Economic impact of disaster recovery planning and implementation

Disaster Recovery

Economic Impact of Disaster Recovery

What is the economic impact of not having a disaster recovery plan should a disaster occur?

Understanding the economic impact of failing to have an adequate disaster recovery plan is important as it can help us to understand the economic costs a disaster can have on an organization. The reason we need to understand economic impact is simple; we need to know what's at stake if disaster strikes. Knowing the costs of a disaster to our organization or ourselves can help us better understand how to prepare a disaster recovery plan and help identify the best ways to properly spend our money to mitigate such an event. Understanding the economic impact of a disaster will help enhance how we plan for a disaster and how we respond to it.

There are many forms of types of disasters that can impact an organization negatively. These can range from natural disasters such as Incidents of floods, earthquakes and hurricanes or manmade loss of data and the capacity to produce. This can include aspects such as,"…fire, employee sabotage, computer viruses, physical damage (e.g., static electricity or disks crashing) and theft" (Carlson & Parker, 1998, p.10).

The economic affect of disaster to an organization or company can be extensive and even potentially devastating. For example, in the 1992 flood in the city of Chicago, organizations and business suffered over one billion dollars in damage. Even more important is the fact that the effects of disasters can remain and impact the organization long after the actual disaster event. Therefore, disaster recovery is an essential component of a return to functional and economic viability. As one expert on this subject states;

While the loss of sales during a disaster is harmful, the loss of customers, vendors, inventory and employee records extend recovery times from weeks and months to years. If a company has a well designed disaster recovery plan (DRP) in place, the plan will minimize the inconvenience of a disaster, while improper planning can result in a company experiencing bankruptcy.

(Carlson & Parker, 1998)

The magnitude of this problem is clearly evident from the following quotation from an article by Chisholm ( 2008) in the CPA journal.

According to Info-Tech Research Group, almost 60% of North American businesses do not have a disaster recovery plan in place that would resume their information technology (TT) services in case of crisis. The seriousness of this problem is supported by research from Faulkner Information Services, which found that 50% of companies that lose their data due to disasters go out of business within 24 months.

(Chisholm, 2008, p. 11)

The above quotation not only emphasizes the importance of good disaster recovery planning but also stresses the importance of understanding the economic cost of possible disaster scenarios and why long-term and contingency planning is essential. Therefore, the lack of adequate disaster recovery strategies can lead to serious economic consequences and even to the loss of an entire business concern as a result of unpreparedness in the face of disaster.

The paper will therefore focus on research into the economic impact of disasters in a way that will show how understanding the economics of a disaster can help us better prepare a disaster recovery plan. The audience that I will target is fellow students and information technology professionals that are interested in the economic impact of disaster recovery. I hope that my research question and paper will help further the understanding of economic impact as it applies to disaster recovery.

Definitions

A disaster in terms of the context of this study can be generally defined as "…any interruption in a company's operations that will significantly affect employees and/or customers" (Carlson & Parker, 1998. P.10). Actual examples include the loss of power of to First Chicago Bank in 1987, due to the heaviest rain falls in history; the flooding of the data center of the Robert Bosch Corporation Charleston, SC, in 1989; and many more recent examples, including the Katrina disaster. However, many of these companies recovered due to adequate recovery plans.

A sobering statistic that relates to the link between disaster recovery and economic recovery is as follows: "The average company that experiences a computer outage lasting longer than 10 days never fully recovers. Fifty percent go out of business within five years. The chances of experiencing a disaster affecting the corporate data processing center are one in 100" (Murphy, 1991, p.60).

A disaster recovery plan or DRP is defined as "… the method by which a company identifies critical resources, determines how these resources are negatively impacted by a disaster, and develops a plan to minimize and recover from the negative impact of a disaster " (Carlson & Parker, 1998. P.10). Another common and wide-ranging definition is as follows:

…a disaster recovery plan consists of the precautions taken so that the effects of a disaster will be minimized and the organization will be able to either maintain or quickly resume mission-critical functions. Typically, disaster recovery planning involves an analysis of business processes and continuity needs; it may also include a significant focus on disaster prevention.

(Definitions: disaster recovery plan)

A central issue that has to be taken into consideration, especially in terms of the economic effects of disaster recovery is the fact that if a business or organization is disrupted for a lengthy period of time then this would seriously affect "… the overall viability of a company and may eventually lead to bankruptcy" (Carlson & Parker, 1998. P.10). It follows that the comprehensiveness of a company or organization's disaster recovery plan has a crucial bearing on the extent to which the company or organization can recover from any significant disaster. Consequently, the normative approach is to have a comprehensive DRP strategy that includes the following objectives.

