If you’re like many organizations, you have an inadequate disaster recovery (DR) program that leaves you vulnerable to risks such as loss of revenue, penalties and fines, not to mention the potential for negative impact to your business reputation due to downtime or data loss. Despite these risks, you’re likely having a difficult time justifying an adequate investment in DR to your senior management. You may feel like the only way you can attract management’s attention to this issue is to manually pull the plug on your data center on a regular basis.
This article will give you strategies for getting on the same page as senior management regarding DR. These strategies include:
- Striking the use of the term “disaster” from your vocabulary
- Making sure management understands the ROI of IT recovery
- Speaking about DR the right way—in terms of risk mitigation
- Pointing management towards a specific solution
Are you having trouble selling DR to senior management?
One reason relates to common attitudes towards risk. While people are risk averse and willing to pay to mitigate risk, they do so only when their own money is at stake. When company money is on the line, they’re far more willing to take risks. As a senior analyst at Forrester Research has said, “Organizations are willing to accept far more risk than I would have ever thought possible.”
Another reason for this challenge is that organizations like yours believe they have a comprehensive DR program when, in fact, their program is incomplete. Organizations often implement backup/recovery hardware and software but fail to consider the processes necessary to implement a full solution. These include:
- Mapping business processes to all the supporting applications and IT systems so the DR plan protects the entire business process, rather than isolated applications.
- Developing complete recovery processes to ensure the data center is fully recoverable.
- Fully testing DR plans with end user and application stakeholder involvement.
- Pre-configuring and validating end-user access.
- Using the results of testing to optimize recovery plans.
- Implementing comprehensive processes for change management to sync recovery processes to changes in IT systems.
- Categorizing business criticality with application tiering.
- Educating and collaborating with management on tiering structures for better RTO and RPO outcomes and the business impact.
Having an inadequate DR plan can negatively impact your organization, leading to:
- Interrupted service: During Hurricane Dorian in 2019, data centers throughout the Southeast U.S. and Canada experienced interruptions due to flooding.
- Lost sales and revenue: In 2019, American Airlines confirmed there was an issue with the Sabre flight reservation and booking system, used by several major airlines — including WestJet, Alaska Airlines, and JetBlue. Any type of downtime can cause millions of dollars in lost sales and revenue.
- High costs: 93 percent of companies without disaster recovery who suffer a major data disaster are out of business within one year, according to “The Ultimate Guide to Business Continuity and Disaster Recovery.”
- Potential supply chain disruptions: Disruptions to one partner can cause problems for partners up and down the supply chain, which means a company may not be able to deliver product due to events that occur around the world.
- Loss of reputation due to bad press about an outage: For example, on Feb. 7, 2019, Wells Fargo tweeted, “We’re experiencing a systems issue that is causing intermittent outages, and we’re working to restore services as soon as possible. We apologize for the inconvenience.” Many customers responded with tweets bashing the bank, which affected Wells Fargo’s reputation and ultimately its business.
Despite these risks, many IT organizations continue to face significant challenges in persuading senior management to provide the budget necessary to implement comprehensive DR programs.
Strategies for lighting a fire under executives with regard to DR
So how can you get your executives to pay attention to DR so you can protect your organization from data center interruptions? The following strategies can help you achieve this goal:
Strike the term “disaster” from your vocabulary
When people think about disasters, they imagine low-probability events, such as widespread regional outages caused by floods, earthquakes and acts of terrorism. Yet most downtime is caused by mundane events, including hardware failure, severe weather, human error, or power outages. In addition, there has been a rise in malicious employee-based incidents and external security events wreaking havoc on IT environments. Senior management is far more likely to pay attention to high-probability events. By excising the word “disaster” from your vocabulary — and referring to this challenge as IT recovery — you can prevent senior management from seeing DR as something necessary only for unlikely events.
Refer to IT recovery in terms of risk mitigation
C-level executives understand the concept of risk and are comfortable thinking in terms of risk mitigation. Talk about the risk of losing thousands to hundreds of thousands of dollars in revenue due to the interruption of a mission critical application. One way to approach this would be:
- Identify all the risks.
- Prioritize them by probability and business impact, which is defined as the hours of downtime multiplied by the cost per hour of downtime. Remember that costs can vary seasonally. The cost of downtime may be greater when the organization is working on end-of-year financials or during peak holiday seasons.
- Ask executives to identify the risks they’re willing to mitigate versus the risks they are willing to accept (leave unmitigated).
- Work with executives to develop a program that starts with mitigating the highest-probability/highest-impact risks, but then evolves over time to address lower-probability events.
Explain the benefits of IT recovery
Make sure management understands the benefits they can achieve from IT recovery, including:
- Gain competitive advantage: A customer experiencing one frustrating event can easily move their business elsewhere.
- Generate more revenues: At the most basic level, faster recovery means your mission-critical, revenue-supporting applications stay, well, up. But you can also turn IT recovery into a revenue-generating mechanism. For example, an outsourcing customer charged one price for hosting an application-as-a-service, and a higher price for “DR”-ing that application.
- Meet supply chain demands: When your organization is part of a supply chain, your customers may demand to know what will happen if you go down. By implementing an IT recovery program, you can respond to these customer demands.
