Business Continuity and Disaster Recovery - Which Comes First?
We have all heard the statistics – such as “93 percent of companies that lost their data center for ten or more days due to a disaster filed for bankruptcy within one year of the disaster”, and 60 percent of companies that lose their data shut down within six months of the disaster.
You simply cannot build a meaningful disaster recovery plan without first knowing the business’s needs and priorities
Data breaches, viruses and hardware/software failures - there is a lot to worry about regarding your company’s data and applications. The result of a major disruption affecting your data center is that there is a business disruption. What can your company tolerate regarding a disruption to their critical business functions?
Disaster Recovery is challenging and requires time, commitment to testing and tracking issues (and spending the time to actually fix them!) as well as maintenance of recovery documentation. The right recovery solution can save the company money while meeting the needs of the business.
The first step in choosing the right recovery strategy is to understand your RPO and RTO. Shorter RPOs and RTOs result in getting your business back up and running more quickly in a disaster.
■ Recovery Point Objective (RPO) is the minimum amount of data that is acceptable to lose in the event of a disaster (how old is the last copy of your data).
■ Recovery Time Objective (RTO) is the amount of time that is acceptable to recover applications in the event of a disaster (when your business gains access to recovered applications).
Below are some (of the many) recovery options available:
For most companies using tape backup, their RPO is 24 hours (because they do a backup nightly) and the RTO might be 48-72 hours or longer, because that’s how long it would take to recall the tapes, recover the data, and bring the applications back up. Tapes can be reliable and cost effective but are considered old technology and have many potential issues
Using storage devices providing block level storage (e.g. SAN) with synchronous replication, you must have a secondary data center with additional servers to send the replicated data (which will become your primary data center in a disaster). With additional hardware requirements and monthly bandwidth costs to move the data, this can result in high costs but a lower RPO and RTO.
DRaaS / Cloud Solution
Disaster Recovery as a Service uses a cloud provider’s computers, networking and storage to act as the target site for replication and recovery of your company’s critical data and applications. This provides a lot of freedom, including replicating to/from multiple sites (regardless of architecture) and some solutions have great scalability. Costs for this type of solution are higher, but costs will be known and can be budgeted. In this type of solution RPO can be measured in seconds and RTO in minutes, and testing is simplified.
What if you don’t know what your RPO and RTO should be?
The decision can be costly if made without supporting data. IT organizations focus on the need for a disaster recovery (DR) plan. But disaster recovery starts with the business. You simply cannot build a meaningful disaster recovery plan without first knowing the business’s needs and priorities.
Begin by conducting a Business Impact Analysis (BIA). The BIA is a good starting point and will also be the foundation for yourBusiness Continuity Plan (BCP). A BIA identifies each area’s critical business processes and assesses the losses to the business should the business processes be disrupted. Once the business has identified their critical functions and the applications used, the impact(s) of not performing that business function is rated over time to determine the Recovery Time Objective (RTO). See the example below:
For each critical function, continue to rate the impact factors over time to determine which business functions are most important to your company. The applications will inherit the criticality of the business functions. In this way, the work you have done in your BIA to rate the impact over time can be used to categorize the applications into each RTO timeframe in an application recovery priority list. The result will be that by looking at the BIA output, you’ll see the lowest RTO required by the business – and can choose or adjust the IT recovery strategy to meet the business needs.
What if the business function’s RTO is shorter than the RTO capability of IT? This is where the BCP comes into play – the business must have documented workarounds for when the RTO for the business function and its dependencies (e.g. application) exceeds the RTO capability of IT.
Key Success Factors
• Have a data recovery strategy (which data to backup/replicate, how often) – identifying your RPO.
• Do a BIA to identify the business needs for application recovery prioritization and RTO.
• Management needs to ensure adequate internal resources for DR planning and testing.
• Document a Disaster Recovery Plan describing your company’s disaster recovery process.
• Regularly test DR plans and involve the business in testing.
Business Continuity and Disaster Recovery focus on different areas, but they come together during recovery testing and in an actual crisis. Do you know the answer to the question in the title yet? The answer is that Business Continuity Planning comes first to have the most cost-effective strategy meeting the business needs.