When it comes to disaster recovery IT gets it. Business execs don't. This article provides a detailed list of the elements to include in a business case to sell BC/DR to management.
Business Impact Analysis: First, it is crucial to conduct a Business Impact Analysis exercise. This identifies what the enterprise has at risk and which business applications and processes are most critical. The direct and indirect impact of business interruptions is assessed over time, resulting in requirements for recovery time and recovery point objectives.
Total cost of downtime: Work with your business stakeholders, legal and financial departments to document the total losses per day that your organisation would face if you were not capable of quick and timely application recovery. Keep in mind that disaster recovery and business continuance are nothing more than risk avoidance. Senior managers will have a clearer understanding when you can demonstrate how much risk they will be taking. The following points should be considered in order to know your downtime costs per hour and per day.
Number of employees affected
multiplied by hours out / hourly rate
Damage to reputation affects
- Financial markets
- Business partners
- Revenue recognition
- Cash flow
- Lost discounts (A/P)
- Payment guarantees
- Credit rating
- Temporary employees, equipment rental, overtime costs
- Extra shipping costs, travel expenses, legal obligations
- Direct loss
- Compensatory payments
- Lost future revenue
- Billing losses
Classify IT applications/data as per their respective criticality and importance from a business point of view.
Set appropriate recovery time objectives and recovery point objectives for all applications, aligned with recovery requirements finalised with business stakeholders.
Total Cost of high risk without DR/BC: Without proper BC/DR the risks of recovery from a disaster are very high and insurance costs are generally very high as compared to environments with BC/DR in place. The probability of disaster striking a business has grown in the last decade due to climate change (storms, floods, earthquakes) terror threats, power failures (e.g. North America power grid failures), hacker attacks on business intranets/websites and virus risks.
A detailed recovery plan should cover the following points:
- Develop and practice a contingency plan that includes a succession plan for the company CEO.
- Train backup employees to perform emergency tasks as the employees you count on to lead in an emergency will not always be available.
- Determine offsite crisis meeting places for top executives.
- Make sure that all employees and executives are involved in the exercises so that they have practice in responding to an emergency.
- Make exercises realistic enough to tap into employees' emotions so that you can see how they'll react when the situation becomes stressful.
- Practice crisis communication with employees, customers and the outside world.
- Invest in an alternate means of communication in case the phone networks go down.
- Form partnerships with local emergency response groups, i.e. fire-fighters, police and EMTs to establish a good working relationship. Let them become familiar with your company and site.
- Evaluate your company's performance during each test and work toward constant improvement. Continuity exercises should reveal weaknesses.
- Test your continuity plan regularly to reveal and accommodate changes. Technology, staff and facilities are in a constant state of flux at any company.
- Make sure recovery investment is spent in the right place to protect the most-critical business processes. Performing a BIA will aid in identifying business process and resource criticality, priority and dependencies, so that spending can be prioritised accordingly. In addition, data backup and off-site storage processes are vital to ensuring minimal data loss. When facilities are inaccessible, work-at-home programs offer an effective means for workspace recovery and employee productivity.
- Identify technologies suitable for BC/DR and analyse each technology's benefits vs. its cost. Based on this cost-benefit analysis, ensure that the most appropriate BC/DR technologies are adopted for critical and medium-low RTO/RPO applications.
Analyse and document the total BC/DR implementation costs as compared to risk and total downtime/disruption costs for each application/process to the business in the case of disaster.
Generally, following the below formula is a good indicator of investment impact for a BC/DR solution.
Impact of Investments = Total Cost of Disaster – [(Investments Required for BC/DR) – (Return/Benefits of Investments on BC/DR)]
A positive value for the Impact of Investment factor shows that the total return on investments on BC/DR is more that total cost of implementing a BC/DR solution. Where as negative value indicates that BC/DR investment doesn't make business sense for that particular organisation.
In conclusion, in my experience the total cost of loss due to a disaster and its related risks (in an enterprise business environment) are significantly more than the total cost of implementing a well-planned and prepared BC/DR solution. Once business executives and senior management realise the importance of having proper BC and DR plans, it is easier to extract funding for future projects. The foundation of BC/DR success will come from senior management sponsorship and participation in addition to building BC into enterprise culture by weaving processes into the life cycle of every project and change management process.
About the author: Bilal Mehdi is a senior consultant at Glasshouse Technologies (UK), a global provider of IT infrastructure services, with over 9 years experience in large systems, Storage and Database solution design.