I had the pleasure recently to present to a group of IT and business leaders on the topic of disaster recovery. Based on some of the questions and feedback from the group, I thought I would add some comments on this topic on the blog.
First, a fair number of attendees commented that they were having a hard time explaining the need for disaster recovery, or obtaining the necessary resources (either staff time, money, or both) to implement a solution. Of the attendees, only a handful reported they had completed the implementation of a disaster recovery solution. I think these are common problems for many organizations that are otherwise properly focused on meeting the computing needs of their user community. Disasters generally happen infrequently enough that they do not remain a focus of senior management. Instead, most businesses focus on servicing their customer base and generating revenue, and addressing the day to day issues that get in the way of these things.
Second, one of the attendees properly emphasized that IT staff are an important part of the planning equation. Without qualified and available staff, a disaster recovery system will not produce the desired outcome – a timely and successful recovery, no matter how expensive the system itself costs.
Third, at least one attendee indicated that they had implemented a solution with a service provider, but the solution was incomplete for the organization’s recovery needs. This is also a common problem for organizations that have significant changes in their systems over time, but disaster recovery is not included in the new system acquisition process.
Disaster recovery as a concept should not be introduced as an IT project, in spite of the fact that there are important IT components to any disaster recovery plan. Instead, disaster recovery is a mindset. It should appear on the checklist of items to consider for organizational decisions, along with other considerations like “how will this project generate revenue?” and “how will this project impact our commitment to protecting customer data?”
Disaster recovery solutions are more than just another virtual server or service. Disaster recovery is another insurance policy against the uncertainty of life. Organizations routinely purchase liability insurance, acts and omissions insurance, and other insurance policies on the basis that unanticipated negative events will inevitably occur. System failures, computer viruses, and other environmental failures are inevitable, even if rare. Disaster recovery solutions are a hedge against these unfortunate events.
Risk assessments for information systems help organizations to quantify their exposure to the unknown, and to estimate the potential impact to the organization if a threat is realized. Risk assessments also provide an orderly way to prioritize system recoveries, so that a disaster recovery solution focuses on mitigating the largest risks to the most critical information systems. As was pointed out at the presentation, payroll systems often seem the most critical systems, but the mitigations for the unexpected failure of a payroll system may not be a computer solution at all. Instead, the organization may elect to simply pay employees cash based on their last pay check, and reconcile payments once the payroll system is available again.