J Wolfgang Goerlich's thoughts on Information Security
Budgeting for disaster recovery

By wolfgang. 18 April 2005 09:54

What is your budget for disaster recovery?

Are you spending too much?

Or too little?

Ideally, Disaster Recovery is a program that contains one or more strategies. Each strategy is a specific way to recover IT systems for one or more business processes. For example, you might have a hot site strategy with one-to-one duplication of the hardware and software used in production. This strategy is costly, so it is reserved for the critical business processes. For non-critical processes, you may have a cold site strategy: you buy new hardware and restore from tape should an outage occur.

There is a means to calculate the budget for Disaster Recovery.

Step one is to determine the likelihood. Map the IT software and hardware to the business process. Determine the threats you are protecting against (fire, flood, earthquake). Do some digging to estimate how likely these threats are to occur (Annualized Rate of Occurrence).

Step two is to determine the financial impact. If the threat occurs, everything is offline, and the business process grinds to a halt, how hard will that hit the business? Quantify the impact in terms of dollars (Single Loss Expectancy).

Step three is to multiply the two to determine the Annualized Loss Expectancy. ALE = SLE * ARO

ALE represents the business's asset exposure. It is the most that should be spent on a Disaster Recovery strategy that mitigates the risk. If ALE is $50,000 and the recovery strategy costs $100,000 a year, then obviously you are spending too much. If you are spending $10,000 a year, you are either a hero or putting the business process at risk by using an insufficient strategy.
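The three steps and the budget comparison above, as an added Python example (not from the original post): it sums SLE * ARO over every threat mapped to a business process, which goes slightly beyond the single-threat formula, and compares the total with the annual cost of the recovery strategy. The process names, threat rates and dollar figures are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Threat:
    name: str
    events: int     # expected occurrences ...
    per_years: int  # ... over this many years (ARO = events / per_years)
    sle: int        # Single Loss Expectancy in dollars for this process

@dataclass
class Process:
    name: str
    strategy: str
    annual_cost: int  # yearly cost of the recovery strategy
    threats: list

def ale(process):
    """Annualized Loss Expectancy: SLE * ARO, summed over the mapped threats."""
    return sum(t.sle * t.events / t.per_years for t in process.threats)

def review(process):
    """Compare what the strategy costs per year with the exposure it mitigates."""
    exposure = ale(process)
    verdict = "exceeds ALE" if process.annual_cost > exposure else "within ALE"
    return {"process": process.name, "strategy": process.strategy,
            "ale": exposure, "cost": process.annual_cost,
            "headroom": exposure - process.annual_cost, "verdict": verdict}

# Constructed sample data: names, rates and dollar amounts are illustrative only.
PROCESSES = [
    Process("order entry", "hot site", 100_000, [
        Threat("fire", 1, 50, 1_500_000),          # 1-in-50-year event
        Threat("flood", 1, 100, 2_000_000)]),      # 1-in-100-year event
    Process("reporting", "cold site", 10_000, [
        Threat("fire", 1, 50, 1_000_000),
        Threat("earthquake", 1, 200, 6_000_000)]),  # 1-in-200-year event
]

if __name__ == "__main__":
    for p in PROCESSES:
        r = review(p)
        print(f"{r['process']:<12} {r['strategy']:<9} ALE ${r['ale']:>9,.0f} "
              f"cost ${r['cost']:>9,} headroom ${r['headroom']:>10,.0f} "
              f"-> {r['verdict']}")
```

A "within ALE" verdict only says the spend is under the exposure; whether the strategy is sufficient for the process still has to be judged separately.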

I find that organizations that are just starting out with Business Continuity and Disaster Recovery greatly benefit from this budgeting method. It demonstrates a clear link between assets and protection. This way, an IT team can cost-justify investments in Disaster Recovery systems.


Business Continuity
