CIO Technical Series - Why IT Disaster Recovery Planning Fails the Most
Having worked for numerous companies in a consulting or full-time employee capacity, I have
led and seen numerous business continuity and disaster recovery planning efforts in various stages of
maturity. However, one key element stands out, and I have stepped in to rescue failed Disaster
Recovery Plan (DRP) consulting initiatives due to one key missing element.
This missing element is the lack of a Business Impact Analysis (BIA). What is a BIA and why is
this so important?
A BIA aims to identify critical business functions and the impact of a disruption to them and
provides an important starting point for defining disaster recovery strategies that are used to
respond to disruptive events. It must be the first place you start when developing and updating
your DRP. Your DRP cannot effectively stand alone without a BIA.
The BIA determines what needs to be recovered and how quickly. It is one of the most difficult
tasks to perform and one of the most critical to get right. The more time you have to bring a
business function back in service following a disaster, the more your recovery options increase.
The BIA is invaluable for identifying what is at stake following a disaster and for justifying
spending on protection and recovery capability.
All business functions and the technology that supports them need to be classified based on their
recovery priority.
Two components of a BIA are:
Recovery Time Objective (RTO) is the targeted duration of time and service level within which a
business process must be restored after a disaster (or disruption) in order to avoid unacceptable
Recovery Point Objective (RPO) is the maximum targeted period in which data might be lost
from an IT service due to a major incident.
BIA Development
Performing a BIA can be a time-consuming challenge and I strongly suggest that you seek expert
help in this area. The process can be complex and connections between people, products, processes
and partners can easily be missed. Even in the very smallest of companies it's taken me a
minimum of three to four weeks to collect data, perform the analysis, document and get
approval. In larger companies this can take months and up to a year for large global operations.
BIA Format
The format of a BIA can range from fairly simple to very complex. The focus should be to have
just the right amount of information. Never too much or too little.
At minimum you want to document:
What your critical business functions are
What the potential impact of an incident may be on these processes
RTOs
RPOs
What the dollar impact of the loss may be
Likelihood of an impact occurring
Without a BIA you could potentially:
See extended periods of outages due to incorrect recovery times and recovery points
Lose data
Lose staff
Cause deep negative financial impact for a company
Open a company to potential lawsuits
Waste lots of money on developing, testing and implementing a DRP
Conclusion
For a CIO to begin disaster recovery planning without a BIA could be disastrous for a
company.
CIOs – Make sure that you or your infrastructure and operations leaders include this critical step in
your DRP journey.
Directors/Managers of IT Operations and Infrastructure can perform this step if they haven't
already and make adjustments to their DRP.
CEOs and CFOs – Make sure you ask your IT leadership if this critical step is included in your
DR implementations and re-evaluated on an annual basis.
Bruce McCullough
High Performance * Leadership * Results
https://www.linkedin.com/in/brucemccullough