There is an organisational disconnect between the board and the IT department on disaster recovery.
We asked over 400 UK IT decision makers how their Recovery Time Objective (the length of time it takes to restore IT systems following a disaster) compared with the expectation of the board. Around a quarter (26 per cent) said their recovery times were slower than their board’s expectation, and a further quarter (24 per cent) didn’t know if they were meeting its requirement. The results reflect what we see in the real-world. There is a lack of agreement on recovery requirements for businesses.
Organisations that do business continuity planning well have recovery objectives agreed and approved by the board. This is important because it sets the goals for business continuity and individual disaster recovery plans. Without a consensus agreement, those recovery plans just aren’t working towards a common end.
When planning a business continuity plan, there is a question we must all address. How quickly do you need your IT system back after a disaster? Ask the accounts team about billing systems or a sales team about its CRM and the answer is likely “ASAP”. It is possible for an IT team to deliver that kind of speed of recovery but it comes at a high cost.
Beyond that initial, knee-jerk reaction, if you get teams to think about how they would be able to continue working, using alternative methods you start to get to a more realistic recovery need. But ultimately the business continuity team needs to collate this information and weigh the costs and implications of downtime against the cost of recovery solutions.
Once the business sets these objectives, it’s then the responsibility of the IT department to deliver on them – to build the internal capability or to select a service provider to help them meet that requirement. It’s therefore vital that these projects are adequately funded. It’s pointless to set a very aggressive recovery time but not provide sufficient budget to deliver on it.
A growing reliance on technology
For that reason, these decisions must also consider expected changes over the short-medium term. The board must factor in that if changes are made to the objectives, it will take time for IT to then source and implement new solutions to meet them.
We were recently told a story by an IT Manager who had just suffered an IT outage. He carried out a successful recovery and had the business back up and running in two days. After the incident, he was called in to explain himself to the board. They asked why it took such and unacceptably long time. He then showed them that the recovery went exactly according to plan and met the recovery times they had agreed two years prior.
This example highlights a specific issue:
- There is a growing dependence on technology from all areas of business
- There is an increased expectation of uptime
Even in a very short period, for that particular business, the requirement changed. Business continuity plans, risks and mitigation plans should be reviewed and updated every year. But also, consider that the average lifespan of a solution is around 36 months (depending on depreciation lifecycle or supplier contract length). It is therefore important to plan sufficiently far ahead.
The case for IT representation on the board
This disconnect over disaster recovery also points to a larger issue. We’ve recently seen numerous high profile IT incidents, such as the troubled TSB IT migration and the recent British Airways data breach. It reinforces why organisations simply can’t afford to sideline technology to the back office any more.
These aren’t supporting functions – they are the critical operations of the business. It is our opinion that there is a need for greater IT representation at the board level. There is a need for someone with specialist knowledge to be able to translate the specifics of how technology is enabling the businesses – as well as the risks it brings.
The board sets the tone for a firm’s digital future, but it is also accountable for the ramifications of tech failures across the entire business. As we’ve seen from our research, it’s clear opinions differ between stakeholders within an organisation. Having a digital leader in place embeds the board with a more realistic understanding of the company’s IT capabilities, opportunities and threats.