This document discusses right-sizing disaster recovery capabilities for organizations. It recommends determining an organization's current disaster recovery capabilities, getting business buy-in to establish appropriate priorities, and separating wants from needs. The document outlines a three-phase process for disaster recovery scoping: 1) assess current IT capabilities, 2) establish and validate business wants, and 3) align IT capabilities with business needs. It provides tips for getting business buy-in and measuring the costs and impacts of downtime to help organizations determine appropriate recovery objectives.

1. Right-Size Enterprise Disaster Recovery Capabilities 1 Info-Tech Research Group

3. Your organization must establish the DR it has, the DR it wants, and the DR it needs. Info-Tech has looked at what other companies have done and will provide you with the do’s and don’ts when tackling DR:

4. Measure your organization’s current DR capabilities

5. Get business buy-in to establish appropriate DR priorities

6. Separate DR wants from DR needs

7. Set relevant and realistic objectives for your organization’s DR capabilities

8. Plan for the cost of realizing your chosen DR objectives

9. All DR scoping projects are comprised of three phases, move through these phases in a timely manner to reduce the time spent on planning your DR capability:Determine the current DR capability which IT can provide Know what DR capabilities the business wants Align the business’ and IT’s DR priorities

11. If the IT and the business side of an organization are in alignment with their DR desires, needs, and priorities, then the current plan may be well-suited to the organization. However, organizations rarely have proper DR capabilities in place.

12. Many organizations make the mistake of having inappropriate DR capabilities. Having too much DR capability means the organization is overspending and having too little means the organization is still vulnerable in the event of a disaster. Make sure that DR capability is a good fit with the organization’s actual needs.

13. It is often hard to settle on what amount of DR capability your organization needs. This solution set will walk you through the right-sizing phase of your DR project quickly and will address all the relevant areas:

14. The Basics

15. Current DR Capabilities

16. DR Wants and Needs

17. Aligning IT and Business

18. Case Studies

19. Once the organization’s appropriate DR objectives are agreed upon, IT can begin planning their development.Info-Tech Research Group 3

20. Info-Tech Research Group 4

22. 43% never reopen,

23. 51% close within two years of reopening. Source: University of Texas DR focuses on the recovery of IT services, systems, data facilities and staff.

25. Reactionary set of procedures that take place once a disaster has struck

27. Incorporates organizational and human resources issues such as communications plans and crisis management

28. The business side of an organization is responsible for its Business ContinuityBusiness Continuity Disaster Recovery DR and BC initiatives should complement each other; a good DR plan relies on a good BC plan and vice versa. Ensure that the DR and BC teams work closely together to ensure success. For more information on the differences between DR and BC, please refer to the note, “Draw the Line Between Disaster Recovery and Business Continuity.”

29. Info-Tech Research Group 7 Organizations attribute their failure to develop disaster recovery capabilities to multiple factors Organizations listed business buy-in, time, and money as the main reasons why they had yet to develop their disaster recovery capabilities. “Cost and always something else to do…” -VP in Public Administration “The organization didn't have an IS executive in place and it wasn't considered a company priority until recently. “ - VP in Wireless Telecom Carriers “3 blind monkeys - haven't seen a disaster, won't hear of a disaster, refuse to talk of a disaster. Strong plans have existed and been undermined over time due to lack of executive support. Some departments have maintained robust procedures, yet others are becoming weak links.“ -Manager in Publishing Industry

30. Info-Tech Research Group 8 No matter how lucky you are, disasters occur. Everyone is vulnerable and can benefit from some preparation. DR only becomes useful when all else has gone horribly wrong. “In business, the disaster isn't the act of God or fire that destroys property, but the loss of data and the inability to continue operations - THAT is the business disaster.“ -Manager in the Publishing Industry It would be best for an organization if the value of its DR capabilities is never truly realized. However, having DR ensures that an organization can (and knows how to) survive a disaster. If an organization invests a little now, it won’t lose nearly as much later. Unless you live in an impenetrable bubble, you will benefit from DR. Every organization that operates on the planet is at risk from one type of disaster or another. An organization will find DR valuable whenever the cost of losing its IT operations is greater than the cost of creating and maintaining its DR capabilities. “It’s a relatively cheap insurance policy.” - Director in Consulting

