Business Continuity and Disaster Recovery - Which Comes First?

Nancy Valente, VP Enterprise Business Continuity, Freedom Mortgage
8
13
3
Nancy Valente, VP Enterprise Business Continuity, Freedom Mortgage

Nancy Valente, VP Enterprise Business Continuity, Freedom Mortgage

We have all heard the statistics – such as “93 percent of companies that lost their data center for ten or more days due to a disaster filed for bankruptcy within one year of the disaster”, and 60 percent of companies that lose their data shut down within six months of the disaster.

  You simply cannot build a meaningful disaster recovery plan without first knowing the business’s needs and priorities  

Data breaches, viruses and hardware/software failures - there is a lot to worry about regarding your company’s data and applications. The result of a major disruption affecting your data center is that there is a business disruption. What can your company tolerate regarding a disruption to their critical business functions?

Disaster Recovery is challenging and requires time, commitment to testing and tracking issues (and spending the time to actually fix them!) as well as maintenance of recovery documentation. The right recovery solution can save the company money while meeting the needs of the business.

The first step in choosing the right recovery strategy is to understand your RPO and RTO. Shorter RPOs and RTOs result in getting your business back up and running more quickly in a disaster.

■ Recovery Point Objective (RPO) is the minimum amount of data that is acceptable to lose in the event of a disaster (how old is the last copy of your data).

■ Recovery Time Objective (RTO) is the amount of time that is acceptable to recover applications in the event of a disaster (when your business gains access to recovered applications).

Below are some (of the many) recovery options available:

What if you don’t know what your RPO and RTO should be?

The decision can be costly if made without supporting data. IT organizations focus on the need for a disaster recovery (DR) plan. But disaster recovery starts with the business. You simply cannot build a meaningful disaster recovery plan without first knowing the business’s needs and priorities.

Begin by conducting a Business Impact Analysis (BIA). The BIA is a good starting point and will also be the foundation for yourBusiness Continuity Plan (BCP). A BIA identifies each area’s critical business processes and assesses the losses to the business should the business processes be disrupted. Once the business has identified their critical functions and the applications used, the impact(s) of not performing that business function is rated over time to determine the Recovery Time Objective (RTO). See the example below:

For each critical function, continue to rate the impact factors over time to determine which business functions are most important to your company. The applications will inherit the criticality of the business functions. In this way, the work you have done in your BIA to rate the impact over time can be used to categorize the applications into each RTO timeframe in an application recovery priority list. The result will be that by looking at the BIA output, you’ll see the lowest RTO required by the business – and can choose or adjust the IT recovery strategy to meet the business needs.

What if the business function’s RTO is shorter than the RTO capability of IT? This is where the BCP comes into play – the business must have documented workarounds for when the RTO for the business function and its dependencies (e.g. application) exceeds the RTO capability of IT.

Key Success Factors

• Have a data recovery strategy (which data to backup/replicate, how often) – identifying your RPO.
• Do a BIA to identify the business needs for application recovery prioritization and RTO.
• Management needs to ensure adequate internal resources for DR planning and testing.
• Document a Disaster Recovery Plan describing your company’s disaster recovery process.
• Regularly test DR plans and involve the business in testing.

Business Continuity and Disaster Recovery focus on different areas, but they come together during recovery testing and in an actual crisis. Do you know the answer to the question in the title yet? The answer is that Business Continuity Planning comes first to have the most cost-effective strategy meeting the business needs.

Read Also

Using

Using "The Box" for Disaster Recovery Planning

Eric J. Satterly, Vice Provost for Information Technology
Disaster Recovery: A Continuous Journey

Disaster Recovery: A Continuous Journey

Mathew Beall, VP of Infrastructure, First American Financial Corporation
Crisis and Incident Management for the 21st Century

Crisis and Incident Management for the 21st Century

Louis Grosskopf, General Manager, Business Continuity Software, Sungard Availability Services