DR/BC: Counting The Cost When Failure Is Not An Option

If practice makes perfect and nobody is perfect, why practice? That hoary old joke might be funny about doctors, but when it comes to disaster recovery and business continuance, not practicing your recovery plans is a pretty good formula for failure. Not having a DR/BC plan is priceless, i.e. your business has just a 6% chance of survival following an outage.

Even if you manage to survive, the costs are not trivial: the cost of an unplanned data center outage has jumped 41% since 2010, to just over $7,900 per minute. Close to half — 43% — never reopen, and 51% close within two years.

However, several new studies indicate that something is rotten in the state of DR/BC. According to a new survey from Arbor Networks, Inc., 83% of businesses are not fully prepared for an online security incident. It gets worse: despite 77% of companies suffering an incident in the past two years, 38% still have no incident response plan in place. The survey offered some hope, in that the percentage of organizations that now have an incident response team and plan in place is set to rise above 80% in the next few years.

Although the results were slightly better, the Disaster Recovery Preparedness Council’s (DRPC) 2014 annual benchmark study found that 73% of respondent organizations worldwide are not taking adequate steps to protect their data and IT systems. According to participants, 78% have experienced outages of critical applications due to poor planning, testing, and technological deficiencies, and of that group, 63% say that losses from critical application failures, data center outages, and data loss ranged from a few thousand dollars to over $5M. Approximately 28% of this group also said their organization lost data center functionality for up to weeks at a time.

More than 60% do not have a fully documented disaster recovery plan, and among the minority that do, 23% have never tested those plans. While a third test their plan only once or twice a year, two thirds of them do not pass their own DR tests.

“Without established documentation of a DR plan, most organizations can’t help but struggle when an outage or disaster occurs,” blogged DRPC’s Steve Kahan. “One of my past experiences with a data center fire that caused a major loss of business services dramatically demonstrated to me personally the difficulty of trying to recover critical applications without a fully documented plan. In the event of an outage, chaos ensues unless you’ve spelled out specific steps for who does what in a disaster scenario.”

A third new study just pours gasoline on the DR bonfire, showing that over 50% of companies never test their disaster recovery solution, although 28% test at least every 3 months. The study also found that cost is still the highest priority when choosing a disaster recovery strategy, despite an increasing shift from offsite backup to virtual standby methods. This demonstrates a growing understanding of the need for network resiliency, but limited budgets mean companies still have to weigh the cost against the benefits when deciding on their disaster recovery strategy.

Virtually every aspect of your business is vulnerable to disruption, noted Paige Poore, BCRS Director and CTO, IBM Global Business Continuity Management, in a recent blog. “Business and IT disruptions that result from business continuity and IT security failures will cost organizations an estimated average total of $19.6 million over the next 24 months.”

She was marking the annual global Business Continuity Awareness Week at the end of March, whose theme was Counting the Cost. It was designed to demonstrate the potential cost of not having an effective business continuity management system, even though such systems are proven to help organizations anticipate, prepare, respond and adapt to an ever-changing risk environment.

DR Best Industry Practices

Steps to improve disaster preparedness, employing best industry practices, include:

  • building a comprehensive DR plan to recover applications, networks and business services, including primary and secondary sites;
  • defining recovery time objectives (RTOs) and recovery point objectives (RPOs) for critical applications to set proper expectations and assumptions for management and staff; and,
  • automating frequent recovery testing for critical applications to validate their recovery capabilities within specified RTOs/RPOs.
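
The second and third steps above, as an added example that is not part of the original article: a Python check that compares each application's most recent recovery drill against its defined RTO and RPO and flags applications whose last test is too old or missing. The application names, targets, record layout and the 90-day maximum test age are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Objective:               # targets defined per critical application
    rto: timedelta             # maximum tolerated time to restore service
    rpo: timedelta             # maximum tolerated window of lost data

@dataclass
class Drill:                   # one recovery test, as recorded by the test run
    app: str
    outage_start: datetime     # when the simulated failure began
    last_good_copy: datetime   # newest backup/replica point that was recoverable
    service_restored: datetime # when the application passed its health check

# Constructed sample data: hypothetical applications, targets and drill results.
OBJECTIVES = {
    "billing": Objective(rto=timedelta(hours=1), rpo=timedelta(minutes=15)),
    "crm": Objective(rto=timedelta(hours=4), rpo=timedelta(hours=1)),
    "wiki": Objective(rto=timedelta(hours=24), rpo=timedelta(hours=24)),
}
T = datetime(2014, 4, 1, 9, 0)
OLD = T - timedelta(days=200)
DRILLS = [
    Drill("billing", T, T - timedelta(minutes=40), T + timedelta(minutes=50)),
    Drill("crm", OLD, OLD - timedelta(minutes=5), OLD + timedelta(hours=2)),
]

def evaluate(objectives, drills, now, max_age=timedelta(days=90)):
    """Return {app: [findings]}; an empty list means the latest drill met its targets."""
    latest = {}
    for d in sorted(drills, key=lambda d: d.outage_start):
        latest[d.app] = d      # later drills overwrite earlier ones
    report = {}
    for app, obj in objectives.items():
        d = latest.get(app)
        if d is None:
            report[app] = ["never tested"]
            continue
        checks = [
            ("RTO missed", d.service_restored - d.outage_start > obj.rto),
            ("RPO missed", d.outage_start - d.last_good_copy > obj.rpo),
            ("test stale", now - d.service_restored > max_age),
        ]
        report[app] = [name for name, failed in checks if failed]
    return report

if __name__ == "__main__":
    print(evaluate(OBJECTIVES, DRILLS, now=T + timedelta(hours=2)))
```

Run on a schedule against real drill records, a non-empty findings list for any application is the signal to fix the plan or re-test before an actual outage does the testing.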