From the Lab

Planning for Disaster – Be Specific, Update and Test

Business continuity (BC) or disaster recovery (DR) solutions come in two common flavors today. Some companies, with minimal-to-zero tolerance for downtime, need a duplicate physical instance of an application in order to attain instantaneous failover. Others are fine with virtual servers running DR instances in a disaster-recovery-as-a-service (DRaaS) model.

Figuring out what kind of solution is the best fit requires determining which applications are needed for a business or organization to operate and what their levels of service should be. That helps quantify the requirements, in particular: recovery time objectives (RTOs), or how fast you need to get up and running again; and recovery point objectives (RPOs), which refer to the point at which a backup replicates an application’s data.

Without a solid assessment, an organization could be flying blind, relying on solutions that would bring it back online in days or hours, where minutes or seconds (if not milliseconds) are required. Yet according to a survey conducted by Forrester Research and the Disaster Recovery Journal, many businesses are incurring just that kind of risk.

Slightly more than half of all business continuity plans (BCPs), for instance, fail to address discrete threats. But to be useful, a plan must be specific. “Different scenarios require customized responses,” writes Forrester Research Director Stephanie Balaouras.

There also seems to be a natural tendency to write a plan, and then leave it on the shelf. Only 14 percent of respondents said they were updating their BCPs continuously, which is Forrester’s recommendation. Most now refresh their plans only once a year, or less frequently.

A lack of testing is also leaving businesses exposed. Not surprisingly, the more extensive the test, the less frequently it is conducted. Two out of every three respondents report doing an annual walkthrough, which simply reviews the layout and content of a plan. Only 32 percent conduct a full simulation annually. Experts recommend at least one such exercise per year, and say that twice is ideal.

Another area of exposure involves business partners. Participation in testing by third parties has grown to 59 percent, but Balaouras said that with increased reliance on partners, especially in cloud services, that level of participation should “be much closer to 100 percent.” Here at Keystone NAP, where we mandate multiple tests with clients per year, we couldn’t agree more.