* Protection of assets and records

* Resumption of normal operations

* Protection of personnel

* Continuity of management

* Minimization of losses and recovery time

(Carlson & Parker, 1998. P.10).

A distinction should be made however between a continuity plan for disaster recovery and preventative planning for disaster. As Cerullo, McDuffie and Smith, (1994) point out,

A computer contingency plan is classified as a corrective control. It is not designed to prevent or detect various disasters, but rather to limit losses resulting from commonly occurring disasters. Assuming disaster strikes, the presence of a computer contingency plan enables a company to quickly restore its capabilities & #8230; and to provide services and products for its customers efficiently and effectively.

(Cerullo, McDuffie & Smith, 1994. P.34)

Another important point made in the above article is that the preparation of such a contingency and recovery plan also motivates the company or organization to assess assets in terms of value and vulnerability. In other words, an understanding of assets derived from a good disaster recovery plan will include an evaluation and analysis of assets in terms of both vulnerabilities and potential areas of weakness in the structure of the organization.

Pundits stress that 'disaster recovery' are"…two vital words in today's security managers' and directors' vocabulary. Nowadays these people can't be without a disaster recovery plan or they may soon be without a job" (Murphy, 1991. P.60). It should also be noted that there are many different approaches to disaster recovery and each approach takes into account the type of business or organization and their particular vulnerabilities. For example, some recovery plans attempt to take into account every possible disaster scenario or contingency, from earthquakes to vandalism. This may be economically restrictive and time consuming. Others may take a more directed and specific approach, targeting the most common and obvious disaster scenarios in their particular context. However the important point to note is that failure to plan adequately for disaster recovery can have severe consequences, which can range from temporary loss of data, leading to loss of sales and contacts, to total financial collapse and penalties or fines, dependent on the extent of the disaster.

Brief Overview of disaster recovery planning

In recent years there have been as number of disasters in the United States that has tended to stress the importance of disaster recovery planning. Earthquakes in California, the Katrina disaster and many other have underlined the essential nature of DRP planning. Another example is manmade: "The terrorist bombing of the World Trade Center resulted in hundreds of millions of dollars in damages…" (Cerullo, McDuffie and Smith, 1994, p.34). As one article states:

What has become clear is that businesses must implement corporate-wide disaster recovery planning (DRP) that transcends data processing issues alone. DRP is a major corporate responsibility. The CEO must understand the major risks to the company and the potential consequences of disaster. Proper DRP addresses the needs of all departments and involves personnel from all areas of the company. Responsibility for DRP is not the sole responsibility of MIS management.

(Cerullo, McDuffie & Smith, 1994)

The important point being made by Cerullo, McDuffie and Smith ( 1994) is that the serious economic implications of disaster means that disaster recovery planning has become much more than only the responsibility of a section of the organizations personnel. There is a modern emphasis, which has resulted from the experience of the economic impact of disaster, on a more extensive and 'distributed' mode of thinking about disaster recovery. This is an important factor that should be stressed as it has direct implications in terms of the economic aspects of disaster recovery planning in an increasingly networked and technologized contemporary working environment. This aspect is cogently expressed in a White Paper on this issue.

Many organizations have strong business recovery plans for their mainframe and mini-computer systems. but, as more and more critical applications are migrated to distributed systems, companies are becoming concerned about how they can protect these systems in the event of a disaster. Chances of a disaster increase significantly as systems are moved away from traditional central computer facilities that have hardened security and environmental controls.

(Disaster Recovery - a White Paper)

This emphasizes a cardinal issue in modern disaster recovery planning; namely, that almost all businesses and organizations depend on computer technology and various forms of data storage. This means that the economic consequences of even a few hours of disruption can be extremely costly. Furthermore, this fact implies that any disaster recovery planning must include measures for recovering both the functionality and data of the organization that has been determined to be of high value or critical.

This finding of a survey by the Symantec Corporation in 2007 underlines this important aspect.

…while 91% of it organisations carry out full scenario testing of their disaster recovery plans incorporating relevant people, processes and technologies, nearly 50% of those tests fail. This means that one in two UK organisations are not equipped to handle events, such as natural disasters, computer system failures and external computer threats.

(Companies Exposed from Inadequate Disaster Recovery Planning, Testing)

This has many implications in term of future planning. For instance, recovery plans must include the ability to replicate data offsite, as well as many other aspects and possibilities that are strictly outside the ambit of the present discussion. This also includes the increasing importance of virtual servers in the process of disaster recovery (Raffo, 2009).

