When it comes to concerns about disaster recovery, IT pros go with what they know; they focus on the technology and usually can figure out how to restore a particular dataset, server or application. However, when there’s a disaster that destroys data and applications across the business, it’s a totally different story. Restoring everything for everyone all at once is very unlikely unless you have unlimited time, massive IT resources and very deep pockets. No one has all three.
You need to first understand the impact a disaster can have on the business and prioritize recovery accordingly. This requires a discussion with business managers to define mission critical needs, because without understanding the impact and risk that unavailable apps and data cause to operating units, creating a Disaster Recovery plan that addresses continuity effectively just isn’t possible.
What’s your objective?
You’ll need this information to set recovery time (RTO) and recovery point (RPO) objectives for each workload based on what you learned from operating units. An RTO refers to the amount of time that can pass before a disruption unacceptably harms your business operations, such as application or services downtime. If you need the delivery of a service or resumption of a specific activity in three hours, your RTO will be three hours.
An RPO addresses how often your organization backs data up. Put another way, it’s how much data your company can afford to permanently lose before it causes real harm to your business. Like RTOs, RPOs should be based on business needs and the tolerance for loss of different data types.
By understanding your business objectives, you’ll be able to more easily create the right plan and back into recovery.
What’s the impact?
Conduct a business impact analysis (BIA) to assess all functions, related processes and their dependencies. Having a grasp on workflow and knowing exactly how disruption can hurt operations will help identify the potential for loss.
A BIA revolves around questions for application, department and line of business owners. They should be uniform to ensure responses can be effectively compared. It’s best to start with business areas first and technology later, for instance, speaking with the sales department rather than the specific owners of the customer relationship manager solution.
Here are some typical BIA questions and how they can be useful:
- What business functions do you use every day? This connects functions to vital technology.
- How long can you acceptably go without this function? This can create RTOs for backup data sets.
- What is the maximum period of disruption that can be tolerated for a specific function? This helps illustrate worst-case scenarios.
- Are there legal and compliance requirements that must be met for this function? Regulations don’t sleep, even during emergencies, so it’s important to understand your liability.
- How much data can you afford to lose? This can be measured in time and is useful for establishing RPOs for technology assets.
- Are there any legal or compliance requirements for this business function? It’s important to know if there are any outside influences on RPOs and RTOs.
Is it realistic?
Recovery objectives aren’t always realistic and it’s vital you have RTOs for specific workloads. Still, recovering a specific asset – be it a server, application or entire environment – can produce unpleasant surprises and take more time than expected. So, it’s important to test to ensure recoverability, which can help level-set recovery expectations amongst executives and users. This can also lend weight to your recovery plan and any related requests.
When it comes to getting operations back up and running, executives might want the speed of a sports car when your IT department only has the budget for a compact car. They might envision handling six-lanes of traffic but you know you’ve only got the capacity for three. You could have legacy equipment, cheap storage, limited staff — and your company’s decision makers need to be realistic about what is affordable.
Better to get the best RPOs and RTOs out of what you have and mitigate risk than remain vulnerable by putting off improvements as you wait for budget.
Are you ready?
It comes down to maximum tolerable period of disruption (MTPoD) – how long a recovery takes before the impact is materially greater than the loss of a few sales or handful of employee hours. Once you have a grasp on this for each of your services, apps and datasets, you can build tier out priorities and align them accordingly to your recovery process.
This, in turn, can also be used to enlist and align a provider specializing in cloud-based disaster recovery.
By doing so, you won’t need to wrangle over new investments because the disaster recovery as a service (DRaaS) provider should have some of the latest and greatest equipment and they’ll stay abreast of future technology developments. They can help create disaster recovery infrastructure based on your needs, conduct regular disaster recovery testing, proactively monitor for issues and provide 24/7 support.
And, of course, they’ll help you establish the right RTOs and RPOs for your business, and with a service level agreement backed by their considerable disaster recovery expertise, you’ll be sure to meet them.
Need a business impact analysis worksheet? How about a checklist for choosing a backup service provider? Here’s where you can find pricing!