Full disclosure–I am not a DR expert. However, I have practiced risk management and business continuity in large organizations for over 20 years, including the management of DR functions. In that time I have seen some very effective DR programs run by some exceptionally competent DR professionals. I have also seen some very competent DR professionals struggle to manage in some very challenging environments.
"The results of a business impact analysis or some other form of objective analysis should be the basis for DR decisions"
These are some of the reoccurring themes behind those challenges.
1. The wrong people are making risk acceptance decisions
When it comes to IT Disaster Recovery (DR) decisions, start by asking one simple question – “Who’s risk is it anyway?” Risk acceptance decisions need to be made by the appropriate risk owners within the business. Yet, all too often it is the IT people alone making decisions about DR solutions, investments, and priorities.
2. Too much is recovered too soon
Business IT exists only to support business processes, so your IT recovery must be tied to business objectives and support the business recovery. The recovery time objectives of the business processes should be used to determine what gets recovered and when. Too much is invested in the speedy recovery of things that could wait if the business had done some effective business continuity planning.
3. Lack of objective data to support DR decisions
I have asked many DR Managers how they decide which applications, systems, databases, etc., to protect and recover. The answer is often, “We just know”. Perhaps they do, but, “We just know” is an opinion. Good luck getting funding based solely on an opinion not backed by data. The results of a business impact analysis or some other form of objective analysis should be the basis for DR decisions.
4. The IT department doesn’t fully understand how (and why) the business uses its services
What they use may not be as important as how and why they use it. People may tell you that they need “email” recovered immediately, but you actually need to know how email is used. If they simply need to communicate non-restricted information about who is where and what they are doing, maybe they could use Gmail, text messaging, or another free service as a backup strategy while the regular email platform is restored over a longer (more affordable) timeframe. Also, if they lose their PCs, laptops, or mobile devices, you need to know if you can replace them with basic machines containing the standard corporate image, as opposed to custom setups with licensing considerations or longer lead times.
5. Lack of policy to drive DR objectives
DR decisions are often made in isolation. That is to say they are made on a case-by-case basis, without a policy to govern consistent, standardized support levels. DR targets and objectives should be predetermined so that support levels can be measured against an agreed-to standard.
6. The business assumes a much quicker IT recovery than is actually possible
For whatever reasons, many leaders in your organization probably assume that “everything” will be up and running within 24 to 72 hours of any disruption, including in a smoking-hole scenario. The business is likely unaware of the deltas between what they need for recovery and what is actually possible. In some organizations that is the elephant in the room that nobody wants to talk about. Start the conversation.