• United States



by Michael Dortch

Disaster Recovery and Business Continuance: Best Practices for IT

Jan 06, 200310 mins
Disaster RecoveryEnterprise

RFG believes most enterprises have no or inadequate plans for disaster recovery (DR) and business continuance (BC). Even where such plans are in place, many of them are out-of-date, and/or lack sufficient attention to important human factors. IT executives should ensure that DR/BC plans at their enterprises are comprehensive, and include processes for inclusion of input from key constituents and frequent testing and updating, so that such plans become and remain effective.

Business Imperatives:

  • Despite initially business- and life-changing events, many enterprises still have DR/BC plans that are critically inadequate, in scope, timeliness, or both, or have no DR/BC plans at all. IT executives should take leadership roles in convincing colleagues and constituents to support the creation and maintenance of comprehensive, up-to-date plans that address personnel and procedural issues as well as technological concerns.
  • DR/BC requirements cannot be met by comprehensive plans alone. IT executives should also work closely with line of business (LOB) managers, senior executives, and key user constituencies to develop compelling justifications and obtain complete support for those plans, to assure their short- and long-term success.
  • Once comprehensive plans are in place, buttressed with well-defined testing and refinement procedures, and support from key constituencies, key vendor relationships must be modified and updated as appropriate to reflect the goals of those plans. IT executives should ensure their DR/BC efforts include time and resources to evaluate vendors carefully, and establish worthy vendors as advisors and partners in future DR/BC efforts.

    RFG’s Information and Resources Center on disaster recovery includes several past Research Notes that provide guidance concerning specific issues, offerings, and vendors. This Research Note updates and expands on some of that information, and offers guidance on how best to approach four key pillars supporting every effective DR/BC strategy. These include:

    • comprehensive plans, including methods and resources for their frequent testing and refinement;
    • compelling justifications for such plans and their execution;
    • constituent buy-in at every level of the enterprise;
    • and well-managed vendor roles.

    What Constitutes an Effective DR/BC Plan?

    Every enterprise needs an IT infrastructure that can recover as quickly as possible from serious disasters and be resilient in response to successful threats. Various technological solutions, ranging from “hot spare” servers and redundant data centers and power supplies to personal firewall and anti-virus tools, can play important roles in delivering such an infrastructure.

    However, technologies alone cannot assure effective and successful DR/BC strategies. Such strategies must address personnel, procedures, and technologies to deliver maximum business value. Specifically, effective DR/BC strategies must be supported by plans that address needs for rapid restoration and continuance of personnel roles, business procedures, and critical technologies, in that order. Without people to operate them and procedures to guide those people, the most sophisticated DR/BC technologies available are of little to no value.

    IT executives should work closely with line of business (LOB) managers, senior executives, and key users within their enterprises, to identify and prioritize the staff positions and business procedures most critical to rapid restoration of business operations after a disaster. These positions and procedures should be identified as specifically and completely as possible in the enterprise’s DR/BC plan. Figure 1 below provides a sound starting point for determining the list of specific elements each enterprise’s DR/BC plan should address in these areas.


    1: Disaster Recovery and Business Continuance: Select Planning Specifics

    Personnel Continuance
    • Allocation of multiple offsite facilities for relocation
    • Provision of telephone and computing capabilities
    • Restoration of functionality to the most business-critical people and projects first

    Procedural Continuance

    • Construction of comprehensive disaster scenarios
    • Development of methods for restoration of critical data and systems
    • Development of methods for resumption of key business processes
    • Frequent testing and updating of scenarios and methods
    • Oversight by committee of IT, line of business (LOB), and senior managers

    Technology Continuance

    • Desktop and laptop backup and recovery solutions
    • Outsourced hosting of data and systems (with known, vetted providers!)
    • Redundancy for data and voice communications links
    • Relevant non-IT issues (including food, lodging, power, and transportation, as well as on-site decision-making empowerment)

    Source: Robert Frances Group

    In addition, business application profiles (BAPs) and user application profiles (UAPs), or their equivalents, should be expanded to include relevant DR/BC information. They should also be used to help DR/BC planners choose and prioritize the people, procedures, and technologies most critical to rapid, successful response to disasters. Not all resources require the same level or timeliness of protection, and different scenarios may require different time frames for implementation of DR/BC solutions and/or return to normal operations.

    Perhaps most important to sustained DR/BC success, effective DR/BC strategies and plans must require and support frequent testing and refinement of underlying scenarios and assumptions. At the very least, every significant change in business or IT infrastructure a new application, new server or storage platforms, or newly acquired or merged business units should trigger testing and possible refinement of an enterprise’s DR/BC plan.

    Compelling DR/BC Justifications

    To obtain adequate support and resources to create and maintain effective DR/BC plans, IT executives and their colleagues will likely need to justify DR/BC activities and investments to affected constituents and funding providers. Fortunately, at least in some senses, current conditions offer several compelling justifications for developing DR/BC strategies and plans that effectively address the key areas of concern discussed above.

    Disasters can result in outages that range from hours to days or weeks. This can result in losses in revenue and productivity that can reach tens of millions of “hard” and “soft” dollars, particularly at enterprises highly reliant upon IT-enabled financial transactions. IT executives should work closely with their business-focused colleagues to quantify such potential losses as completely and accurately as possible.

    Beyond lost revenues and productivity, sufficiently disastrous disruptions can threaten an enterprise’s very existence. According to some industry-watchers, as many as 20 percent of companies that experience serious, sustained disasters go out of business completely within 24 months of such events. Such harrowing potential eventualities should motivate IT executives to ensure their DR/BC plans identify all potential failure points in their enterprise infrastructures, and focus on protecting and/or avoiding these in case of a significant disaster.

    In addition, regulations are increasingly compelling companies, particularly those in specific industries, to implement effective DR/BC strategies and plans. Examples include the Federal Thrift Supervision Act for financial institutions and the Health Insurance Portability and Accountability Act (HIPAA) and related regulations for enterprises involved in health care and insurance. Anticipated “Homeland Security” initiatives are expected to impose similar requirements on utilities and transportation companies, and perhaps other types of business as well.

    Further, corporate liability insurance rates are increasingly likely to be affected positively when DR/BC solutions are implemented, and negatively when they are not. IT executives should work with legal and insurance experts within their organizations, to identify and respond to any regulatory or other financial incentives to implement effective DR/BC plans at their enterprises.

    IT executives should also not overlook the desire of their enterprises’ senior executives to avoid what some industry wags call “CNN moments.” As amply demonstrated by outages at, Inc., Charles Schwab & Co., Inc., eBay, Inc., Merrill Lynch & Co., Inc., and elsewhere, such moments can be embarrassing to executives and financially damaging to their companies.

    Taken together, these and other justifications and evolving market conditions point to an inescapable conclusion. While other IT initiatives may be desirable, effective DR/BC strategies and plans are absolute essentials, from both IT-centric and business-focused perspectives. IT executives should work diligently to make this clear to any at their enterprises who may be able to affect availability of resources to support such strategies and plans. IT executives who cannot demonstrate the potential costs to their companies of ineffective or no DR/BC efforts may find it difficult or impossible to gain the support DR/BC initiatives need to succeed.

    Complete Constituent Buy-in

    Once initial plans are in place and effective justifications identified, IT executives and their colleagues should strive to ensure support for their DR/BC plans among all key constituencies. At most enterprises these will include the IT team itself, senior corporate and LOB executives, and users. As part of their efforts to garner support from all quarters, DR/BC plans should be published and widely disseminated, so everyone knows what is possible, what’s at stake, and the potential costs involved.

    With IT team members, attempts to solicit support should focus on the ability of effective DR/BC strategies to result in greater business value and alignment for IT. This can result in opportunities for IT staff members to enjoy increased perceived value at their organizations, and to achieve personal and professional growth in their jobs.

    With senior corporate and LOB executives, attempts to garner support should focus on business benefits, including more reliable and responsive operations, and on the specter of lost revenues if effective DR/BC strategies are not supported. Such efforts should also include frequent solicitations of input and feedback from these constituents throughout the DR/BC planning process.

    Where users are concerned, the prospects of continued, consistent productivity with minimal disruptions can prove persuasive. As with LOB and senior executives, IT executives can increase support from users by soliciting their input and feedback throughout the development of DR/BC plans, and during testing and significant refinement of those plans.

    The Role of Vendors

    Vendors can play important, valuable roles in helping enterprises develop and execute effective DR/BC plans that integrate tightly with business processes and goals. However, IT executives and their DR/BC colleagues must work together carefully, to determine whether and where best to engage the help of vendors. This is especially true when DR/BC plans include reliance on vendors for outsourced services, which may need to be invoked quickly and under duress in the face of a sufficiently significant disaster.

    Specifically, IT executives and their colleagues should identify their key and critical vendors, and include those vendors in the DR/BC planning and strategy development. IT executives should ensure that key requirements are spelled out explicitly in all contracts, and are agreed to by all parties. In addition, candidate critical vendors should also be fully vetted, to confirm that they have the capacities they claim. Several enterprises suffered in the aftermath of events on Sept. 11, 2001, when their chosen outsourcing vendors oversold claimed capacities.

    Beyond the above, IT executives and others leading the DR/BC charge at their enterprises should cautiously and selectively focus their attentions on vendors that have demonstrated the ability and willingness to act as trusted advisors. Figure 2 lists some of the specific indicators for which IT executives and their DR/BC colleagues should look for in their candidate vendor partners.


    2: What Makes a Vendor a Candidate Trusted Business Partner?

    • A broad range of integrated, open, proven technological tools and resources.
    • A demonstrated commitment to the success of every client and partner.
    • A high likelihood of long-term marketplace survival.
    • A successful track record of focused, strategic industry partnerships.
    • A successful track record of working closely with customers to help them achieve their business objectives and goals.
    • Adequate reach and accessibility, to global and 24/7/365 levels where appropriate.
    • Business-savvy professionals who can help users plan, deploy, customize, and integrate those users’ chosen technologies with each other and their enterprises’ overall business goals.
    • The proven ability to use IT to solve business problems, not just technological challenges.

    Source: Robert Frances Group

    RFG believes IT executives can and should lead proactive, comprehensive efforts to implement, execute, and manage adequate DR/BC plans at their enterprises. Nothing less than the very health and viability of those executives’ enterprises is at stake. If IT executives can develop effective plans, then form alliances with LOB and senior managers, users, and appropriate vendors, they and their enterprises will be rewarded with more reliable and resilient IT and business infrastructures.