Forrester Research and Disaster Recovery Journal have partnered to field a number of market studies in business continuity (BC) and disaster recovery (DR) in order to gather data for company comparison and benchmarking, guide research and publication of best practices and recommendations for the industry. This study, which focuses on DR preparedness, was first fielded in the fall of 2008 and then again in 2011, 2013, and 2016. We designed this year’s study specifically to determine:
- organizational confidence in DR preparations and preparedness
- market drivers fueling continued improvement in DR preparedness
- organizational practices regarding DR program governance, planning, plan maintenance, and testing
- how organizations provision and architect their data center recovery sites
- current recovery objectives and technology adoption
- the most common causes of disaster declarations and downtime and the cost of downtime.
Companies Enhancing DR Preparedness; Achievements Will Be a Mixed Bag
Since we first fielded this study in 2008, we have seen dramatic increases in the adoption of advanced replication technologies, sophisticated multi-site data center architectures and use of public cloud for storage, archival, and disaster recovery. Despite these technological advancements, only 38 percent of respondents feel very prepared they could recover their IT services in the event of a site failure or disaster event, and 42 percent rate themselves as prepared (see Figure 1).
As we’ll see in the rest of the study, while companies improve their preparedness levels, their service-level achievements in terms of delivering 24×7 services will not be in line with business expectations. Companies will be challenged by the lack of understanding around cost of downtime despite being a driver for DR investments, lack of maturity in core planning processes, out of date plans, and limited testing. It comes as no surprise that most organizations say improving DR at their firm is a critical priority. In this hyper-competitive world, the need to stay online 24×7 and improving availability of mission critical applications are the top drivers. (see Figure 2).
Considering investment in DR has declined from a monetary, personnel, and time standpoint – and that recovery time and recovery points have become more stringent – this assurance appears to be unrealistic.
DR Programs Report to a Variety of Leaders, And Not Always to a C-level Exec
One item of good news: only 4 percent of respondents reported lacking any kind of formal DR program. The bad news? Only 57 percent reported having a unified program which spanned the entire enterprise (see Figure 3). The remaining respondents said they have separate silos of DR planning or separate silos of DR planning those loosely coupled by a DR program director or equivalent. Sometimes, particularly for large enterprises consisting of acquired companies or have business units which essentially act as independent businesses, the loosely coupled silo approach is pragmatic. However, for many years there has been a movement toward a more practical federated model where overall governance, strategy, policy, processes, and standards are set by a strong corporate group while local planners can customize specific plans for their region or business unit. Our study also revealed:
- Many DR programs still report into the head of infrastructure and operations. According to our study, while 40 percent of DR programs report to the CIO and another 15 percent report to the CISO, 15 percent report into infrastructure and operations or a storage manager (see Figure 4). Reporting to infrastructure and operations is not surprising given this is where responsibilities for networking, storage, compute, and overall data center strategy and management reside. This approach does create challenges because it doesn’t always give the DR program director enough of an expansive view or the authority to ensure the resiliency of end-to-end IT services which support critical business functions.
- Most DR program heads do not report to C-level executives. 48 percent of the heads of DR programs report directly to a C-level executive (see Figure 5). The rest are one to three levels removed from a C-level executive. While this reporting structure is a positive step compared to what we found during the prior surveys, it still is a concern. If the DR program director doesn’t report directly to a C-level executive, they lack not only the authority to enforce certain requirements but the influence to affect more significant change – such as influencing data center strategy, security standards and compliance, enterprise architecture, application development and delivery, participation of application owners in DR drills and the testing regimen.
DR Strategy Encompasses Public Cloud Workloads
Public cloud adoption continues to increase significantly. According to Forrester Research, the public cloud infrastructure services business is estimated to grow to $122 billion by 2022. For cloud native workloads, firms use cloud providers’ native services such as replication across region or availability zone to improve disaster recovery and business continuity. Two-thirds (67 percent) of the respondents say they leverage different availability zones from the same cloud provider to improve recovery capabilities (see Figure 6). Ten percent of the respondents use multiple cloud providers to improve the overall resiliency of their business applications hosted in the hyper-scaler cloud environment. The rest (23 percent) – which have not included public cloud hosted applications into the DR program – operate with the assumption that either the cloud provider is responsible or resilience is a default feature for all cloud services. Clearly, this is a myth.
