required Investment Increases
as RPO Decreases $$ Disaster $$ Required Investment Increases
as RTO Decreases $
Point

1 1 1 1 1 1
Week Day Hour Hour Day Week
RPO RPO RPO RTO RTO RTO
Info-Tech Research Group 19
 The Basics of DR

Determining IT’s Current DR Capabilities

DR Wants and Needs What Business Wants What Business Needs

Aligning DR in IT and Business

Case Studies

Info-Tech Research Group 20

 Even moderate business involvement will make DR
projects much more time effective
In emergencies, organizations need to get
critical systems up and running as fast as
possible. The business side plays a key role in
determining exactly which systems are
critical, and which are secondary.

“A balance is needed between spend and

potential impact - this depends on
business criticality and so it is entirely
down to the business leaders to decide.
IT can assist in optimizing the DR
solution so resources aren’t wasted.”
-Manager in Other Services
Info-Tech Research Group 21
 The Business Impact Assessment is an important
step in building proportionate DR capabilities

Business Impact Assessments (BIA) gauge the approximate costs and frequency of
system downtime. Systems are then prioritized in terms of criticality, allowing organizations to
focus attention and resources where they will be best spent. BIAs should be done before
attempting to create any DR capabilities.
“We looked at descriptions of the divisions, what applications were used within
them, and how they broke themselves down in regards to criticality with
timeframes listing their priorities. We didn’t worry about price at this point; it was
just a matter of determining the levels of importance.”
- Senior Technical Support Specialist in the Government
RTO RTO
Current that that
RTO Bus. Bus.
wants Needs

RPO
BIA
RPO
DR
Current that that
RPO Bus. Bus.
wants Needs

Info-Tech Research Group 22

 BIAs help the business side determine what DR
capabilities they actually need
How is the BIA used? Case Study
The business side of an organization wanted very
low recovery objectives, all within one hour of a
disaster. These recovery objectives would require
the organization to make an initial investment of
$1,000,000 to increase its infrastructure and pay
annual maintenance expenses of $100,000. IT felt
that the business’ expectations were too high and
that recovery objectives within 8 hours were more
suitable with an initial investment of $250,000
and an annual cost of $30,000.

IT performed a BIA and the business’

approximate losses per year due to downtime
amounted to $60,000. With this information, IT
was able to show the business that recovery
objectives of less than an hour were not needed
or financially justifiable for the organization.

“People who haven’t created a DRP

are just one disaster away from
making the change.”
- Director in Consulting
Info-Tech Research Group 23
 The Business Impact Analysis tool is a fast way of
figuring out how much downtime is costing you
You have read about the ways in which downtime can cost your organization
money. The next step is to calculate how much money your organization actually
loses to downtime.
Business Impact Analysis

In the “DR Recovery Purpose

Used to identify the approximate cost of downtime in a 24 hour period and over a year.

Objective Alignment Instructions

1. Complete this tool by entering in the estimated dollar costs per 24 hour period for each of the factors in the white cells below. Refer to the definitions for any

and Cost Tool”, the

clarification needed.
2. Your answers will be totaled in "Total Financial Impact" section below, an analysis of how appropriate your current DR spend is will also be presented (this
does not factor RTOs and RPOs into the calculation).

“Business Impact
Analysis” tab will tell
Enter Estimated
Financial Cost Factors Definition Dollar Costs from
These Factors

you what kind of Loss of Revenue Per

Day
If the organization is unable to sell product or fulfill orders due to the business unit being down, then the
organization is losing revenue. This could be the result of an interruption in the shipping process or of the $125,000.00

annual losses you

channel through which sales are made (building, website, etc) being inaccessible to customers.
Loss of Productivity The system is down, causing a production shift to stand around or "make work" to keep busy rather than
doing their normal jobs. Order entry staff can’t take orders if the phones are down or their online systems
can expect due to
Per Day
$45,000.00
aren’t available. Production staff can’t produce the product if the production line isn’t functioning. Since staff
still have to be paid, this time is considered a loss.

downtime, which will Increased Operating

Costs Per Day
If additional work has to be done in order to make up for lost time, then operating costs, such as utility costs,
are likely to increase. These expenses are separate from labor and have more to do with keeping the
company open longer or working at a higher capacity.
$10,000.00

then be compared to Increased Labor Costs Any additional work is going to require additional labor. This could be in the form of overtime shifts or extra
Per Day workers during regular shifts. Whatever the case, expenses are going to increase and the organization is $0.00

the amount spent on going to have to pay for these incremental costs.

