Disaster Recovery Planning: Your Company's Business Insurance
Written by Jeff Godlewski, CDW Technology Specialist
Protecting ourselves from the worst is human nature. Look no further than the various forms of insurance and protection we purchase for our cars, homes and health, as well as the constant struggle to safeguard our personal information each day, and you’ll see this is true. Shouldn’t business owners and IT managers treat their networks and critical infrastructure the same way? Despite the compelling imperative “protect your IT, or suffer the costly consequences,” the majority of small and medium-sized businesses (SMBs) under-invest in business continuity (BC) and disaster recovery (DR) planning, according to Gartner, Inc. Gartner estimates that only 35 percent of SMBs have a comprehensive disaster recovery plan in place and fewer than 10 percent of SMBs have crisis management, contingency, business recovery and business resumption plans.
Though often overlooked by SMBs, implementing a DR plan is absolutely critical. Should a natural or man-made disaster render an organization’s data inaccessible, it is likely the business will have to close its doors for good. According to Gartner, two out of five businesses that experience a disaster go out of business within five years. Moreover, Gartner found that 80 percent of mission-critical application service downtime is directly caused by people or process failures – not disasters or technology failure – meaning that DR plans are critical not only in a relatively rare emergency, but also in the organization’s day-to-day functions.
Establish a Downtime Threshold
Determining the recovery point objective (RPO) and recovery time objective (RTO) should be the first objective when building a DR plan. The RPO dictates the allowable data loss, while the RTO is the amount of time you can afford for application downtime – the maximum tolerable outage. If a disaster occurs, how much time can your business afford to lose? An hour? A day? A week? An organization that requires immediate recovery time will need to budget significantly more funds for DR than an organization that can afford to be down for a few days or a week. In the same fashion, a tight RPO is expensive, but businesses must weigh preventative expenditures against the potentially exorbitant cost of significant data loss. Identifying the RPO and RTO will help you allocate the appropriate resources and move forward accordingly.
If a business has difficulty establishing the RPO and RTO, a business impact analysis (BIA) can help. The basic assumption behind a BIA is that every element of the organization relies upon the continued functioning of every other element, but some elements are more crucial than others. The BIA prioritizes mission-critical data and systems and helps the organization allocate the appropriate resources for each component in case of a cataclysmic event. The BIA can also show both IT managers and business owners how much money they could lose by not implementing a DR plan.
Build the Disaster Recovery Plan
When the RPO and RTO are established, you are ready to build a DR plan. As you build the plan, keep these best practices top of mind:
Test the Disaster Recovery Plan
Once the downtime threshold is established and the DR plan is in place, organizations should engage in periodic testing. Testing equals time and money, so the frequency with which an organization can test depends on the DR budget. As a benchmark, businesses should test no less than twice annually. If it is impossible to test the entire system more than twice a year, organizations should also periodically test the most critical applications and systems. Further, tests should be conducted during busy seasons and should be unannounced to all but a few personnel in order to simulate the urgency of a real disaster. Lastly, IT managers should review the process after each test to establish what worked and what did not, so any errors can be rectified.
An effective disaster recovery plan is critical to business survivability. Every year, one out of 500 data centers will experience a disaster so severe that 43 percent will be unable to recover, according to research from the McGladrey and Pullen accounting firm. Another 29 percent will be forced to close within two years. Disaster recovery is business insurance you just can’t afford to live without.