Why time matters in a disaster by Gregory Medwell
Natural disasters, cyber-attacks, human error or disrupted site access may impact your ability to conduct business. There is little doubt that disaster recovery, or business continuity as it is now known, is a requirement for almost all businesses. Our re
No one doubts the importance; in fact many enterprise and government organisations will not transact with partners that do not have a business continuity service. Business continuity is not a single product, more a cyclical process – an organisation should review its business continuity plan whenever it introduces changes to the business or alters its business priorities.
However, one critical element of a business continuity plan is time. There are many questions pertaining to time when it comes to your business continuity plan. How long will it take for your business to be functioning again? How long can you afford to be down? How long until your customers lose trust in your ability to deliver? The list is endless, and in reality we are just trying to limit the impact of unplanned downtime.
Business Impact Analysis
The impact of downtime is crucial to understanding the time implications. Across an organisation these might be lost sales, increased expenses (such as outsourcing, contracting costs or overtime), regulatory fines, reduced customer satisfaction or brand damage. A Business Impact Analysis is a detailed questionnaire that identifies critical business processes, resources, and relationships across an organisation and can help in quantifying the potential impact if a disruptive event occurs.
The goals of the Business Impact Analysis are to determine the most crucial business functions and systems, the staff and technology resources needed for operations to run optimally, and the time frame within which the functions need to be recovered for the organisation to restore operations to normal. Once these are known, the next stage is to design a business continuity plan that meets these objectives.
RTO and RPO
There are two important acronyms that business continuity providers will talk about: RTO and RPO. They stand for Recovery Time Objective and Recovery Point Objective.
During a disaster, it is a fact that most organisations will lose some data. The Recovery Point Objective aims to address this by asking how much data you can afford to lose, or what your organisation's tolerance to lost data is. Usually the data will need to be re-entered, and it can be compared with an author writing a long report on an old computer that is likely to crash. How often would they back up their data? Or better yet – what is the maximum time between backups that you would be comfortable with? Your answer here might be every two days, which would translate to an RPO of 48 hours.
You may find that different processes and systems have different RPOs. An ERP system may have a premium 4-hour RPO, whereas a 36-hour RPO may be suitable for a development server. Custom RPOs can help your budget by only paying premium prices for the systems that matter most to your organisation’s operations.
The Recovery Time Objective is the target time you set for the recovery of your business activities after a disaster event has occurred. It is defined as the maximum period for which the business can be out of operation without significant risks or losses. Again using the author example, how long would they like to wait until they can begin writing again? But before you answer this you need to consider the impact on your business, revenue, customer retention and brand.
The objective of RTO is to calculate how quickly you need to recover, which then dictates the plan you need to implement and the overall budget you should assign. Again, this really depends on what systems and processes are most important to your business. Typically the most important systems to your business will be your sales and fulfilment systems, which typically have the best RPO you can afford.
The major difference between RPO and RTO is their purpose. The RTO is usually large scale, and looks at your whole business and the systems involved, whilst RPO focuses just on data and your company’s overall resilience to the loss of it. While they may be different, you should consider both metrics when looking to develop an effective continuity plan. A premium service may have an RPO of four hours but an RTO of 2 hours, meaning the IT recovery specialists have a two-hour window to restore data that’s no more than four hours old.
But in the end it comes down to time. How long can you afford to not be doing business? How long will your customers wait? What is the financial impact to the business? Analysing the impact and planning accordingly will improve the resilience of your business, instil trust in your business and overall take better care of your customers.
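As an added illustration (not part of the original article), the Python sketch below checks per-system RPO and RTO targets against a backup-job log and restore-drill timings, and shows how a single failed job on a four-hour schedule doubles the real exposure. The ERP and development-server RPOs and the two-hour RTO come from the figures above; the log format, timestamps, drill durations and the development server's RTO are constructed assumptions.

```python
from datetime import datetime, timedelta

# RPOs for "erp" and "dev-server" and the 2-hour RTO follow the article's
# figures; the dev-server RTO is an assumption made for this example.
OBJECTIVES = {
    "erp": {"rpo": timedelta(hours=4), "rto": timedelta(hours=2)},
    "dev-server": {"rpo": timedelta(hours=36), "rto": timedelta(hours=24)},
}

# Constructed backup-job log: completion time, system, status.
BACKUP_LOG = """\
2024-03-01T02:00 erp ok
2024-03-01T06:00 erp ok
2024-03-01T10:00 erp failed
2024-03-01T14:00 erp ok
2024-02-29T20:00 dev-server ok
"""

# Constructed restore-drill results: measured time to bring each system back.
RESTORE_DRILLS = {
    "erp": timedelta(hours=1, minutes=40),
    "dev-server": timedelta(hours=6),
}

def successful_backups(log, system):
    """Return sorted completion times of successful backups for one system."""
    times = []
    for line in log.splitlines():
        stamp, name, status = line.split()
        if name == system and status == "ok":
            times.append(datetime.fromisoformat(stamp))
    return sorted(times)

def worst_exposure(log, system, now):
    """Largest gap between restore points, i.e. the most data a disaster could destroy."""
    points = successful_backups(log, system) + [now]
    if len(points) == 1:
        return None  # no successful backup at all: the loss is unbounded
    return max(later - earlier for earlier, later in zip(points, points[1:]))

def assess(now):
    """Compare observed exposure and drill timings with each system's objectives."""
    report = {}
    for system, target in OBJECTIVES.items():
        exposure = worst_exposure(BACKUP_LOG, system, now)
        report[system] = {
            "worst_exposure": exposure,
            "rpo_met": exposure is not None and exposure <= target["rpo"],
            "rto_met": RESTORE_DRILLS[system] <= target["rto"],
        }
    return report
```

A backup interval equal to the RPO leaves no margin: the failed 10:00 job stretches the ERP exposure to eight hours even though every other run succeeded.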