DR. A large
Total Financial Impact

difference indicates Total Dollar Impact Projected Outage Costs Per Day $180,000.00

there is a need for

Total Projected Outage Costs Per Year $270,000.00

change.
DR Spend Per Year $50,000.00

Your current spend on DR is significantly lower than your financial risks from downtime. You may be under spending on
your DR capability.

Info-Tech Research Group 24

 While bigger budgets might not guarantee shorter
RPOs and RTOs, they do raise DR satisfaction
Organizations that have
dedicated a larger percent of
their IT budget to DR were
44% more likely to have
been more satisfied with
their performance during an
actual disaster than those
with smaller DR budget
percentages.

The organizations with

larger budget percentages
were also 33% more likely
to reach their RTOs and
RPOs than less DR-
endowed organizations.

Info-Tech Research Group 25

 Explain the costs associated with DR so the business
can make informed decisions
Costs associated with Disaster Recovery:

1)Infrastructure investments (ranging from new hardware to

One Time redundant data centers)
Costs 2)Software investments
3)Training for IT staff
4)Cost of educating and training end users
5)Testing
Ongoing
6)Modifications to plan (to reflect any organizational changes,
Costs
changes to software, infrastructure and business needs)

Despite feeling satisfied, survey results showed that organizations that dedicated a larger percent of their
IT budget to DR actually had longer RPO and RTO averages, 35 hours and 44 hours respectively,
than organizations who dedicated smaller percentages to DR, who had a RPO average of 25 hours
and a RTO average of 32 hours. This goes to show that how money is spent is more important than
how much money is spent.

“One thing we’re only now realizing is the cost of the ripple effect.
Controlling the costs of both a primary and secondary location, with
data in both that needs to be aligned, can add up.”
- Manager of IT in Public Services
Info-Tech Research Group 26
 The Basics of DR

Determining IT’s Current DR Capabilities

Finding and Validating Business’ DR Wants

Achieving the
Aligning IT and Business Balancing Costs
Compromise

Case Studies

Info-Tech Research Group 27

 Misalignment between IT’s current capabilities and
the business’ validated needs is a fixable problem

If IT’s RPOs and RTOs are high than If IT’s RPOs and RTOs are lower than
the business’ needs, then the business’ needs,
organization is incurring a needless then the organization is still very
expense. vulnerable.

Often, IT will not have a DR budget big enough to meet all of the business’ DR
needs. In those cases, IT and the business will have to work together to find
the balance which, while not ideal, is good enough. Once business and IT have
decided on the organization’s RPOs and RTOs , IT must determine what
resources will be required; these include time, skills and money (for upfront and
ongoing costs).
“In our industry and IT sector, crisis happens anytime. Having a workable DR
that can be executed within the aligned time that the business group agreed
with IT, we can manage our expectation with our stakeholders and allocate
resources to identify problems and resume business operation if gaps happen.”
-Supervisor in Air Transportation

Info-Tech Research Group 28

 Until IT and the business have agreed on DR goals,
work cannot start on improving DR capabilities
The Cycle of Alignment
Aligning IT and the business’ RTOs and RPOs can
Establish Budget/Costs be a difficult task. Companies generally rotate
through three phases before they can actually
DR cannot be gifted with infinite
resources, so organizations must put begin to create a DR Capability. Avoid getting
the resources that are available to stuck in the cycle.
their best use. Review the list of
priorities the business side has
generated and the options currently
open to the organization and then
distribute the budget in proportion
to goals. Accept or Reject
Once the budget has been drafted Begin Building DR
and IT has an idea of what is Once the situation is understood and
attainable, share the knowledge the details are agreed upon, the real
once more with the business side. work will finally begin.
Once they see the realities available
to them, they may want to re-think
Healthy Debate some of their decisions.
It is critical to keep the business
side involved in forming the final
RTOs and RPOs, though finding a Minimize the time spent on aligning IT and the
set you both agree on may not be business’ wants to expedite the process. Ensure
the easiest task.
that the business and IT keep the lines of
communication open and that both parties are
willing to hear each other’s opinions.