Disaster Recovery Planning and Maintenance Remain Areas for Improvements
Conducting a business impact analysis (BIAs) is critical to identifying critical business functions, mapping all IT dependencies and interdependencies, and defining recovery objectives. Conducting a risk assessment is critical to understanding what specific steps you can take to mitigate the most probable, high impact risks, and then developing plans for the residual risks which remain. Together, the BIA and risk assessment are the core inputs into your business case for DR investment, your risk mitigation strategies, architecture, technology adoption, and your documented DR plans. Unfortunately, many organizations still fail to conduct and refresh these core planning functions with any sort of regularity (see Figure 7). Forrester recommends organizations aspire to continuous BIAs and risk assessments rather than treating these processes as one-time or periodic updates.
Most experts will agree that tests or exercises are the best way to ensure preparedness. In the past, survey results have returned disappointing results around organizations’ testing regimens. However, this iteration reveals some good news: 35 percent of organizations are now running a full test once a quarter or more frequently. Sixty-five percent of firms run a full test twice per year or more frequently (see Figure 8). As the rapid rate of business changes force changes in IT, it is critical for companies to update their plans continuously. This is something only 10 percent of organizations do today, a decrease from 14 percent in the prior study (see Figure 7).
Cyberattacks – An Increasing Cause of Business Outages
According to our study, 50 percent of organizations declared a “disaster” and failed over operations to their recovery site at least once during the last five years. This does not include organizations which likely had major disruptions of one or more systems but opted not to failover – a typical occurrence when organizations lack confidence on their capabilities. The main culprits for declared disasters which require full failover are IT failures, including hardware, or software failures. The next three most common causes of declared disasters are cyberattacks, followed by power failures, and network failures (see Figure 9).
We often most strongly associate “disaster” recovery with climactic events or human-made disasters such as terrorist events. The increasing number of ransomware attacks clearly indicates DR planners should take note of the impact of cyberattacks. Cyberattacks from ransomware attacks to DDoS attacks should not be treated as exclusively the domain of the security team. DR planners need to develop recovery options, workflows, and plans post-ransomware attacks as the recovery options are not the same as those are in rest of the disaster incidents. DR planning should account for any impact to the firm’s IT capabilities regardless of the source of the disruption or impact.
When we asked organizations which had declared a disaster to identify their biggest challenges or lessons learned from the event – mismatched business expectations with IT capabilities and insufficient testing and overall preparedness came out as the top two – proving once again that most DR preparedness deficiencies today can be traced back to a lack of maturing IT governance and process.
Many DR Program Owners Don’t Know Cost of Downtime
DR program owners consistently face the challenge of justifying the budget and investment for DR program. Executive leadership demand investment justification from DR program owners. When we asked organizations, which have declared a disaster in the last five years, to share the total cost to company from the last disaster, 38 percent of the respondents mentioned they are not aware of those figures. Not knowing the cost of downtime reveals the lack of connection between the DR program owners and the line of businesses (see Figure 10). Lack of engagement and understanding of business losses reduces the possibilities of getting the required budgets that will otherwise enable IT to invest into the right people, technology and process improvements. Interestingly, 41 percent of the respondents highlight the cost of downtime as the key driver to improve disaster recovery capability.
In the fall of 2019, Forrester Research and Disaster Recovery Journal (DRJ) conducted an online survey of a total of 80 respondents. The respondents are split into two different respondent groups – 30 DR leaders/program owners (DRJ members and Forrester clients) and 50 DR leaders provided by the panel from SurveyMonkey platform. The responses from the two surveys have been combined to draw analysis and conclusions.
In this survey:
- Fourteen percent of respondents were from companies which had 0 to 999 employees – what Forrester defines as small and medium businesses; 39 percent had 1,000 to 4,990 employees; 26 percent had 5,000 to 19,999 employees; and 21 percent had 20,000 or more employees.
- All respondents were decision-makers or influencers in regard to planning and purchasing technology and services related to disaster recovery.
- Respondents were from a variety of industries.
Part of the respondents of this study is a self-selected group of respondents (predominantly DRJ members and Forrester clients) and is therefore not random. These respondents are more sophisticated than the average. They read and participate in business continuity and disaster recovery publications, online discussions, etc. They have above-average knowledge of best practices and technology in BC/DR. The rest of the respondents are a qualified group of respondents who were randomly selected for responses by SurveyMonkey, the survey provider. With a combination of random and non-random responses, the survey is still a valuable tool in understanding where advanced users are today and where the industry is headed.