Moderator: Peter Burris
Analyst: David Floyer
In this post-9/11, post-Katrina era, businesses have at least begun discussing the degree to which their IT infrastructure in general and storage infrastructure in particular is ready to respond to a potential disaster. The Wikibon community observes that businesses frequently talk about the need for comprehensive disaster recovery but usually fail to fund that effort appropriately. More importantly, they often fail to fully engage in the planning process to ensure that the processes and programs for returning the business to acceptable operational mode are fully adopted by everyone concerned.
For IT organizations put in the position of having to initiate a disaster recovery planning process, we suggest four areas of focus:
- Develop a clear assessment of business impact,
- Gain full agreement of all stakeholders for the metrics for measuring, assessing, and communicating that business impact of a potential disaster,
- Develop all the skills for implementing the activities involved in preparing for and recovering from a disaster,
- Gain agreement on the level of investment in DR and the right set of returns adopted.
On each of these points, IT organizations must accept a secondary role and push business leaders to take responsibility for moving the planning and execution processes forward.
The business impact activities are critical. Business leaders must fully factor both the dollar volume impact of a disaster and the likelihood that the disaster will occur. To accomplish this, at least three groups must be fully vested in the planning process:
- Line-of-business leaders focused on revenue of their business operations along many dimensions including time,
- IT organizations that will need to quantify and categorize the technology infrastructure risks, and,
- Experts in facilities, who must provide clear guidance regarding the likelihood that an external event might impact the locations of IT and/or other business assets.
Other groups – compliance, the CXOs, and perhaps even the board of directors who will have to sign off on commitments regarding data security, quality and availability – may also be involved.
An increasingly popular technique for assessing business impact against multiple dimensions is triangulation. The business will triangulate the likely costs of a disaster as a function of volume of lost business and risk using internal estimates, assessments by third parties such as insurance companies, and other external resources such as its investment bank’s assessment of the likely impact of a disaster on the company’s capitalization.
The metrics used to optimize those decisions include Recovery Point Objective (RPO) and Recovery Time Objective (RTO). Neither of these metrics is sufficient, but both are necessary to drive the planning process.
Finally we note that allocating the dollars required to achieve the optimum level of disaster recovery preparedness and response is an ultimate test of the company’s commitment to forge high quality disaster recovery strategies. These dollars include out-of-pocket expenses for products and redundant resources, the willingness of business leaders to take time to practice appropriate DR techniques and approaches, and ultimately the degree to which full testing of different DR plans is allowed.
IT groups in organizations that talk disaster recovery preparedness and optimization and do not fund it should not be seduced by the opportunity to buy more technology or experiment with new products but instead force the business to lead the process as aggressively as possible. Organizations that need the highest degree of preparedness, particularly in the financial industry, are favoring three-node data center architectures – with two centers geographically close together linked by synchronous data connections backed up by a third, remote site (e.g., across the continent or the Atlantic) with asynchronous data backup – as a part of the solution.
Action Item: IT organizations should not attempt to lead planning efforts for disaster recovery but instead must not only accept but demand business leadership in this critically important domain. IT organizations should, however, immediately begin investigating the three-node data center architecture as a technical approach to provide the IT architecture that may be required for DR and establish strong relationships with facilities and other internal groups that will ultimately have to assess the probability and consequences of having to respond to a major disruption in the business.
Footnotes: