Disaster recovery is a term that originated in IT, referring to recovery of computer and network systems after serious interruption of operations or damage. However, from an overall business point of view it would be foolhardy to ignore the further reaching effects of IT incidents; and to what extent DR planning and management contain or exacerbate these effects. One of the major risks that accompanies IT disasters is reputational damage – especially when the IT systems directly concern an organization’s customers or constituents. How much do DR metrics like recovery time objective (RTO) take reputational damage into consideration?
RTO is expressed in units of time. If the end result you seek is expressed simply in terms of operations (‘all mission-critical IT systems functioning normally again’, for instance), then you can compare how long it took to get back to that state with your objective. However, the moment IT systems that serve customers keel over, the reputational damage also starts. It may be small and containable: ‘the power company’s online accounts system was down five minutes ago, but it’s back now’. Or it may be larger and more damaging: ‘the airline’s reservation system was down, I couldn’t book a flight, my trip is messed up – guess who I won’t be flying with next time!’
While reputational damage containment can be factored in to disaster recovery objectives, it’s an approximate process at best. Estimating from existing data points and estimates is the only way many companies have of estimating how they will be affected individually – and whether extra expense required to reduce an RTO is justified in terms of damage avoided. For internal systems, effects on staff morale and productivity should also be taken into account, rather than just calculating widget production shortfall. Disaster recovery teams should be encouraged to take a holistic business view that includes these ramifications even if their plans only directly concern the recovery of IT systems.