In many organizations, Information Technology Disaster Recovery strategies and capabilities are not aligned with the needs or expectations of the business. This isn’t always the fault of Information Technology personnel; in many cases they established recovery priorities, strategies and capabilities in a silo.
We have observed cases where Information Technology management has implemented recovery strategies simply based on the verbal conversations held with senior management and without any reference to the results of the Business Impact Analysis and/or discussion with the business.
The business must take an active part in aligning its needs with the IT organization. There are critical aspects of the IT recovery strategies that must be addressed by the business:
- Recovery Time Objective (RTO) – How soon will each critical business system/application be recovered following a disruption to the production data center?
- Recovery Point Objective (RPO) – What is the maximum data loss the business can expect for each critical business system/application in the production data center based on current data backup processes (e.g., tape, replication, etc.)?
- Recovery Time Actual (RTA) – The difference in time, if any, between the in-place and tested recovery strategy and the RTO.
- Recovery Point Actual (RPA) – The difference in time, if any, between the current data backup and offsite storage process versus the RPO.
The lack of business and IT alignment with RTOs and RPOs can lead to catastrophic impacts to customer service, operations, shareholder value, etc. in the event of a critical disruption. The business and Information Technology must have honest and open discussions on RTOs and RPOs and how they compare to what is in place. Even if a gap exists between the objective and actual, it is out in the open and the business can work around it and/or accept the risk until Information Technology can rectify it.
So, how do you align business and Information Technology RTOs and RPOs?
As part of the governance and metrics we implement for our clients, we establish Critical Success Factors (CSFs) and Key Performance Indicators (KPIs) to schedule reviews and to measure and align business and Information Technology needs, RTOs and RPOs on a regular basis (e.g., annually). These CSFs and KPIs are established for the program, business and Information Technology as follows:
- Global BCP Program Criteria:
  - CSF: Business and IT recovery capabilities (RTOs/RPOs) are in alignment and agreed upon.
  - KPI: Results of annual business unit and IT meetings demonstrate alignment.
- Business Recovery Planning Criteria:
  - CSF: Business and IT recovery capabilities (RTOs/RPOs) are in alignment and agreed upon.
  - KPI: Critical business units validate RTOs/RPOs with IT annually by end of September.
- IT Disaster Recovery Planning Criteria:
  - CSF: IT recovery capabilities (RTOs/RPOs) are in alignment with the business and agreed upon.
  - KPI: IT validates RTOs/RPOs with critical business units by end of September.
By putting these metrics in place, you can measure the level of compliance and the ability to meet the required RTOs and RPOs on a regularly scheduled basis. This will greatly aid in aligning business and Information Technology recovery.
Michael Herrera
Michael Herrera is the Chief Executive Officer (CEO) of MHA. In his role, Michael provides global leadership to the entire set of industry practices and horizontal capabilities within MHA. Under his leadership, MHA has become a leading provider of Business Continuity and Disaster Recovery services to organizations on a global level. He is also the founder of BCMMETRICS, a leading cloud-based tool designed to assess business continuity compliance and residual risk. Michael is a well-known and sought-after speaker on Business Continuity issues at local and national contingency planner chapter meetings and conferences. Prior to founding MHA, he was a Regional VP for Bank of America, where he was responsible for Business Continuity across the southwest region.