FIVE STEPS TO BETTER DISASTER RECOVERY AND BUSINESS CONTINUITY HYGIENE
CONTENTS

PART 1: Disaster Recovery and Business Continuity Planning and Technology
PART 2: The Business Side of Business Continuity and Disaster Recovery
PART 3: Better Disaster Recovery and Business Continuity Hygiene
APPENDIX: Raw Survey Data
Business can no longer function without technology. And if business can no longer function without technology, disaster recovery and business continuity strategies and technologies not only support business-critical systems, they become business-critical systems themselves.

IT World Canada has produced a detailed online survey of disaster recovery and business continuity strategies and practices in the Canadian enterprise. More than 160 respondents, IT decision-makers at firms with more than 50 employees, gave us detailed information about practices at their companies.

We've analyzed the practices of the organizations that have fewer outages, recover more quickly, and are most confident in the effectiveness of their plans. More importantly, we've analyzed what weaker business continuity plans lack. We call this basic business continuity hygiene.

Dig into this detailed report on what the Canadian enterprise community is doing on the disaster recovery and business continuity front, how that is affecting the stability of their operations, and what the five key elements of disaster recovery and business continuity hygiene are.

Dave Webb
Chief Content Officer
IT World Canada
PART 1: DISASTER RECOVERY AND BUSINESS CONTINUITY PLANNING AND TECHNOLOGY

One in three Canadian businesses has had a prolonged IT systems failure of 24 hours or more. That stark number alone speaks to the necessity for a thoroughly designed business recovery strategy and practice. In fact, seven per cent of Canadian enterprises surveyed had an extended IT failure more than once.

But Canadian businesses are confident with their ability to deal with an outage, with an overwhelming 92 per cent saying their IT infrastructure is somewhat or highly able to cope with a disaster recovery situation. Still, only 70 per cent had a business continuity plan. While another 11 per cent said a business continuity plan was under development, a full 20 per cent had no plans at all.

[Chart: Do you currently have a business continuity plan in place? Yes 70%; Under development 11%; No 20%]

While virtually all the respondents who said they did in fact have a business continuity plan (97 per cent) were also confident their infrastructure was at least somewhat able to deal with a disaster recovery situation, 80 per cent of those without a business continuity plan believed they were at least somewhat able to deal with a disaster recovery situation.

Of those companies that had a business continuity plan, 42 per cent had never rehearsed it. Of those companies that rated their ability to cope with a disaster recovery situation as very able, 75 per cent had rehearsed their business continuity plans.

Companies that had rehearsed their business continuity plans estimated they could recover their mission-critical data and applications faster, too. Of those companies that did rehearse, 42 per cent estimated that they could recover data and applications within two hours of a failure, compared to 16 per cent of those that did not rehearse their business continuity plan. Ten per cent of the rehearsed companies estimated it would take longer than a day to recover their systems, while 15 per cent of the unrehearsed companies believed it would take that long.
KEYS TO QUICK RECOVERY

Time to recovery is a key metric, so let's explore it a little further. Of all companies surveyed, 59 per cent believed they could recover mission-critical systems in less than five hours. Only 12 per cent believed it would take more than one day. What do the quick-recovery companies have in common?

[Chart: If you were to experience any downtime, how long would it take to fallback to recover your data and applications? Less than two hours 29%; Two to five hours 30%; Six to 12 hours 16%; 13 hours to one day 13%; More than one day 12%]

87 per cent of the companies that said they could recover in less than two hours, and 77 per cent of those who said they could recover in under five hours, had a business continuity plan in effect.

57 per cent of those who believed they could recover their systems in under five hours hosted their mission-critical applications on-premise, while 37 per cent hosted them offsite but managed them internally, and 12 per cent had their mission-critical applications hosted in a cloud-based environment. The low figure for cloud-hosted applications could be misleading though, since only 9 per cent of those surveyed hosted their mission-critical apps in a cloud environment. In fact, of those companies, 78 per cent said they could recover their data and applications within five hours.

67 per cent of businesses that hosted their backups offsite, self-managed in a secure location, said they could recover data and applications within five hours, compared to 52 per cent of companies that hosted backups onsite, 48 per cent of companies with data hosted offsite by a third party, and 38 per cent of those who stored their backups offsite with an employee.

