When it comes to business continuity, most organizations have plans to help them bounce back from worst-case scenarios like the loss of buildings, staff, or suppliers. There is one situation that tends to be an afterthought, if not entirely ignored: loss of IT services. Unfortunately, this concept can no longer be ignored in today’s modern digital workplace. IT services are crucial and, without them, your business may grind to a halt – costing you time, money, and productivity.
Cloud providers like Microsoft are not responsible for any of these services. In fact, Microsoft’s Shared Responsibility Model clearly specifies customers are responsible for situations like infrastructure failure, user or admin errors, software corruption, or malicious attacks. Protecting the security of your data and identities falls squarely on your shoulders.
To ensure business continuity, no matter the situation, you need a disaster recovery plan. Check out these 6 steps to get started.
Step 1: Assess your environment and its structure
If you leveraged a “lift and shift” approach to your migration to get to the cloud as quickly as possible, this step is critical for you. With this approach, the emphasis is more on how quickly adoption can happen rather than how to do it correctly and safely. Unfortunately, this can result in a vulnerable, cluttered environment.
It’s important to examine your current environment to see if changes need to be made. Products like the AvePoint Discovery Tool can help you find where your content lives, determine how much you have and how relevant it is, and create your plan to improve the structure, without trial and error.
Improving your environment and its structure not only helps you now – think storage cost savings and streamlined governance – but it’s also a critical foundation for implementing information lifecycle management, executing potential mergers & acquisitions, and, most importantly, creating your business continuity plan.
Step 2: Build an inventory of your IT services and systems
Next, it’s time to build an inventory of your systems – small and large, internal and external – and why they are important to your business. Remember: no one can save your world if they don’t know what it is
First, run a discovery scan of your entire environment (see step 1). Be sure to track every service or system you have, from homegrown applications to virtual machines, and why you have them. Then, be sure to map any dependencies between systems – i.e., if you have a business-critical, automated process that depends on the functionality of an application. These dependencies might not seem important now, but will be vital to determining your order of restoration, should an incident ever occur.
Step 3: Determine which systems are most critical
Not all IT systems are created equally. It would be a shame if you lost your application for PTO requests, but it would not bring your business to a halt the same way losing access to customer records would. You need to rank each inventory item based on its impact to the business – which many consider to be the first step for creating a business impact analysis (BIA).
The key here is determining the actual cost of loss or inactivity: If you did not have access to a system for a certain amount of time, how much would it cost you (in terms of time, productivity, or money)? Whatever system would cost you the most should be ranked the highest. Until we understand the business criticality of each of our systems and the cost of loss, it’s impossible to determine how much money to put into a disaster recovery plan.
Step 4: Establish your RPO, RTO, and RLO
While we will do everything in our power to avoid it, you must plan for worst-case scenarios: an unavoidable outage or potential data loss. With that in mind, determine your recovery point objective (RPO), recovery level object (RLO), and recovery time objective (RTO) if an outage were to occur.
You’ve probably heard these acronyms thrown around a lot. While all different – RPO is focused on determining the maximum amount of time between the last backup and potential failure point, RLO defines the granularity at which you must recover your data, and RTO determines the maximum amount of time a business can afford a recovery can take – it all boils down to one key question: how quickly you can get back up and running?
Your business’s priorities will dictate which objective to prioritize. Some businesses may focus more on granularity – if you are a hospital that lost patient records – while others will need the quickest recovery possible – if your CRM is the heart of all business activities. Only you can determine which is most important for you.
All your previous work will now come to fruition. Refer to the data points to decide exactly how long certain systems can be down before they start to cost you. Then, you can decide on metrics for each objective that make sense for your business.
Step 5: Test your RPO, RTO, and RLO
Now that you have established your key objectives, it’s time to test yourself. If you don’t rehearse these metrics – whether speed, granularity, or potential data loss – you won’t know if they are even possible in event of a disaster. Think of it as moving from “I think I know what we’ll do if disaster strikes” to “I know exactly what we need to do if something happens.”
Don’t fret if you don’t meet your objectives on the first try; there are always areas to improve, depending on your priorities. If you rehearse and refine your process again and again without meeting your objectives, you may learn there is a cost to achieving your goals.
Now that you know what is possible as is, you can determine the resources you need to improve your objectives. You may need to readjust your objectives – such as determine how much data you are willing to lose to get back up and running faster – or invest in tools, like AvePoint Cloud Backup for Azure, to help optimize or automate your processes to avoid sacrificing granularity or time.
Step 6: Advocate for a disaster recovery budget
You’ve done your homework – you know what will be required of your business to recover in event of a worst-case scenario. Those who aren’t familiar, such as your executives, may not understand why there is a cost to this. They think, as many do, it’s in the cloud and it’s protected.
We’ve already discussed Microsoft’s Shared Responsibility Model, and there are other similar decrees from cloud providers that you can point your execs to, but a more important approach is to demonstrate where these costs are coming from – and the risks and value associated with the costs.
While disaster recovery planning is an investment, the costs of not investing is much higher. This is particularly true when you note that there are some costs that can’t be calculated, such as damaged reputation or lost customers. Your investment in disaster recovery will pay back dividends in uptime when you are protected from business disruptions.
Creating your disaster recovery plan is a huge undertaking. However, the sooner you start, the better protected you will be. So start small. Safeguard your most standard and critical IT services. And partner with a third-party provider who can deliver protection and peace of mind.
AvePoint backup solutions ensure business resilience. Easy-to-use solutions for Microsoft 365, Azure Active Directory & Virtual Machines, Dynamics 365, Salesforce, and Google Workspace offer thorough coverage and faster recovery across your organization. Request a demo to talk to the experts at AvePoint and begin building your Azure Disaster Recovery plan today.