Step 2: Define
The second step is to establish realistic and specific business recovery objectives. RTO and RPO requirements need to be defined in terms of risk/reward. That is, how much protection does the company really need, and how much is it willing to pay for?
CIOs should adopt a structured, formal approach, drawing on published methodologies -- including IT Infrastructure Library, COBIT and ISO standards 17799 and 27001 -- that define risk, threats and controls.
But actually defining how robust a DR plan a company needs is a business decision. Forrester's Krojnewski says executives sometimes ask for unrealistic or overly expensive continuity. And IT needs to provide a reality check.
"The key problem is people from IT and business don't talk the same language," he says. "The role of the challenger has to be an internal IT person. But the scope is solely a business decision."
CIOs should document business processes arranged by tier of criticality, usually on a scale of one to five (see "How to Classify Assets for Recovery"). Customer- and partner-facing apps tend to fall into tier one importance, while back-office operations are deemed less critical. But some apps may need to be moved up in importance because of the way they interact with mission-critical systems.
When Chris Formes became IT manager at Brookfield Homes, the $888 million public company didn't have a DR plan, so he hired a contractor to perform a threat assessment and design a recovery strategy. At the highest level of failover continuity, the plan would have required a $200,000 hardware investment and $90,000 the first year in service costs.
"I felt it was important to have a plan in place," he says. "But when I looked at the numbers and sat down with the company president, it didn't make a lot of sense for the kind of work we do. In the event of a disaster like an earthquake, we're not doing any work anyway."
Instead, the Del Mar, Calif.-based company opted to go with an eight-hour RTO and tape backup, hiring Arizona-based Insight Enterprises to deploy a tape system to take a snapshot of the storage area network every hour. The company also rolled out Mimosa Systems' NearPoint email solution to archive its Microsoft Exchange server data. The cost of business continuity dropped to $1,200 a month.
"DR is simply an insurance policy," says Formes. "It's risk and reward. In our case it wasn't worth the risk [for total business continuity]. We wouldn't lose any revenue. We'd be hampered, but the process of building homes wouldn't stop."