When assessing the value of a disaster recovery program for your organization, it is important to remember that DR is first and foremost an investment, because it involves upfront costs, ongoing costs, and a combination of capital and operating expenditures. Assessing an investment’s value typically involves some combination of payback period, ROI, internal rate of return, or average annual / net cost.
Out of these, the most popular and applicable assessment of DR is the payback period, which raises the fundamental question to any organization: When and how will your investment in DR pay back?
Assessing Potential Losses
Determining the payback on your DR investment requires your organization to undergo an assessment process. First, you need to identify what is critical to your business in terms of services and the systems that support them. You need to identify the threats to these systems and understand your organization’s sensitivity to unavailability.
Once you’ve determined the potential size and nature of an outage, you need to be able to quantify damages and summarize them over a period. For example, research may show that there will be a high likelihood of a power outage lasting two days within the next five years. The key question your organization needs to answer is this: What is the right amount to pay to mitigate the unrecoverable revenue losses, costs and penalties associated with two days’ downtime?
The Cost of Mitigating Potential Losses
Threat mitigation is what DR is all about. It typically includes measures such as relocating a data center to a better spot so that you can run your systems remotely, but more safely. This involves costs of setting the remote center and maintaining it over time. Here’s where the equation starts to kick in. If an outage occurs sometime during the next 5-year period, will it save your organization one million dollars in unrecoverable losses, and if the cost of a DR program over five years is one million dollars, is that a tradeoff you want to make?
The DR Equation
Deciding whether to undertake a DR program is a complex decision for most organizations, but it boils down to this:
Probability x Impact vs. DR Investment – over the chosen time period
A DR program means making a commitment to threat mitigation measures with life spans covering the exposure to the threat. If the threat exists for 5 or 10 years, you set up a 5- or 10-year DR program, estimate the cost of the program for that time frame, and balance that against what you would lose if the threat comes true.
A Resilient Organization Is A Better Organization
Of course, there are other factors to consider when assessing the value of a DR program. Sometimes there is more at stake than just unrecoverable losses or “out-of-pocket” expenses, as a result of the outage. You also need to consider the “soft”, “intangible”, but no-less-painful effects of long-term damage to your reputation, the loss of customer loyalty, or the stigma associated with violation of accepted societal norms or standards for corporate – employee protection.
Even if your organization has little money to spend on developing a full-fledged DR program, it can be very helpful just to get the ball rolling on the process of “thinking through” DR scenarios. Once you begin pondering your vulnerabilities, you can start doing even little things that can help mitigate some risk. Every little bit builds resilience into your organization, making it that much stronger.
