By Stephanie Baskerville on April 06, 2017

Disaster Recovery Plan – 4 Myths Debunked!

 

Any time a natural disaster or major IT outage occurs, it increases executive awareness and internal pressure to create a Disaster Recovery Plan. Similarly, industry and government-driven regulations are placing more focus on business continuity – and therefore a Disaster Recovery Plan by extension. Customers are also demanding that organizations provide evidence that they have a workable Disaster Recovery Plan before agreeing to do business.

Traditional Disaster Recovery Plan templates are onerous and result in a lengthy, dense plan that might satisfy auditors, but is not effective in a crisis. Similarly, the myth that a Disaster Recovery Plan is only for major disasters and should be risk-based leaves organizations vulnerable to more common incidents. The increased use of Cloud computing partners and managed service providers means you may depend on them to meet recovery timeline objectives.

Therefore, it is important to create an effective Disaster Recovery Plan by following a structured process to discover current capabilities and define business requirements for continuity, not by completing a one-size-fits-all traditional Disaster Recovery Plan template. This includes:

  • Defining appropriate objectives for maximum downtime and data loss based on business impact.
  • Creating a Disaster Recovery  project roadmap to close the gaps between your current DR capabilities and recovery objectives.
  • Documenting an incident response plan based on a tabletop planning walkthrough that captures all of the steps from event detection to datacentre recovery.

 

What is a Disaster Recovery Plan?

A disaster recovery plan is part of an overall business continuity plan. A disaster recovery plan consists of a set of procedures and supporting information that enables an organization to restore its IT services (e.g. applications and infrastructure) as part of an overall business continuity plan (BCP). An effective Disaster Recovery Plan is critical in reducing recovery time and the cost of downtime. If you don’t have an effective disaster recovery plan when a failure occurs, you will face extended downtime and exponentially rising costs due to confusion and lack of documented processes.

In addition to an IT Disaster Recovery Plan, an overall BCP also includes BCP for each business unit and crisis management plan:

1. IT Disaster Recovery Plan:

A plan to restore IT services (e.g. applications and infrastructure) following a disruption. This includes:

  • Identifying critical applications and dependencies.
  • Defining an appropriate (desired) recovery timeline based on a business impact analysis.
  • Creating a step-by-step incident response plan.

2. BCP for Each Business Unit:

A set of plans to resume business processes for each business unit.

3. Crisis Management Plan:

A set of processes to manage a wide range of crises, from health and safety incidents to business disruptions to reputational damage. This includes emergency response plans, crisis communication plans, and the steps to invoke BC/DR plans when applicable.

 

Why have a Disaster Recovery Plan?

1. Potential Lost Revenue without a Disaster Recovery Plan

The impact of downtime increases significantly over time, as illustrated for lost revenue in the graph to the left. An up-to-date and tested Disaster Recovery Plan will significantly increase the consistency of your ability to recover and is critical to minimizing downtime and business impact.

If you do not have an existing Disaster Recovery Plan, your organization is gambling on being able to define and implement a recovery strategy during a time of crisis. At the very least, this means extended downtime – potentially weeks or months – and substantial business impact.

2. Cost of Downtime has been hugely increasing

The list below is the cost of downtime for the Fortune 1000 according to IDC’s 2015 report, Fortune 1000 Best Practice Metrics Quantified.

  • Cost of unplanned apps downtime per year: $1.25B to $2.5B
  • Cost of critical apps failure per hour: $500,000 to $1M
  • Cost of infrastructure failure per hour: $100,000
  • 35% reported to have recovered within 12 hours.
  • 17% of infrastructure failures took more than 24 hours to recover.
  • 13% of application failures took more than 24 hours to recover.

The cost of downtime is rising across the board, and not just for organizations that traditionally depend on IT (e.g. e-commerce). For example, downtime cost increases since 2010 include:

  • Hospitality: 129% increase
  • Transportation: 108% increase
  • Media organizations: 104% increase

 

Debunking 4 Disaster Recovery Plan myths!

Disaster Recovery Plan Myth 1

Myth #1: Disaster Recovery Plans need to focus on major events such as natural disasters and other highly destructive incidents such as fire and flood.

Reality: The most common threats to service continuity are hardware and software failures, network outages and power outages.

Forty-five percent of service interruptions that went beyond maximum downtime guidelines set by the business were caused by software and hardware issues. Only 12% of incidents were caused by major destructive events.

Does this mean I don’t need to worry about natural disasters? No. It means Disaster Recovery planning needs to focus on overall service continuity, not just major disasters. If you ignore the more common, but less dramatic causes of service interruptions, you will suffer the proverbial “death from a thousand cuts.”

 

Disaster Recovery Plan Myth 2

Myth #2: Effective Disaster Recovery Plans start with identifying and evaluating potential risks.

Reality: Disaster Recovery is not about mitigating risks; it’s about ensuring service continuity.

The common “by-the-book” approach is to identify risks, assess probability, and then build a plan to mitigate those risks. Here’s why the risk approach is ineffective:

  • Unless you can foresee the future, odds are that you won’t think of every incident that might occur. If you think of 20 risks, it will be the 21st that gets you.
  • If you take risk assessment to an extreme level to try to guard against that unforeseen 21st risk, you can quickly get into unrealistic and cartoonish scenarios and much more costly solutions.
  • The traditional risk-assessment process for Disaster Recovery planning is time consuming, often has little immediate value, and delays more effective actions (e.g. process and technology enhancements).

Failure happens regardless of your risk profile; thus, it is important to strive for overall resiliency that will enable you to recover regardless of the specific risk or incident.

 

DRP-myth3

Myth #3: Disaster Recovery Plans are a separate entity from normal day-to-day operations.

Reality: The goal of Disaster Recovery is to maintain service continuity and that starts with day-to-day service management.

If a tornado takes out your datacentre, it’s an obvious Disaster Recovery scenario. Where processes often break down is in less obvious DR scenarios (e.g. hardware/software issues) when it’s not clear when to move from service management procedures to DR procedures.

Extending service management processes to account for disaster scenarios helps you ensure more timely and appropriate responses and meet recovery timeline requirements. Organizations that account for disasters in their service management processes (e.g. severity definitions, escalation rules) are much more successful at meeting Recovery Time Objectives (RTO) and Recovery Point Objective (RPO) requirements.

 

Disaster Recovery Plan Myth 4

Myth #4: Disaster Recovery is our managed service provider’s responsibility.

Reality: You can’t assume that Disaster Recovery services are part of your managed services agreement. The same is true for Cloud partners.

Your managed services provider and Cloud partners will probably be able to and happy to provide you with Disaster Recovery services. However, it’s your responsibility to ensure that you have an agreement in place for your disaster recovery scenarios. Talk to your provider/partner to ensure you have the adequate Disaster Recovery services.

 

Develop your Disaster Recovery Plan

Disaster Recovery Plans can sound scary and overwhelming. Our team will be happy to walk you through what Disaster Recovery Plans involve and how your Plan can help you with your organization’s service continuity. Contact us today to have all your questions answered.

 

Related:

Published by Stephanie Baskerville April 6, 2017