In theory, disaster recovery, like its counterpart business continuity, needs to concentrate on what is critical to keeping an organisation functioning correctly, and on planning for and managing those aspects. Experience plays a large part in understanding how far to go, and broad knowledge gained by working in or with the various operations of a company can be invaluable. Otherwise plans can become too elaborate and too costly compared to the general level of business risk that applies to an organisation. Yet how much disaster recovery is too much?
Some enterprises will deliberately provoke realistic DR situations, with the resulting expenses and disruption, to see how well they can cope. Others go through detailed risk analysis to find out if they should train thousands of staff to cope with hazardous chemical spills or fence in large areas of company operations. Although different organisations have varying needs, at least one remark is of general relevance. A number of companies incur monthly IT hot-site fees and charges for annual hot-site testing programs that are overkill compared to their real requirements. The problem is that they develop an IT recovery strategy before thinking through their overall business continuity plan.
Too much disaster recovery is one problem. The banking sector apparently has the opposite problem: not enough. A survey by the CSFI (Centre for the Study of Financial Innovation) attributes the cause to a rise in regulation that “saps bank resources”, “reduces risk diversification” and “creates a false sense of security”. At the end of the day, it still comes down to fundamental risk management: how much risk will your organisation accept, what are you willing to spend to avoid or mitigate the risks involved, and what plan will you execute to do so? It is this analysis that lets you avoid overkill or “underkill”, and protect your organisation sufficiently yet cost-effectively.