Despite budget cuts, companies can't cease spending altogether on disaster recovery (DR) and business continuity (BC). However, the present economic climate presents an ideal opportunity
Overprotecting your data
Typically, IT departments ask business units what level of disaster recovery they think they need.
"They're going to get an answer that effectively seeks to prevent employees from being inconvenienced. But being inconvenienced and losing revenue are two very different things," said Richard Jones, vice president with Burton Group in Midvale, Utah.
Business units should be consulted, but IT is the agency responsible for ensuring your plan is both affordable and workable. Attempting to restore "all applications, all data" within 24 hours to 48 hours will cause you to spend more money than necessary.
That highlights the importance of a well-designed business impact analysis (BIA). Jones said the BIA sheds light on steps within the business processes, and also determine if certain steps can be handled using lower cost "workaround procedures".
Generally, your disaster recovery costs will be lower the longer you can go without access to data. Set realistic timetables to avoid needless spending.
"Implicit in a lot or organizations is the expectation that the IT department can recover everything on the order of a few days. In actuality, that's just cost-prohibitive," said John Morency, research director at Gartner Inc.
Another common error is associated with this perception: Very often, the discrepancy between actual need and perceived need does not get elevated to decision-makers at the executive or board level. Yet accountability for DR spending ultimately rests with executive leadership, not IT.
"As part of their fiduciary duty, (execs) need to make a conscious decision on either accepting the risk, or taking steps to mitigate it," Morency said.
Failing to maintain disaster recovery plans
Maintaining disaster recovery plans may sound easy enough to accomplish, but Jones noted that organizations often make initial capital investments in DR tools and architecture -- then get sidetracked by other business priorities. Without routine maintenance, an out-of-date DR plan actually delays recovery and ends up costing more money in the long run.
"It's the same concept you use when insuring your car or house. You're going to spend some money to maintain your DR plan, but you want to spend the right amount," Jones said.
Without vigilance in maintaining and testing your DR plan, initial investments are mostly wasted, Jones said.
Jones also recommended that organizations "examine the actual cost associated with DR, compared to what they could possibly lose because the DR plan hasn't been updated."
The key is to assemble a small team of people and make them accountable for keeping DR plans current -- including any major changes to your enterprise computing environment. Granted, this is challenging amid staff cutbacks, but shifting from a full-time to part-time focus on DR management carries indirect financial risks.
"A part-time focus may be okay to get through the economic downturn, but ultimately you are trading off well-focused, well-identified, fulltime accountability for making all this stuff work," Morency said.
Testing disaster recovery plans too often
This statement may raise eyebrows, because organizations frequently succumb to the opposite malady: not testing often enough. Disaster recovery testing isn't viewed as wasteful, but it is an expensive and time-consuming exercise, so companies are seeking ways to minimize the financial impact.
For example, Gartner surveyed CIOs at hundreds of large government organizations this year and found that costs of disaster recovery tests were growing. According to the report "Cost-Cutting IT: Should You Cut Back Your Disaster Recovery Exercise Spending?," average budgets for annual disaster recovery exercises ticked upward from $20,000 to more than $150,000 annually, depending on size, location, number of participants, scope of testing and organizational structure.
Morency said enterprises have begun to scale back their disaster recovery tests, focusing their ability on testing "a smaller number of mission-critical applications," including tools for email, ERP systems, supply-chain management, sales force automation, and other systems deemed essential to productivity and operations.
Similarly, organizations are increasing the time interval between testing lower priority systems in an effort to shave disaster recovery costs and maximize available resources.
Still, DR testing shouldn't be seen as wasteful spending. Before they cut back on testing, Morency recommended that organizations balance any cost savings against the potential for risk exposure.
Morency said there is no hard-and-fast rule to apply to all enterprise to help figure out how much testing is too much. The key is to start with those applications responsible for the lion's share of production, which is typically a small percentage of an organization's overall enterprise.
"Because if those applications don't come back, the rest of them are moot anyway," he added.
Overlooking the benefits of server virtualization
Related to testing, virtualization technology has matured to the point that almost every organization can reap the benefits with server virtualization products such as Microsoft Corp.'s Virtual Machine Manager, Novell Inc.'s PlateSpin Virtualization and Workload Management suite and VMware Inc.'s vSphere.
Virtualization is especially useful for organizations powered by Windows-based platforms. Server virtualization helps lower the capital expenditure and maintenance costs associated with building recovery data centers, Morency said.
Indeed, Jones said organizations with virtualized infrastructures notice a "definite and significant reduction" in testing costs.
"They've seen a little better than a 50% reduction in time to perform recovery tests, and slightly below 50% reduction in the number of resources. That's huge, and it's been pretty consistent among the organizations that I've talked with," Jones said.
Aside from DR and BC planning, "virtualization provides other benefits in terms or monitoring, messaging and ongoing deployment of new services," Jones said.
Reluctance to renegotiate with disaster recovery service providers
Morency advised companies to avoid waiting until the last minute to seek more favorable terms when renewing annual contracts with disaster recovery services providers. "Some of our clients are getting new contract service proposals with a monthly price anywhere from 5% to as high as 20% more than they were paying before," Morency said, as service providers seek to prop up falling revenues.
Morency recommended beginning as much as 12 months in advance of a contract's expiration date to explore other alternatives for acquiring more dedicated DR space, including virtual environments, collocation and hosting facilities and perhaps even cloud computing services.
When renegotiating, one of the requirements is that vendors focus on "teach your staff how to fish," Morency said.
"Whomever you engage, make sure they put enough time in to teaching your staff how to update the BIA and the recovery priorities, on a regular basis. That way, you don't have to re-engage a consultant year after year," Morency said.
About this author: Garry Kranz is a freelance technology writer in Richmond, VA. His work has appeared in SearchCIO.com, SearchSecurity.com, and other TechTarget news portals.