31. Info-Tech Research Group 9 Downtime costs money. If you know how much, then you know how urgently the organization must avoid it. There are several ways in which downtime may cost your organization money: Loss of Revenue If the organization is unable to sell product or fulfill orders, then it is losing revenue. This could be the result of an interruption in the shipping process or of the channel through which sales are made (building, website, etc.) being inaccessible to customers. Loss of Productivity The system is down, causing a production shift to stand around or "make work" to keep busy rather than doing their normal jobs. Since staff still have to be paid, this time is considered a loss. Increased Labor Costs Any additional work is going to require additional labor. This could be in the form of overtime shifts or extra workers during regular shifts. Whatever the case, expenses are going to increase and the organization is going to have to pay for these incremental costs. Increased Operations Costs If additional work has to be done in order to make up for lost time, then operating costs, such as utility costs, are likely to increase. These expenses are separate from labor and have more to do with keeping the company open longer or working at a higher capacity. What costs are relevant, and to what degree they impact the organization, is dependent upon the specific system that is down and its function within the business.

33. Know when IT can bring systems back online and to what point IT can recover data.

34. Understand the infrastructure that is currently used to support recovery abilities.

36. The validity of these wants can be established by asking these questions:

37. What systems are most important to the business?

38. Are there manual processes which can temporarily replace these systems?

40. Avoid discrepancies between the two groups; negotiate to find the right compromise.

41. IT should be able to explain the costs of attaining various objectives.

42. The business side should be able to explain the potential downtime costs various objectives are meant prevent.

43. Once both sides of the puzzle are understood, the organization can settle on a balance.10

44. Info-Tech Research Group 11

45. Info-Tech Research Group 12 All organizations have some form of DR capability; determine if you need to spend more time on DR If the answer to any of the questions above is "No", your organization needs to spend more time on DR. The “DR Recovery Objective Alignment and Cost Tool” will walk you through these questions and help you determine if you need to spend more time on DR.

46. Info-Tech Research Group 13 The legend below appears on the slides ahead to remind you of where you are in the DR scoping process. 1 2 Knowing IT’s existing ability to withstand and recover from disaster provides a baseline from which all future DR enhancements and/or downgrades can be made. The business needs to be able to communicate the amount of time and data it can afford to loose in the event of a disaster in order to establish an initial target for DR improvements. 3 4 Business desires must be validated by balancing potential downtime losses with the cost of enhanced DR capabilities. IT and the business must ensure that capabilities are aligned with requirements and that budgets are reasonable and can be achieved.

50. Info-Tech Research Group Maybe you need to spend more time on DR. Here’s a tool to find out. Answer a few simple questions in the “DR Recovery Objective Alignment and Cost Tool” and determine your organization’s current and recommended DR capability. “DRPs are never completed; they’re always drafts as far as I’m concerned.” – IT Director in Real Estate Development and Operation This tool will assist you in defining which areas of your DR plan are insufficient for your organizational needs. 16

51. Info-Tech Research Group 17 RTO and RPO are the building blocks of DR Info-Tech Insight: Recovery Time Objective, or RTO, is the amount of time an organization can afford to have its systems down (e.g. the organization's systems can be down no longer than one hour). Recovery Point Objective, or RPO,is the point in time beyond which an organization cannot afford to lose information (e.g. the organization can afford to lose 24 hours data/processing) Off-site back up does NOT result in RTOs and RPOs of zero hour. Unless data is streamed to redundant facilities and simultaneously processed, outages can still occur. RTOs and RPOs are the metrics which set the level of your organization’s DR capability. RTOs and RPOs vary depending on the needs of the organization and the criticality of the system/data they are relevant to; they can range from less than an hour to more than a week.

52. Info-Tech Research Group 18 Organizations care more about reducing data loss than restoring system operations For most organizations, limiting data lost during a disaster is more important than minimizing downtime. This is likely because so much of a business’ day to day activities rely on the data. It’s cheaper and easier to support longer recovery objectives. The percent of the yearly IT budget that is spent on DR decreases as RTOs and RPOs increase.