Virtually all of the companies with sub-five-hour recovery times (98 per cent) backed up data daily.
BACKING UP

Overall, the respondents in this survey overwhelmingly practice daily backups: 97 per cent. Two per cent backed up weekly, and one per cent backed up monthly. (Note: In the context of another question, two per cent claimed they don't back up at all.)

There's not that same consistency in the validation of those backups. Thirty-three per cent of companies validated at least a portion of their backed-up data weekly, while 35 per cent validated monthly and 19 per cent semi-annually. The remaining 14 per cent said they never validated their backups, or that they don't do backups at all.

The frequency of validation had minimal influence on the companies' confidence in their ability to respond to a disaster recovery situation. Weekly, monthly or semi-annually, more than 90 per cent of respondents felt they were at least somewhat able to deal with disaster recovery (96, 94 and 90 per cent, respectively). Only 78 per cent of companies that did not validate felt at least somewhat able to deal with a DR situation. This suggests that, while backup validation has an effect on a company's ability to recover from a disaster situation, there is no consensus on what the best practices are in terms of frequency of validation.

[Chart: Where are your backups stored? Offsite, managed by third-party service provider 39%; Offsite, managed by organization 27%; Onsite 18%; Offsite, with an employee 16%]

Finally, the majority of respondents said they store their backups offsite, with only 18 per cent storing them on-premises. The largest number (39 per cent) had their backups offsite and managed by a third-party provider, while 27 per cent stored backups in a secured, offsite location managed by the company itself. Interestingly, 16 per cent of companies leave their backups offsite under the care of an employee.
PART 2: THE BUSINESS SIDE OF BUSINESS CONTINUITY AND DISASTER RECOVERY

By definition, the failure of a mission-critical system renders a company unable to do business. This implies that there is a cost of downtime associated with a business-critical system failure. Therefore, business should be able to identify the cost per hour or day of mission-critical system failure.

[Chart: Have you identified the cost associated with temporary loss of mission-critical application services and systems? Yes 50%; No 50%]

Surprisingly, slightly more than half (50.3 per cent) of companies surveyed had not identified the cost per unit of downtime. There were few factors distinguishing those who knew the cost of their downtime and those who didn't. Those who had experienced an extended outage were only slightly more likely (54 per cent) to have associated a specific cost with downtime than those who hadn't. Of those with a business continuity plan, only 55 per cent had determined this cost, though those currently developing their plans were more likely to have a dollar figure to attach (59 per cent).

But a few things stand out. For example, 75 per cent of those surveyed who did not have a business continuity plan couldn't attach a dollar figure to their downtime. Seventy-four per cent of those who did not validate their backups didn't know the cost of their downtime. Sixty-seven per cent of companies that had not rehearsed their business continuity plan didn't know the cost of downtime.

These are all practices we've outlined above as what we'll call basic business continuity hygiene. This suggests that while identifying the costs of downtime doesn't necessarily lead to better business continuity practices, not identifying those costs is a symptom of weakness in its execution. Good business continuity hygiene begins with identifying the cost per unit of time of a mission-critical systems failure.
NEED TO KNOW

On other fronts, though, Canadian enterprises seem to be on top of the information they need for a thorough business continuity and disaster recovery plan:

67 per cent have determined the minimum service levels required to operate during a disaster recovery situation.

85 per cent have identified and ranked their business-critical applications.

77 per cent have evaluated and classified their data in terms of business priority.

82 per cent have identified users critical to keeping the business running during a disaster, and 87 per cent have up-to-date contact information for all employees.

REGULATORY CONCERNS

Many industries, particularly financial institutions, are governed by strict regulatory and compliance guidelines that apply during a period of disaster recovery. Adherence to these regulatory requirements should be an informing influence on the development of disaster recovery and business continuity plans. Of the companies we surveyed, 63 per cent said they had identified regulatory and compliance guidelines they must meet during a disaster recovery effort.

[Chart: Have you identified any regulatory and compliance requirements that you must meet during a disaster recovery period? Yes 63%; No 37%]

Of those organizations surveyed that had no business continuity plan, only 38 per cent had identified regulatory requirements that had to be met during a disaster recovery exercise. That's 11 per cent of companies that have identified these requirements. The 78 per cent of businesses that have identified these requirements and do have a business plan, and the 10 per cent that have one under development, are minimizing this particular business risk, provided the business continuity plan is consciously aimed at meeting those regulatory requirements.
BUDGETING FOR THE WORST

An effective business continuity plan, like any other project, benefits from dedicated, specific budgeting within the IT budget umbrella. Surprisingly, only half of IT professionals surveyed said there was sufficient, specific budget for business continuity. Twenty-three per cent said they had no business continuity budget at all; 12 per cent said their budget was insufficient. Not even having been burned previously by an extended outage convinces companies to budget adequately for business continuity; only 46 per cent of those businesses that had had one or more 24-hour-plus outages budgeted sufficiently for disaster recovery.

