For many small to medium-sized business (SMB) owners, disaster recovery and business continuity (DR/BC) are nebulous concepts to be dealt with "when there is time." The problem for many (more than 50%) is that the "right" time never comes, leaving them unprepared when disaster strikes. Yet, in the past year, many SMBs have realized that disasters can hit anywhere and that they cannot put off planning forever.
Although preparing a DR/BC plan is admittedly not a "no-brainer" process, it doesn't have to take hundreds of hours to complete. Perhaps the most important part of this effort—and something you can do without developing bulky manuals and detailed schematics—is determining your "magic numbers" and then taking action to ensure you can meet them.
Three numbers, Recovery Time Objective (RTO), Recovery Point Objective (RPO) and Maximum Tolerable Outage (MTO), will give you a good idea of how quickly you need to recover your business—from critical client and decision-making data to core business processes—to ensure your firm doesn't collapse after the dust of a disaster settles. Once you know this information, you'll be in a better position to plan an effective recovery.
Recovery Time Objective (RTO): The minimum time within which you would like to restore your data, applications and critical IT-related processes after an outage.
Recovery Point Objective (RPO): The amount of recent data you could tolerate losing in the event of an outage—which equates to the frequency of your backup snapshots.
Maximum Tolerable Outage (MTO): The longest amount of time your business and its employees could function without access to data, email and applications before the outage puts your business and/or client relationships at risk.
Calculating your RTO, RPO and MTO requires you to run a business impact analysis, identify processes that must be operable for you to function, and evaluate the strength of your client relationships (and their tolerance for outages). You'll also need to investigate your vendors and supply chains to see what their disaster plans are and whether you have alternate choices. DynaSis recently published a practical guide to help you in this quest, available as a white paper on the topic.
However, you can calculate a rough approximation of your RTO, RPO and MTO through simple visioning exercises. Make a list of clients you could not afford to lose, then estimate their tolerance for a service outage (you know how patient your big clients are). Consider the type of work you do, and decide whether or not it requires instant access to recent data and if employees could perform that work remotely.
Then, evaluate whether your crucial data—like email and client information (contacts/contracts/RFPs, etc.)—is stored in the cloud or only at your location. Finally, consider whether your business processes can be completed remotely, and whether employees are cross-trained sufficiently that some could step in if others were tied up with disaster crises.
Many companies that make these rough projections are surprised to discover that their tolerance for outages and disruption is very low. They also realize that even if their physical location is not functional, they could maintain client relationships and operate at a minimal level—provided they had access to their information.
If this is the case with your calculation, I invite you to call me. We can perform an in-depth risk analysis that pinpoints your vulnerabilities and makes recommendations for improvement. Given that more than two-thirds of SMBs are located in areas prone to disasters, and the frequency and impact of disasters are increasing (per the National Oceanic and Atmospheric Administration), disaster recovery for most companies is no longer a matter of "if." It's a matter of "when."