Common Disaster Recovery and Business Continuity Questions
- My IT provider keeps asking me to consider spending a lot of money on business continuity, or at the very least a disaster recovery plan, but why?
- What’s the difference between disaster recovery and business continuity and what should I focus on?
- Do I really need to worry and is this a necessary spend for the business?
- What’s the real-world impact and cost if I don’t do this?
These are all very good questions and the fact that you are here reading this article means you’ve already taken a step in the right direction. So, let’s start by providing some context about what disaster recovery and business continuity mean for your business.
Having a plan for business continuity is essential
Having some “plan” in place to protect your business in the event of a major disruption to BAU (business as usual) and day to day operations is essential. Almost every business requires some form of IT infrastructure to operate at a very basic level. Thus, it’s your IT provider’s responsibility to engage and encourage the business to build a framework of resilience in order to manage this risk.
The approach: a disaster recovery plan
At a minimum you should have disaster recovery in place. However, if you are looking for comprehensive coverage then you should include a business continuity plan on top of this. How this is achieved is usually decided by the business’s expectations around recovery time objectives, as well as the associated cost to achieve the level of resilience required to deliver on these expectations. Simply put, the recovery time objective is: how long can my business afford to be in limbo whilst recovering from catastrophic failure, until supporting infrastructure and services are restored?
Disaster recovery
- This plan ensures that a business can recover to a fully operational state of BAU over a period of time.
- In other words, the business has a plan to recover data, infrastructure and services to a point in time at which it was operating optimally before the failure occurred.
- There may be some loss of data from the point that the outage occurred and until recovery.
- The business may be able to operate in a very limited capacity during recovery. But it’s usually not able to return to 100% efficiency until infrastructure and services have been restored.
- The level of operational capability depends on the business requirements and, proportionally, on the amount of financial investment in resilience.
Business continuity
- This plan ensures there is continuous business operation in the event of an infrastructure or service outage.
- In other words, the business has a plan to recover data, infrastructure and services in the event of catastrophic failure but also has the capability to continue operating optimally at capacity during an infrastructure or service outage.
- Data loss is unlikely from the point that the outage occurred and until recovery.
- The business can operate at full capacity during recovery and the impact of the outage is minimal while recovery takes place.
- The level of operational capability depends on the business requirements and, proportionally, on the amount of financial investment in resilience.
But why?
For the same reason that you have insurance. It’s not “a matter of if”. It’s “a matter of when”. This is going to happen. Failure of components is inevitable, and you need to be prepared for it. It’s the responsibility of your IT provider to review this annually and work with you to achieve the resilience the business requires. If you haven’t addressed this, it would be prudent to have this discussion ASAP.
An annual review of the business recovery plan helps the decision makers to build a comprehensive report of the anticipated impact should failure occur. The plan should include steps to manage these risks and quantify how long it would realistically take to recover from failure at various levels of the business. The initial review may seem daunting, especially if you haven’t considered this before, but it’s a necessity. At the most basic level, your business should have a disaster recovery plan. Once you have a routine, this will become easier, the budget will become more predictable and annual reviews will help the business to maintain or adjust anticipated levels of service as required.
Understanding the impact of a disaster
The bottom line is that you will only truly understand the impact and costs once you’ve performed a comprehensive review of your infrastructure. It’s hard to quantify exactly what the impact would be because each point of failure is a small component of a much larger machine.
That being said, let’s consider a few scenarios.
- Your mail service has just gone down. You have no way of digitally responding to incoming communication, and mails are being bounced back to clients who are getting frustrated. You are now at the mercy of your mail provider, must perform damage control and unfortunately have no choice but to wait until the provider is able to recover the service. The business has lost at least a day’s worth of revenue; your clients have contacted other vendors to expedite because you’ve been unable to respond, and you are still waiting for the outage to be resolved.
- The business has just had an internet outage. You’ve phoned the ISP, but they’ve told you a fibre connection in the street has been accidentally cut and they expect it to be repaired in 3 weeks. With any luck you’ll be able to get another basic internet line in, at great cost to the company if you expedite, but it’s going to take at least another 3-6 days to make this happen and it’s not going to be fit for purpose.
- A file server in the comms room has just failed and it’s out of warranty. The vendor has no hardware replacement in stock and the ETA on delivery of an emergency replacement server is 2-4 weeks. You’ve ordered a server and in the interim you’ve tried to redistribute internal services to manage what you can, but it’s never been planned for and turns out to be much more complicated than you anticipated. The business has now lost at least a week’s revenue because staff have been unable to access critical company data. On top of that, the business has spent a lot of money trying to implement a temporary solution while waiting for the replacement server to arrive, and has forgotten to factor in the recovery time required to rebuild the infrastructure once you have the new hardware in hand.
The reality
Some businesses take this very seriously and some wait until it’s too late because they cannot truly quantify the loss of revenue vs the cost to implement the resilience required. Often, being presented with the immediate cost to improve resilience without justification means that risk management falls by the wayside. So, it’s important that your IT provider can provide you with both the quantitative justification and the real-world impact of the “what if” scenarios in terms of your business infrastructure. What comes next is a business review of the cost of downtime relative to the cost of implementation, followed by a decision on priority spend.
As a business you might not be concerned about losing a week of BAU, but hopefully you are, and you can see the logic and reason behind the need to invest in disaster recovery because it is just that. It’s an investment in the future of your business.