PART 3: BETTER DISASTER RECOVERY AND BUSINESS CONTINUITY HYGIENE

The information for this survey, when it is sliced and diced, gives us some insight into the practices of organizations that have fewer episodes of extended system failure and that recover more quickly from a mission-critical system outage. Adapting these practices will lead us to a more comprehensive and effective disaster recovery regimen through better business continuity hygiene.

First on the list of best practices is having a business continuity plan in the first place. Organizations that do have one recover more quickly from a mission-critical systems failure. If you don't have a plan, or are in the process of developing one, take these practices into consideration when creating one. If you already have a plan, assess whether it has all the elements it needs.

1. Attach a dollar value to the cost of mission-critical systems failure. Knowing this number makes you more likely to develop a plan with fewer weaknesses.

2. Take into account regulatory and compliance requirements. If your organization faces particular requirements, those requirements must be woven into the fabric of the plan to ameliorate the business risks of regulatory action.

3. Budget specifically for a business continuity plan. Companies that have had extended system failure are less likely to have a specific budget for business continuity.

4. Back up at least daily. And plan to validate the data of those backups periodically. Since there is no consensus on the optimum frequency of validation, address the issue with your internal team, or in consultation with your service providers if you use them.

5. Rehearse your plan. Periodic simulations should be part of the business continuity and disaster recovery strategy. Organizations that perform them recover more quickly from a systems failure.
APPENDIX: RAW SURVEY DATA

Has your business ever experienced an extended (more than 24 hours) IT-related failure?
Never 68%; Once 26%; More than once 7%

How would you rank the ability of your infrastructure to cope with a disaster recovery situation?
Highly able 48%; Somewhat able 45%; Somewhat unable 5%; Highly unable 2%

Do you currently have a business continuity plan in place?
Yes 70%; Under development 11%; No 20%

If you have a business continuity plan in place, have you exercised (rehearsed and tested) it?
Yes 52%; No 38%; We do not have a plan 11%

If you were to experience any downtime, how long would it take to fallback to recover your data and applications?
Less than two hours 29%; Two to five hours 30%; Six to 12 hours 16%; 13 hours to one day 13%; More than one day 12%

How often do you back up your data?
Daily 97%; Weekly 2%; Monthly 1%

How often do you validate at least a portion of your data backups?
Weekly 33%; Monthly 35%; Semi-annually 19%; Never 12%; Don't back up 2%

Where are your backups stored?
Offsite, managed by third-party service provider 39%; Offsite, managed by organization 27%; Onsite 18%; Offsite, with an employee 16%

Have you identified the cost associated with temporary loss of mission-critical application services and systems?
Yes 50%; No 50%

How long can you be without your mission-critical applications before business is unacceptably impacted?
Hours 45%; One day 29%; More than one day 19%

Have you determined the minimum service levels you require during a disaster period?
Yes 67%; No 43%

Where are your mission-critical applications hosted?
On-premises 65%; Offsite, managed by the organization 26%; In a cloud hosted environment 9%

Do you have a clustered environment or other method of automatic-failover?
Yes 63%; No 37%

Have you identified and ranked your most critical line of business applications?
Yes 85%; No 15%

Have you evaluated and classified data in terms of business priority?
Yes 77%; No 23%

Have you identified which users are critical to keeping the business running in a disaster situation?
Yes 82%; No 18%

Do you have current contact information for all employees in the event of a business disruption?
Yes 87%; Yes, but we're not sure if it's up-to-date 9%; No 4%

Have you identified any regulatory and compliance requirements that you must meet during a disaster recovery period?
Yes 63%; No 37%

Is a portion of your IT budget allocated to business continuity?
Yes, and it's a sufficient amount 50%; Yes, but it's an insufficient amount 12%; No 23%; No, but it's in another budget envelope 4%; Don't know 12%

Having considered all of the above questions, how comfortable are you with your company's ability to operate during a period of natural disaster or disruption?
Very comfortable 26%; Somewhat comfortable 55%; Somewhat uncomfortable 16%; Very uncomfortable 2%