Info-Tech Research Group 29

 Use Info-Tech’s “Ideal RPO and RTO Calculator” tool
to align your organization’s recovery objectives
Use the “Comparison of Business and IT Recovery
Objectives” tab. Enter both IT’s and the business’ RTOs and
IT can provide a RPOs, examine the comparison, and then enter the
set of RPOs and compromise.
RTOs, and Comparison of Business and IT Recovery Objectives

business wants Purpose

The purpose of this section is to record the RTOs and RPOs that IT can provide and that the business wants for every department. These recovery

another set of
objectives are compared to each other and to data collected from comparable companies in order to suggest the most suitable average RTO and RPO
that matches the current DR spend.

RPOs and RTOs, Instructions

1) Fill in the blank spaces in the "Current IT Recovery Objectives" columns with the RTOs and RPOs that IT can provide for each department.

but what set 2) Fill in the blank spaces in the "Recovery Objectives that the Business Wants" columns with the RTOs and RPOs that the business wants for each
department.

does the
3) Review where the gaps exist between what IT is offering and what the business wants.

organization
Recovery
Current IT Recovery
Objectives that
Objectives
Business Wants

need? Department Weighting

RTO
(hours)
RPO
(hours)
RTO
(hours)
RPO
(hours)
RTO Comparison RPO Comparison

This department's RTO is being This department's RPO is being

1 Marketing 20% 4-7 hours 4-7 hours 2-3 hours 1 hour under-delivered by IT according under-delivered by IT according

This is not a
to what the business wants. to what the business wants.
This department's RTO is being This department's RPO is being

rhetorical
2 Finance 20% 8-23 hours 8-23 hours 4-7 hours 2-3 hours under-delivered by IT according under-delivered by IT according
to what the business wants. to what the business wants.
This department's RTO is being This department's RPO is being
question; use 3 Human Resources 20% 4-7 hours 4-7 hours 8-23 hours 8-23 hours over-delivered by IT according to over-delivered by IT according to
what the business wants. what the business wants.

Info-Tech’s tool 4 Sales 20% 2-3 hours 2-3 hours 1 hour 1 hour
This department's RTO is being
under-delivered by IT according
This department's RPO is being
under-delivered by IT according

to find an to what the business wants.

This department's RTO is being
to what the business wants.
This department's RPO is being

answer.
5 Customer Service 20% 4-7 hours 8-23 hours 2-3 hours 2-3 hours under-delivered by IT according under-delivered by IT according
to what the business wants. to what the business wants.

Info-Tech Research Group 30

 Use the “Cost of Maintaining Recovery Objectives”
tab to align your organization’s objectives
Companies generally miscalculate the percent of their IT budget that will be
spent on DR. According to our survey, actual costs average 30% more than
organizations predict. Use this tool to determine the percent of the IT budget
your organization should invest in DR.

Costs of Maintaining Recovery Objectives

Purpose
This reporting page summarizes the costs associated with the recovery objectives that IT provides, those that the business wants
and the recovery objectives that best match the current spend on DR.

Instructions

30%
1) Review this sheet and present these findings along with the business impact analysis to the business side. Try to reach a
consensus on the recovery objectives that best suit the organization's needs.
2) Use the following tab to record these aligned recovery objectives.