- Meet regulatory and compliance requirements: Many laws and regulations require organizations to implement risk mitigation policies, practices and procedures. An IT recovery program enables you to meet these requirements.
- Meet SLAs: Many business agreements include SLAs that specify penalties for non-compliance or non-performance. An IT recovery plan helps organizations avoid these penalties.
- Meet fiduciary duties: C-level executives have a fiduciary responsibility to implement practices and programs which protect their business. CFOs must be responsible stewards of their shareholders’ assets. C-level executives can go to jail or receive personal fines if they don’t comply with these requirements. Thus, C-level executives’ roles require them to think about IT recovery.
Point management to a specific solution
It may work best to not simply focus on the fact that management needs to spend more on IT recovery, but rather to recommend which applications require an active recovery plan. To simplify the implementation process, think about selectively cloud IT recovery just as you would any other business processes.
Should you perform IT recovery in-house or outsource? A checklist:
Outsourcing can play a key role in implementing your IT recovery process. To help you determine whether this is the appropriate course for your organization, ask yourself the following questions:
- Do you face any regulations that would prohibit outsourcing? Even if such regulations exist, you may be able to outsource strategically. Look at your organization and determine whether you have any tasks you are permitted to outsource. By offloading these tasks, you can focus internal resources on areas that are highly regulated.
- Do you fear loss of control? Some cloud service providers are viewed as taking control away from your organization’s IT department, which may cause concern about whether you are truly protected. If you are concerned with loss of control, select a cloud service provider that operates as an extension of your IT organization under your guidelines.
- Are you concerned about increased risk? By employing an outside party to provide IT services, you may be concerned that you are letting another group of individuals access your data and systems. To mitigate this risk, make sure the outsourced service provider has safeguards to protect information against unauthorized access or false manipulation during creation, transmission, storage and retrieval operations involving third parties. Also, be sure the outsourcer understands and addresses your compliance requirements.
- Do you want to lower TCO for your IT recovery program? With traditional on-premises DR solutions, you need to purchase hardware, software and other elements at a 1-to-1 scale with your production datacenter, and purchase more as your data grows. The overall total cost of ownership for an outsourced DR solution — including the program, hardware, and recovery software — is significantly lower than for in-house solutions. Lower hardware and software costs result from the outsourced provider’s ability to achieve economies of scale when acquiring technology for use by a large number of customers, as well as from specialized expertise in implementing and maintaining these solutions. Outsourced service providers can reduce program costs by investing in automation technologies, including libraries and templates of run books and procedures, which dramatically reduce the time it takes to develop procedures. At the same time, the expertise, pre-developed procedures, and automation that outsourced service providers deliver improve IT recovery program effectiveness.
  - Program Costs
    - application mapping
    - procedure development
    - test planning and execution
    - post-test analysis
    - recovery lifecycle management
    - MRP costs
  - Annual Hardware Costs
    - networking equipment
    - hardware maintenance management and monitoring
    - MRP costs
  - DR Software Costs
    - backup software
    - backup software maintenance
    - backup appliances
    - disaster recovery
    - management and monitoring
    - backup space and power
- Do you really want to develop IT recovery as a core competency? Many organizations find having in-house staff perform IT recovery diverts valuable IT resources from supporting the organization’s core business activities. Faced with the high costs and substantial staff necessary to design and implement an IT recovery plan, many organizations are turning to managed service providers to perform these tasks rather than do so in-house.
With considerable expertise specifically devoted to IT recovery, cloud service providers can help you achieve the following:
- Speed: Backed by years of DR expertise, DRaaS provides much faster, more automated and more reliable recovery options than traditional DR approaches.
- Lower cost and enhanced reliability: Many IT services traditionally performed on-premises are now available as-a-service, eliminating the additional costs of investing in infrastructure and capital expenses.
- Improved administration: Lowers the administrative burden placed on IT and frees up team members to handle tasks that provide greater business value.
- Seamless redundancy and scalability: Provides peace of mind with no loose ends to chase or worry about. Services not only provide cost-effective redundancy for all critical business information systems, but also enable routine validation testing.
- Global standardized solution: One provider, one technology, one solution, with global accessibility from one interface.
- Are you confident you are recoverable? Given the risks you have identified, can you prove to the board you are recoverable? Usually, the best way to provide this proof is through regular testing or third-party audits (for companies in highly regulated industries).
Testing, essential to ensure a DR plan works properly, can take days to manually adjust and retest, shutting down both production and recovery sites. According to research, organizations of all sizes take about 50 hours on average for test planning, while setting up and tearing down the test environment takes anywhere from 80 hours for a small organization to 768 hours for a large enterprise. Testing also requires a sizable team for test planning, startup testing, ongoing testing, and setup and teardown of the environment. Other research has found this team ranges from approximately up to 13 engineers to meet the needs of a small business to 103 engineers for a large enterprise.
Organizations must address IT recovery by creating a comprehensive program that encompasses people, processes, and technology.
Following the strategies outlined in this article will enable you to justify the investment in IT recovery to senior management. Looking into a cloud solution provider can make it easier for you to point management to a specific, proven and comprehensive solution.