There is no easy way to quantify the financial benefits of investing in backup and recovery. That’s why with many companies, funds and resources for a backup and recovery solution are only allocated as part of another project. Too often the costs aren’t fully understood until after a company faces a major data loss. Can you afford to do nothing?
What Does Nothing Cost?
Doing nothing seems surprisingly inexpensive at first glance. There is no equipment or software to purchase, no annoying project plan to set up, and no overtaxed personnel to re-allocate.
Who could argue with a strategy that has a cost of zero? Regardless of currency fluctuations or foreign exchange rates, zero is a very manageable number!
Unfortunately, doing nothing only works until the moment something happens. Just like it’s efficient not to carry an umbrella – right up until the day it rains. In the IT field, something is definitely going to happen. The only question is, “When?”
Once something happens, doing nothing starts to look more costly. To put it in mathematical terms:
Expected loss = Probability of incident x Cost of incident
A simple example: if the probability of rain is 50% per week (weekly probability of 0.5) and the cost of being in the rain is the price of a suit ($250), your weekly expected loss for not carrying an umbrella is 0.5 x $250, which is $125. Given that calculation, I’d keep an umbrella in my briefcase. Doing nothing could be rather expensive.
When Will Something Happen?
In disaster recovery (DR) terms, the first thing we need to know is the probability of a disaster.
The fact is that unwanted stuff happens all the time. If you’re counting on zero downtime or data loss, prepare to be disappointed. While the frequency of data center disasters varies by company and location, a 2012 Aberdeen Group report found that the average company reported 2.3 business interruptions each year, averaging one hour of downtime per event. And outages are only one class of potential disaster.
Weather-related disasters have been making headlines for several years, wiping out businesses in dramatic and unpreventable ways. In 2013 alone there were seven weather or climate disasters resulting in loss of one billion dollars or more. But it turns out that far more likely risk is presented by power/UPS failures, human error and the steadily growing threat of cybercrime.
Risk assessment is a scientific endeavor since calculations need to be individualized to your company. While broad generalizations can be found, you’re best off engaging with an expert consultant. In your organization’s setting, there may be specific factors that influence your risk. Your geological location, local infrastructure, nearby hazardous businesses and even the appeal of your company to hackers can magnify or reduce your disaster risk.
You get to define “disaster” in a way that’s meaningful to you. You’ll probably look at circumstances that interrupt your operations, cause you loss or damage your organization’s reputation. There are lots of these. A recent Computing magazine survey of IT professionals in the UK identified the obvious disaster risks – natural disaster, system downtime and malware – as well as some you’d probably not think of – like disgusting smells from animal and human sources that necessitated equipment shutdown.
A risk assessment consultant will help you factor in all pertinent categories of disasters, each of which has a different probability of occurring. For example, the probability of misplacing my umbrella is pretty high, based on experience. The probability of misplacing my toaster: negligible.
Totaling up the list of incidents and probabilities quickly eliminates the advantages of doing nothing – unless the probability of all disasters is zero.
What Will It Cost?
The second part of our loss calculation is the cost of each incident type.
Costs calculations for various disasters are readily available. In the category of data center outages, Gartner offers a detailed Downtime Cost Calculator. The Aberdeen Group report declares that the average annual cost of business interruption is $418,071. Forrester Research calculates the cost of typical email and web outages between $11,142 and $47,662 per incident.
Those calculations only scratch the surface of what you might lose. Only some costs of a disaster are tangible, as history enlightens us. Memorable recent data breaches at major retailers have created quantifiable data center and customer retention costs, to be sure. In addition, senior managers’ reputations were damaged, profits dropped, shareholders became militant and employee morale deteriorated.
It’s difficult to assign a dollar figure in such cases. Some consequences cannot easily be remediated, particularly in the personal lives of those affected. But the dismay they cause us indicates that we cannot overlook qualitative losses in a review of the costs.
Make your own list of tangible and intangible costs, based on your business. Lists of likely categories are available from many reputable sources. You’ll want to consider the hard and soft costs of remedying all types of calamities and their consequences. A partial list, as starting point:
- IT failures: servers and monitoring, databases, applications, infrastructure and networks
- Environmental disasters: fire, flood, earthquake, hurricane and tornado
- Utilities: HVAC failures, power outages, telecommunication failures
- Human error and accident: data corruption, file deletion, database record loss
- Cybercrime: in-house sabotage; efforts to steal, corrupt or destroy data; denial of service (DoS); malware, organized criminal activity
- Physical Break-ins: theft, destruction, vandalism, terrorist attacks
- Performance guarantees to your clients and related fees
- Local and regional disruption: strikes, legal actions, shutdown orders, ripple effects from neighboring crime or disaster
- Loss of business and customer retention, specific customer and vendor liability, consumer credit monitoring
- Regulatory compliance costs and penalties
- Company reputation, valuation, future business, impact on employee recruitment
- Community relations: local town/state goodwill, political considerations
- Lost productivity, employee morale
- Senior management’s lost reputation: internal, external, future employment
- Shareholder value, disgruntlement, lawsuits
What Will It Cost to Mitigate?
Disaster cannot be prevented. Weather events, for example, can often be predicted but rarely avoided. Cybercriminals, regrettably, are moving faster than our ability to identify and prevent them.
But a good disaster recovery plan mitigates the cost impact of disasters and their consequences. To revise the previous mathematical formula, your budget for mitigation and recovery is the value of the losses the DR plan prevents.
Preventable loss = Probability of incident x Preventable cost of incident = DR budget
For most businesses, that’s a sizeable budget.
But first, couldn’t you save a lot of trouble merely by getting insurance? The answer depends on how willing you are to pause or close your business. After Hurricane Sandy’s tragedy along the Jersey Shore, some small businesses that were insured were able to rebuild and eventually reopen – after a significant pause in operations. Others, even though insured, closed their doors forever. The damage done to property, customer continuity or morale exceeded their owners’ physical and emotional resources to recover.
They just walked away.
So if you’re willing to shut down your business in exchange for any insurance proceeds after the next significant incident, that strategy works. However, organizations with commitments to large customer and employee populations will not find this an attractive approach. Would you?
That’s where disaster recovery comes in. A well-designed recovery plan assesses what you most need to protect, identifies your objectives for recovery, then designs technology and processes to reach these objectives. A good DR process also minimizes the duration of outages and follow-on consequences, so that you’re back on your feet far sooner.
Planning and building a DIY disaster recovery is perfectly possible but complex. Frequently, the simplest solution is outsourcing with an experienced DR partner. Unless you already have secure redundant data centers in place, a colocation or cloud recovery partner will get your plan up and running faster than you could. Plus, the expertise and processes that they bring to the table makes your DR plan more robust.
If you’re daunted by DR, it’s worth finding out who can help.
Doing Nothing Costs Too Much
To paraphrase the bumper sticker, unwanted incidents happen. In the real world, putting your head in the sand simply makes the problem worse. The unplanned disaster throws business into a panic, wreaks havoc on the revenue, deflects personal careers and conceivably terminates the business. Doing nothing is expensive. Planning for recovery can pay for itself.
To be sure, it’s easy to postpone action when the choices are confusing or the justification is complex. But the ideal time to act is before the disaster develops. Now, for instance.