Initial IT Capability
Weighted RPO 4-7 hours
Weighted RTO 4-7 hours

Current Spend on DR is 5% of annual IT Budget

If the organization wanted to deploy their DR capability through another channel while maintaining their current
recovery objectives they would have to spend the following percents of their IT budgets on DR.
In-house 2.78%
Third Party 5.00%
Co- Location 2.50%

Initial Requests by Business

Weighted RPO 2-3 hours
Weighted RTO 2-3 hours

If the organization wanted to deploy their DR capability through another channel while offering the recovery objectives
that the business wants they would have to spend the following percents of their IT budgets on DR.
In-house 9.00%
Third Party 16.20%
Co- Location 8.10%

Recommended Recovery Objectives Based on Current Losses Due to Downtime from BIA Calculations
Weighted RPO 1 hour
Weighted RTO 1 hour

Based on the yearly financial losses projected in the BIA, the organization's ideal DR spend would vary as follows
(please be advised that these suggestions are the "ideal" spends, IT and the business still need to decide if these are
appropriate or financially feasible):
In-house 12.00%
Third Party 21.60%
Co- Location 10.80%

Info-Tech Research Group 31

 Summary
In this deck, you have:
• assessed your organization’s current DR capabilities,
• obtained the business’ priorities,
• kept the business involved while IT balanced their wants and their costs, arriving at the
organization’s needs,
• and learned the approximate budget those DR objectives require.
These are the steps all organizations need to take when scoping their appropriate DR
capabilities; follow them to lead your company to stable ground.
The next phase of the DR project is the actual planning.
It is time to get down to the details, answering questions like:
Will your organization create its disaster recovery plan (DRP) in-house or will it outsource the creation?
•If you decide to take the in-house route, it might help to know that: 75% of organizations create
their plans in-house and, on average, plans take 9 months to complete.
•If you decide to outsource, it might help to know that: outsourcing plans is expensive, costing
anywhere from $20,000 to hundreds of thousands of dollars.
What facilities will your organization use for the DRP’s continual support?
•After you have built your organization’s DR capability, you still need to sustain it. Determine if your
DR capability should be hosted in-house, through a third party or through co-location facility.
You have an idea of your goals and your budget, but you still need to decide where exactly you will be
spending your time and money in order to make those goals a reality. Refer to the Appendix for more
information on how an actual DRP can be broken down.
Info-Tech Research Group 32
 The Basics of DR

