Would it surprise you to know that enterprises often spend around 25% of their information technology budget on disaster recovery solutions? With all that’s at stake including the survival in the market, companies can’t afford to get it wrong. While IT teams and internal auditors may be working on DR procedures and compliance, disaster recovery managers need to see the overall picture and identify any gaps or shortfalls that must addressed. The DR planning documents that list disaster recovery risks, impacts and objectives are the starting point. But while a plan is necessary, it’s not sufficient: execution and checking are vital components as well.
The key factors to be addressed in disaster recovery of IT facilities are power, space, the IT equipment itself (servers, PCs and mobile devices among others) and communications. If availability and capacity for these four items in disaster situations cannot be guaranteed using in-house resources, a DR manager will have to consider external suppliers. Whatever the combination of insourcing and outsourcing, the overall solution must be designed to give sufficient risk coverage and mitigation, and to meet specified targets for recovery time objectives (RTO).
All contributing parties, whether inside or outside the organisation, must recognize and agree to service levels that will allow the disaster recovery solutions to function correctly. Not only do such service level agreements need to be defined precisely and realistically, but they also need to be tested. Even if DR managers cannot cause flooding, fire, earthquakes or just server crashes, they can organize simulations of such situations to monitor expected responses, and improve them afterwards if required. DR plans and SLAs that have not been tested may leave the company a false and dangerous impression of security. Regular, realistic testing against objectives of all disaster recovery services is the only way to go.