As a business headquartered in Florida, we are acutely aware of the ever-present threat posed by hurricanes and other strong tropical weather. History has shown that such events can cause catastrophic and even unrecoverable damage to businesses. In other regions, threats such as tornadoes, earthquakes, and blizzards can have similarly devastating impacts. In addition to natural disasters, nearly every business faces universal risks which include theft, fire, flood, vandalism, social unrest, security breaches and more.

Thankfully, a well-conceived and rigorously tested disaster recovery plan can mitigate most of these risks. But only considering the four walls of your business isn’t nearly enough — disaster recovery must include the data, systems, processes, and procedures on which your business relies.

Most executives now know that storing data in two geographically dispersed locations is just good business.  But storing your data “in the cloud” doesn’t necessarily mean it’s protected from on-the-ground threats: In Europe, a major data center fire led to significant data loss for multiple customers. Meanwhile, an airline’s data center failure led to costs running into 9 figures.  Even Microsoft’s own Shared Responsibility Model (shown below) dictates that Office/Microsoft 365 customers are responsible for their own data backups and security.

Whether yours is a large or small organization, a tested and reliable disaster recovery plan must be a key component of your overall business strategy.  In today’s world, customers have exhibited a decreasing tolerance for companies that are unprepared or underprepared for a disaster.  When the inevitable happens, statistics indicate that the inability to recover in an acceptable period of time can lead to irreparable business damage or, worse, complete business failure.

Disaster Recovery Planning as Insurance

Most people grasp the importance of insurance when it comes to life’s most valuable assets, from cars, to homes, and even our very lives. Why should the core systems and data that your business depends on be any different? 

We encourage you to think of disaster recovery as another form of essential insurance: you are insuring against a variety of disaster types that are not a matter of if, but when.

Like any insurance policy, disaster recovery plans vary in their level of protection depending on the complexity of core systems, comprehensiveness of the plan, and the required speed of recovery.  And just like insurance policies, with increased protection comes increased cost.

It is, therefore, up to each business to determine the appropriate amount of insurance (i.e. budget for their disaster recovery effort) based on their risk profile and cost of downtime.  A small business owner likely knows how much he or she stands to lose for each hour their system is down. A larger and/or more complicated business, however, may require a business impact assessment (BIA) to determine its true hourly cost of downtime.  Once a business has an understanding of downtime cost per hour and the likelihood of such downtime occurring, they can then arrive at an acceptable cost for an ongoing disaster recovery program.

Let’s use a fictional law firm as an example. This particular law firm has conducted a business impact assessment and determined their cost of downtime to be $80,000 per hour.  They then used historical data and industry trends to determine they are likely to experience an average of four hours of downtime per year at a net total cost of $320,000.  Their technology partner has proposed a comprehensive disaster recovery program that costs $10,000 per month that can mitigate three of the four hours of downtime.  In this scenario, the disaster recovery plan as prescribed not only makes excellent business sense, but also pays for itself.

What Form of Disaster Recovery Do You Need?

Let’s start with the disaster recovery equivalent of catastrophic care insurance: offsite backup. 

Let’s imagine that total disaster strikes and your building burns down. With offsite backup in place, your insurance will cover the cost of new equipment and, often, the installation thereof.  You would then restore your data and, once all the dust has settled, be back up and running in a week or two. If you run a business that isn’t reliant on day-to-day data access, this low-cost level of protection may be perfectly acceptable. 

For businesses that can’t afford that sort of downtime, you may need a policy that includes a ready-to-go replica of your environment, known as a hot standby. If your primary environment is suddenly unavailable, this standby environment is ready immediately, with little or no downtime. Once access to the primary environment is restored, data changes are synced back from the standby environment, and things revert to normal.

Hot standbys are typically divided between reserved instances or best effort. Reserved instances deliver the same level of high performance you rely on in normal times, while best effort offers a more affordable, but more sluggish temporary fix. If you’re a private equity firm, a “best effort” approach is probably fine; for a medical telemetry provider, a reserved instance is likely essential.  Your disaster recovery partner can help guide you through the decision-making process.

Other companies — such as banks and insurance carriers that need to operate around the clock — can benefit from procuring disaster recovery office suites. In the event that your office becomes inaccessible, your essential employees can continue to operate together, in person, and you protect your business from total facility loss. 

Customizing Your Recovery

There’s a lot that goes into determining what exactly you need to recover. How many offsite backups do you need? What’s the maximum time you may need to go back when restoring your system?

For many businesses, there are certain core systems that they can’t afford to go down — it’s these systems that recovery resources should concentrate on. Perhaps the 16 non-core systems get regular data backups, while the four core systems get reserved instance replicas.  It is important to understand that a disaster recovery plan can (and often should) have differing levels of protection based on the criticality of the systems and data being protected.

Running Your Recovery

Once your Disaster Recovery Plan is complete, the entire process needs to be tested — you don’t want your first experience with recovery to be the moment the smell of fire is still in the air. Savvy businesses should create a run book: a “do this, then that” instruction manual for recovering their environment in a disaster (for more regulated industries, this kind of disaster recovery plan is legally mandated). This run book should be included in a broader disaster recovery plan including an emergency contact list, a chain of command for certain business units, and so on.

Disaster Recovery Is Just Good Business

In short, a true Disaster Recovery plan should account for the highest probability events and provide a clear, concise set of procedures for each.  After preservation of life, those procedures should then prioritize business continuity and recovery of systems.

Whether your business is headquartered at the base of an active volcano or in the safest place on earth, we hope we’ve made clear how no organization can afford to either ignore Disaster Recovery or define it too narrowly. If you follow these steps, you can at least rest assured that you have made a smart investment in safeguarding all aspects of your business when disaster inevitably strikes. Trust us — you won’t regret it.