Determining IT’s Current DR Capabilities

Finding and Validating Business’ DR Wants

Aligning IT and Business

Building the DR Continually Maintaining DR

Case Studies
Capability Improving DR Capability

Info-Tech Research Group 33

 Public Services organization begins to build its DR
Company Profile at a Glance
Industry Public Services
Combination of third-party
DR Vendors
and in-house.
Cost 5%-10% of IT budget
Current DR Capability
• The organization is only beginning to create its
Disaster Recovery capabilities.
• The organization has seventeen locations it needs
to maintain and one of its main priorities is to
ensure that they all remain connected during an
emergency.
• They brought in a consultant to do a BIA and
help establish DR objectives for each system.
• Though they have just begun , they already have
established a RPO of the previous night and a
RTO of the next day for their most critical
system.
Info-Tech Research Group
DR Planning Experiences
• Vendors don’t always deliver on what they claim
to be offering. Costs can add up fast on these
kinds of projects if you don’t have a clear idea of
what you want and how you are going to get it,
and that goes double for when you’re dealing
with vendors.
Business Involvement in DR
Capability
• The business side was very involved in the
creation of the organization’s DR capabilities.
• The DR project actually sprung out of the BC
project the business side was currently doing.
DR Capability Put to the Test
• No real disasters as of yet, but they will continue
to prepare for the worst.
34
 Government agency continually improves DR capability
Company Profile at a Glance
Industry Government
Sunguard for BIA, actual DR
DR Vendors
creation was in-house
Cost $10M-$15M
Current DR Capability
• Disaster Recovery is formally documented in the
agency. There are binders at the DR site and with
each of the managers. The DR plan also resides
on an internal website for all staff to access.
• The current plan focuses on IT and business
infrastructure. The next iterations of the plan will
include more aspects of the business.
• The DR plan is tested rigorously every year. Also,
when applications are reconfigured or new
applications are acquired, tests are performed to
ensure that no other parts of the DRP are
affected.
Info-Tech Research Group
DR Planning Experiences
• The current DR capability is regarded as being
40% done; it has taken 5 years and $5-10 Million
to get this far. The agency estimates that the plan
will take another 5 years and $5-10 Million to
complete.
Business Involvement in DR
Capability
• The business was heavily involved in creating the
Disaster Recovery capability in the organization.
• IT did not have to coerce the business to
participate in the DR exercise.
DR Capability Put to the Test
• The current DR plan has gone through one real
life test. An application was lost and the DR plan
needed to be enacted in order to get the
application running again.
35
Consulting company knows how to maintain its DR capabilities
Company Profile at a Glance
Industry Consulting
Created in-house, but
DR Vendors
supported on-site and off-site
Cost $50,000/year
Current DR Capability
• Disaster Recovery is formally documented both
in binders and electronically.
• The DR plan is thoroughly tested in all kinds of
ways. They have done simple tabletop tests, more
complicated simulation tests, and even an actual
recovery test.
• Different recovery objectives have been set
depending upon the criticality of the systems;
objectives range from two weeks to
instantaneous recovery (through mirroring).
Info-Tech Research Group
DR Planning Experiences
• Make sure you know your objectives and
priorities when building your DR capabilities,
and don’t get tied up in all the little details. When
you are talking about disaster recovery, you’re
talking about survival, not about getting
everything perfect.
Business Involvement in DR
Capability
• The business side was involved in the DR
creation as soon as DR’s importance was
explained to them in relatable terms.
DR Capability Put to the Test
• Before they built their DR capabilities, the
organization had a power outage. They lost
connectivity to the outside world and failover
didn’t turn on. That’s what inspired them to
improve their DR. Now, the organization goes
through outages unaffected.
36
 Need additional support?
Info-Tech goes beyond just providing research: You can either speak directly with an analyst
or advisor and/or evaluate on-site consulting services to help your team achieve results.

Trigger Point: Disaster Recovery vs.

The Definition The Value
The Basics Business Continuity

Our Consulting & Establishing common Business case Clarification of scope

Advisory Services understanding development and responsibilities

Trigger Point:
What IT Provides Business Buy-In
Current DR Capabilities
Assessing your IT Capability:
Our Consulting & Fostering Organizational Awareness
DR Recovery Objective Alignment
Advisory Services and Readiness
& Cost Tool

Trigger Point:
What Business & IT Want What Business & IT Need
DR Wants & Needs

Our Consulting &

Business Impact Assessment DRBC Organizational Prioritization
Advisory Services

Trigger Point:
Balancing Costs Achieving Compromise
Aligning IT & Business

Our Consulting & Commitment on Budget

Executive Roadmap & Timeline
Advisory Services for DRBC Priority Areas

E-mail our Advisory Team to find out how we have helped other clients and
get your Disaster Recovery initiative started today! 37
 Appendix

Info-Tech Research Group 38

 What are the components of a disaster recovery plan?
DRPs can be split into two main parts: Strategic and Tactical
The Strategic Components The Tactical Components

1. Disaster Recovery Policies & 1. Disaster Recovery Technical Overview

Management Procedures 2. Vendor & Corporate Contacts
2. Disaster Recovery Time Objectives 3. “How To” Recovery Procedures for
(RTO) & Recovery Point Objectives (RPO) “Critical” Services, Systems, & Data
3. Disaster Recovery Goals, Assumptions, 4. Security Incident Response Procedures
& Strategies 5. “Return to Normal Operations”
4. Disaster Recovery Communications Procedures
Plan
5. Disaster Recovery Team Roles &
Responsibilities
6. Disaster Assessment Procedures
7. Disaster Declaration Authority &
Declaration Procedures
8. DR Command Center & Recovery
Logistics Management

Info-Tech Research Group 39