53. Info-Tech Research Group 19 Shorter RTOs and RPOs provide greater protection, but at a greater cost. The inverse also applies. When an organization decreases its RPOs and RTOs, it will need to increase its DR budget to procure and maintain more infrastructure and policies to support the new objectives. When an organization decides it can afford to increase its RPOs and RTOs, it can decrease its DR budget because it needs to procure and maintain less infrastructure and create fewer policies to support the new objectives. “We must prepare for the worst and hope for the best, but it is a balancing act as to how much you spend on insurance.” -Manager in Chemical Manufacturing Disaster Point Required Investment Increases as RPO Decreases Required Investment Increases as RTO Decreases $$ $$ $ $ 1 Week RPO 1 Day RPO 1 Hour RPO 1 Week RTO 1 Day RTO 1 Hour RTO

54. Info-Tech Research Group 20

55. Info-Tech Research Group 21 Even moderate business involvement will make DR projects much more time effective In emergencies, organizations need to get critical systems up and running as fast as possible. The business side plays a key role in determining exactly which systems are critical, and which are secondary. “A balance is needed between spend and potential impact - this depends on business criticality and so it is entirely down to the business leaders to decide. IT can assist in optimizing the DR solution so resources aren’t wasted.” -Manager in Other Services

56. Info-Tech Research Group 22 The Business Impact Assessment is an important step in building proportionate DR capabilities Business Impact Assessments (BIA) gauge the approximate costs and frequency of system downtime. Systems are then prioritized in terms of criticality, allowing organizations to focus attention and resources where they will be best spent. BIAs should be done before attempting to create any DR capabilities. “We looked at descriptions of the divisions, what applications were used within them, and how they broke themselves down in regards to criticality with timeframes listing their priorities. We didn’t worry about price at this point; it was just a matter of determining the levels of importance.” - Senior Technical Support Specialist in the Government Current RTO RTO that Bus. wants RTO that Bus. Needs DR BIA Current RPO RPO that Bus. wants RPO that Bus. Needs

57. Info-Tech Research Group 23 BIAs help the business side determine what DR capabilities they actually need How is the BIA used? “People who haven’t created a DRP are just one disaster away from making the change.” - Director in Consulting

58. Info-Tech Research Group 24 The Business Impact Analysis tool is a fast way of figuring out how much downtime is costing you You have read about the ways in which downtime can cost your organization money. The next step is to calculate how much money your organization actually loses to downtime. In the “DR Recovery Objective Alignment and Cost Tool”, the “Business Impact Analysis” tab will tell you what kind of annual losses you can expect due to downtime, which will then be compared to the amount spent on DR. A large difference indicates there is a need for change.

59. Info-Tech Research Group 25 While bigger budgets might not guarantee shorter RPOs and RTOs, they do raise DR satisfaction Organizations that have dedicated a larger percent of their IT budget to DR were 44% more likely to have been more satisfied with their performance during an actual disaster than those with smaller DR budget percentages. The organizations with larger budget percentageswere also 33% more likely to reach their RTOs and RPOs than less DR-endowed organizations.

60. Info-Tech Research Group 26 Explain the costs associated with DR so the business can make informed decisions Costs associated with Disaster Recovery: Infrastructure investments (ranging from new hardware to redundant data centers) Software investments Training for IT staff Cost of educating and training end users Testing Modifications to plan (to reflect any organizational changes, changes to software, infrastructure and business needs) One Time Costs Ongoing Costs Despite feeling satisfied, survey results showed that organizations that dedicated a larger percent of their IT budget to DR actually had longer RPO and RTO averages, 35 hours and 44 hours respectively, than organizations who dedicated smaller percentages to DR, who had a RPO average of 25 hours and a RTO average of 32 hours. This goes to show that how money is spent is more important than how much money is spent. “One thing we’re only now realizing is the cost of the ripple effect. Controlling the costs of both a primary and secondary location, with data in both that needs to be aligned, can add up.” - Manager of IT in Public Services

