Disaster Recovery Maturity
December 17, 2013
As an IT Business Continuity Consultant, I come across many organizations who think that having a solid disaster recovery strategy in place or even better, a well-documented Disaster Recovery Plan on hand provides the assurance that they will successfully recover their IT environment following a disaster or a loss of access to the IT infrastructure. This is often far from reality; because you have documented the recovery procedures for your critical systems and have a technology solution in place in support of recovery, this provides no guarantee that you can recover from a disaster.
Much like a fire department with a ladder truck but with no training and without a fire chief, a disaster recovery plan without ownership and commitment offers no guarantee. Successful, dependable and repeatable recovery can only be ensured as organization reaches a certain level of DR maturity.
The answers to these initial questions will help you determine your organization’s DR maturity (be honest):
- Do I have full executive support for Disaster Recovery Planning?
- Is there an annual budget in place specifically for DR or is it funded like any other project?
- Is there staff allocated to owning, updating and testing the DR plan (DR Plan ownership)?
- What type of DR tests do we conduct and how frequently?
Some of this may seem obvious but let’s dig a little deeper. If your DR planning efforts are only mostly IT driven, your DR capabilities will always be somewhat limited. For one, you likely have to take a best guess at what the business recovery requirements are. With top executive support and commitment, you get to work with the business groups on defining those requirements. With executive support also comes the funding for DR as process rather than a project. Without an annual budget allocation, plan maintenance, testing and training must be justified and funded each year and risk being put on hold to accommodate higher priorities.
Staff allocation for DR ownership comes with executive support, commitment and funding. This does not have to be a dedicated role and, depending on the size of the organization, can be part of a broader job description. However, ownership of the DR program is vital to ensuring regular plan maintenance, testing and DR training. Without ownership, everyone assumes someone else is taking care of it and your plan quickly becomes untested and obsolete.
I mentioned testing a number of times already so let’s talk about it. It is a very common mistake for organizations to want to conduct a full blown DR test following the completion of a DR plan; this not only a mistake but also an unreasonable expectation and overall a bad idea that can turn into a disaster of its own by disrupting the production IT environment. Like anything else, you only get better with practice so do not expect to break the world slalom record the first time you ski; start small with something like a table top exercise at first (reading and ‘acting’ the plan as a group) and add new elements with each new test by including technology recovery components. Testing is one of the most noticeable signs of achieving DR maturity; as you DR tests increase in scale and integrate real recovery scenarios, you team gets better at it, becomes more familiar with the procedures and continuously improve the plan. This is also the best form of training allowing the DR team to achieve a constant state of readiness which ultimately, it the true sign of an organization’s DR maturity.