Economic Implications

The importance of disaster recovery planning is emphasized again and again by various experts and pundits. As one pundit notes, "Aside from the legal ramifications of neglecting to safeguard vital data, disaster recovery planning is a business necessity. Simply put, business relies on computers more than ever before and will continue to do so" (Murphy, 1991, p.60). Murphy also states that, "It doesn't matter what you call it -- automated data processing or management information services -- the life of a business or organization is at risk without disaster management,." (Murphy, 1991, p. 60). This is of course linked to the dependence on data and databases by almost every modern organization. Other sources reiterate the pervasiveness of modern threats to valuable data.

Failure to identify every potential event that can jeopardize the infrastructure and data that your enterprise depends - in addition to the security and network threats -- viruses, Trojans, worms, etc. -- you need to identify any forces that are unique to your geography. Do you live on an earthquake fault, tornado alley, or in a flood zone? Does your region experience frequent power interruptions from storms or rolling blackouts?

(Disaster Recovery Business Continuity: Common Mistakes).

However, it is when one considers the financial and economic implications of a faulty or inadequate disaster response plan then the need for this planning becomes even more evident. On the other hand, the cost of actually implementing a thorough and comprehensive disaster recovery plan also brings into play various criteria that have to be taken into consideration. As Bielski ( 2002) states, "Day-to-day process-related work is hard to back up -- much of it isn't digital to begin with…Think of backing up all your e-mails or Word files. How much time would that take? Is it worth it? (Bielski, 2002).

The economic implications of inadequate disaster planning and management are on one level fairly obvious. As has been noted a number of times in this discussion, there is as general consensus that any company or organization cannot function when there is data loss or loss of networking functionality and if this is extended over time it will invariably lead to serious economic implications.

A serious possibility that can have dire economic consequences is the unplanned disaster or outrage. "Whether it is a severe weather incident that shuts down a city or region or a simple mistake like kicking a power cord loose causing a server to halt, every business is susceptible to some form of outage or disaster" (Rennels, 2006).

Experts state that even a short period of disruption and not being able to access data can have severe economic repercussions for the organization.

At best one could expect to incur some financial losses and have to smooth things over with some unhappy customers, but at worst, and far too often this is the case, businesses are unable to recover and are forced to close.

(Rennels, 2006)

An understanding of the economic implications of a disaster should also include aspects such as a decline in productivity, work stoppages as a result of no email activity etc. The following statistics serve to illustrate the above points. The research company Gartner states that "…40% of all SMBs will go out of business if they cannot get to their data in the first 24 hours after a crisis" (Rennels, 2006). This statistic becomes even more alarming in the light of the prediction that, " Another 35% are out of business within 3 years" (Rennels, 2006). Furthermore, the amount of lost revenue and productivity tends to increase rapidly if there is no fast and effective recovery planning and this "… does not account for the business and legal implications of lost data that could result in fines and even imprisonment" (Rennels, 2006).

The consequences of not having a disaster recovery plan are therefore extremely serious in the modern world. This fact is again stressed by a study conducted by the University of Texas, entitled "FINANCIAL and FUNCTIONAL IMPACTS of COMPUTER OUTAGES on BusinessES." The following are some of the most results of this study relevant to the present discussion.

85% of organizations are heavily or totally dependent upon computer systems.

On average, by the sixth day of an outage, companies' experience a 25% loss in daily revenue; by the 25th day it is 40%.

Financial and functional loss increases rapidly after the onset of an outage.

Within two weeks of the loss of computer support, 75% of organizations reach critical or total loss of functioning.

43% of companies that experience a disaster but have no business recovery plan in place never reopen.

(Disaster Recovery - a White Paper )

These finding tend to shed a glaring light on the financial and economic implications of not having a good disaster recovery plan; conversely they should also serve to motivate organizations and companies to make sure that a well thought out and comprehensive plan that is suited the assets and particular vulnerabilities of that organization is implemented. This is also reiterated by the finding from the above study that "…of companies that experience a disaster but have no tested business recovery plans in place, only one in ten are still in business two years later" (Disaster Recovery - a White Paper ).

The link between economics and disaster recovery planning is clearly emphasized in the conclusion of the above study.

Organizations which had prepared for an extended computer outage through insurance and/or a contingency plan reported significantly lower expected loss of revenues, additional costs, and loss of functioning. As a group, these organizations estimated that their revenue losses would be 2.5 times as severe if their contingency plans were not activated.

(Disaster Recovery - a White Paper ).

One the other hand those organizations that do not have a clear and comprehensive recovery plan will, in the event of disaster, also suffer from various intangible costs, in addition to direct revenue loss. This can include aspects such as "…cash flow interruption, loss of customers, loss of competitive edge, erosion of industry image, and reduced market share" (Disaster Recovery - a White Paper).