Many organizations are challenged by this discovery phase. First of all, assessing the sheer volume of applications used in various departments can be daunting. In addition, business staff may not agree on which applications are mission-critical until they see the risks actually quantified in the business-impact analysis. Furthermore, it can be difficult to quantify the intangible results of negative media coverage and loss of reputation, but these results can have a long-lasting impact on profitability.
Where are the gaps?
Once mission-critical systems are defined, the organization should next analyze the gaps between the business needs and current recovery mechanisms. The in-house IT staff and outside technology vendors should be able to provide insight about current capabilities and recovery options specific to particular applications.
The Midwest hospital, for instance, learned that restoring the EMR would take 48 to 50 hours under current conditions, whereas the recovery-time objective was no more than two hours, and ideally near zero. Obviously, the gap was unacceptable, as the hospital could not afford to risk any EMR downtime.
The organization inevitably must address the perceptions of business staff versus current realities. They may not realize that assuring timely recovery requires IT investments that may not have been planned or adequately funded — and they may be unhappy to learn that their operations are not as well-protected as they had assumed.
Since senior business staffers typically control the budgeting of technology projects, it is important to engage them in reviewing the business impact and gap analyses. To remediate the most critical gaps, the IT team will need to make a clear business case for investing in recovery infrastructure, such as storage replication, disk-based backups, and off-site servers. The business-impact analysis is a helpful tool for juxtaposing business risk against the cost of IT infrastructure investments.
How can you close the gaps?
After the gaps are identified, the organization can create a technical and procedural plan to close them, along with the associated costs of each recovery strategy. Clearly, the mission-critical systems will receive the highest level of attention and investment, while the less-critical applications will be recoverable over longer periods of time.
Often, the best solution is to create a secure “hot site” for highest-priority applications, with disk or tape backup for others. This off-site facility hosts a replica of the mission-critical applications and data, and can be quickly activated during a disaster. Since a hot site that completely mirrors all IT systems could cost even a small organization seven figures, this strategy must be deployed very selectively.
Less-costly backup options include disk, tape or, increasingly, even the cloud. As cloud-based services evolve, this may become another standard recovery strategy. However, in many cases today, cloud options are best fit for DR for less critical systems. As time goes on, cloud will likely become increasingly more compelling for even mission-critical systems, though.
How long will it take to close the gaps?
Closing the gaps between business needs and capabilities may be a multiyear process, depending on the time and resources available. A thorough disaster-recovery plan will include the details of IT infrastructure improvements, timelines for project phases and resources required so the organization can budget for the multiyear implementation costs.
For most organizations, disaster-recovery planning is a valuable education process. It is comparable to buying an insurance policy, and you should not invest in the insurance until the risks and mitigation strategies are fully understood. Most important, disaster-recovery planning compels the organization to anticipate the worst — and feel more confident about tackling the aftermath.
Nick Chandler is a Senior Consultant for Data Center & Application Delivery at Burwood Group, a consulting firm specializing in IT management and infrastructure solutions. Chandler specializes in the design and deployment of Data Center infrastructure technologies, including core networking, server virtualization, and unified storage. Founded in 1997 and headquartered in Chicago, Ill., Burwood Group serves local, national and international clients, helping them bridge the gap between business strategy and technology solutions.