61. Info-Tech Research Group 27

62. Info-Tech Research Group 28 Misalignment between IT’s current capabilities and the business’ validated needs is a fixable problem If IT’s RPOs and RTOs are high than the business’ needs, then the organization is incurring a needless expense. If IT’s RPOs and RTOs are lower than business’ needs, then the organization is still very vulnerable. Often, IT will not have a DR budget big enough to meet all of the business’ DR needs. In those cases, IT and the business will have to work together to find the balance which, while not ideal, is good enough. Once business and IT have decided on the organization’s RPOs and RTOs , IT must determine what resources will be required; these include time, skills and money (for upfront and ongoing costs). “In our industry and IT sector, crisis happens anytime. Having a workable DR that can be executed within the aligned time that the business group agreed with IT, we can manage our expectation with our stakeholders and allocate resources to identify problems and resume business operation if gaps happen.” -Supervisor in Air Transportation

63. Info-Tech Research Group 29 Until IT and the business have agreed on DR goals, work cannot start on improving DR capabilities Establish Budget/Costs DR cannot be gifted with infinite resources, so organizations must put the resources that are available to their best use. Review the list of priorities the business side has generated and the options currently open to the organization and then distribute the budget in proportion to goals. The Cycle of Alignment Aligning IT and the business’ RTOs and RPOs can be a difficult task. Companies generally rotate through three phases before they can actually begin to create a DR Capability. Avoid getting stuck in the cycle. Accept or Reject Once the budget has been drafted and IT has an idea of what is attainable, share the knowledge once more with the business side. Once they see the realities available to them, they may want to re-think some of their decisions. Begin Building DR Once the situation is understood and the details are agreed upon, the real work will finally begin. Healthy Debate It is critical to keep the business side involved in forming the final RTOs and RPOs, though finding a set you both agree on may not be the easiest task. Minimize the time spent on aligning IT and the business’ wants to expedite the process. Ensure that the business and IT keep the lines of communication open and that both parties are willing to hear each other’s opinions.

64. Info-Tech Research Group 30 Use Info-Tech’s “Ideal RPO and RTO Calculator” tool to align your organization’s recovery objectives Use the “Comparison of Business and IT Recovery Objectives” tab. Enter both IT’s and the business’ RTOs and RPOs, examine the comparison, and then enter the compromise. IT can provide a set of RPOs and RTOs, and business wants another set of RPOs and RTOs, but what set does the organization need? This is not a rhetorical question; use Info-Tech’s tool to find an answer.

65. Info-Tech Research Group 31 Use the “Cost of Maintaining Recovery Objectives” tab to align your organization’s objectives Companies generally miscalculate the percent of their IT budget that will be spent on DR. According to our survey, actual costs average 30% more than organizations predict. Use this tool to determine the percent of the IT budget your organization should invest in DR. 30%

67. obtained the business’ priorities,

68. kept the business involved while IT balanced their wants and their costs, arriving at the organization’s needs,

71. Info-Tech Research Group 33

72. Public Services organization begins to build its DR Info-Tech Research Group 34

73. Government agency continually improves DR capability Info-Tech Research Group 35

74. Consulting company knows how to maintain its DR capabilities Info-Tech Research Group 36

75. Need additional support? Info-Tech goes beyond just providing research: You can either speak directly with an analyst or advisor and/or evaluate on-site consulting services to help your team achieve results. Trigger Point:The Basics Trigger Point:Current DR Capabilities Trigger Point:DR Wants & Needs Trigger Point:Aligning IT & Business The Definition Disaster Recovery vs.Business Continuity The Value What IT Provides Business Buy-In What Business & IT Want What Business & IT Need Balancing Costs Achieving Compromise Our Consulting & Advisory Services Our Consulting & Advisory Services Our Consulting & Advisory Services Our Consulting & Advisory Services Establishing common understanding Clarification of scope and responsibilities Business case development Assessing your IT Capability: DR Recovery Objective Alignment & Cost Tool Fostering Organizational Awareness and Readiness Business Impact Assessment DRBC Organizational Prioritization Commitment on Budget for DRBC Priority Areas Executive Roadmap & Timeline E-mail our Advisory Team to find out how we have helped other clients and get your Disaster Recovery initiative started today! 37

76. Info-Tech Research Group 38 Appendix

77. Info-Tech Research Group 39 What are the components of a disaster recovery plan? DRPs can be split into two main parts: Strategic and Tactical