Lately, we have often depicted CIOs as parachuting down to earth, with dubious levels of safety. But despite our potential overuse of this metaphor, I think it’s still apt, especially when describing the decision to outsource your IT disaster recovery program or stay in-house. IT disaster recovery efforts can consume large amounts of IT staff time and budget dollars, but even so, outsourcing any part of IT operations can raise eyebrows. So how do CIOs make the right choice between building and managing a recovery program internally or selectively out-tasking it to a service provider?
To help CIOs safely make the decision without taking a dive, we created a “CIO’s Guide to Insourcing vs. Outsourcing IT Recovery” infographic to provide a framework for asking the right questions (consider it a “sister” infographic to the one we created for CFOs – but the questions are somewhat different, reflecting the different focus of the CIO). For each question, a “YES” answer may mean you are okay to stay in-house, while a “NO” answer might suggest that you consider outsourcing. Here is a peek at the decision-making process covered in the infographic:
Question 1: Do you fully understand the business impact of downtime by application?
In order to say “Yes” to this question confidently, you need to have:
- Performed a business impact analysis (BIA).
- Used the BIA to prioritize applications based on their importance to the business.
- Mapped application interdependencies (so that you have a clear picture of which applications depend upon which pieces, and tier them correctly)
- Set applications’ Recovery Time Objectives and Recovery Point Objectives (RTOs/RPOs) accordingly
Question 2: Can you afford to do IT disaster recovery in-house?
Answering “Yes” to this question means you have both the necessary capex and opex budget to support an in-house IT disaster recovery program. On the capex side, you’ll need to fund DR equipment and software, as well as recovery sites and systems for the recovery site. (Can you say, “I need two of everything?”) On the opex side, you’ll need to pay for recovery site operations and for staff time to develop recovery procedures and maintain recovery runbooks, as well as fund the once- or twice-a-year travel and other expenses for proper DR testing. It definitely adds up.
Question 3: Do you have the in-house expertise for DR?
Keeping systems up and running requires an entirely different skill set than recovering them quickly from scratch during a disaster or after a disruption, and many CIOs do recognize this (we surveyed Fortune 1000 enterprises on their DR planning efforts and concerns, and 54% mentioned shortages in staffing and expertise as their biggest challenge). The key questions CIOs need to ask themselves here are:
- Does my staff have the skills to develop recovery processes and procedures?
- Can they perform rigorous change control?
- Are we actively up-to-date on DR best practices and integrating them into the IT lifecycle?
- Can we perform robust DR planning and manage a fail-proof disaster recovery program?
Question 4: Are you confident you are recoverable?
The key question here for CIOs to answer is: are you able to stand up in front of your Board of Directors and certify that you’re recoverable? The following is a directional checklist for being able to say a resounding “Yes!”:
- We actively test and validate our DR plans.
- We have a good handle on change management (and perform it regularly).
- Our staff is willing and able to travel in the event of a disaster.
- We can prove recoverability in an audit.
- In our last test, we met all RTOs and RPOs for our mission-critical applications.
Question 5: Do you have a robust IT DR plan today?
To feel comfortable with moving forward in-house, either you’ve got a robust IT disaster recovery plan today, or you are close enough to one that the risk of delay is acceptable. Many companies we encounter, however, rely on recovery plans based on what was considered the norm a few years ago. But markets change and business goals change, so it’s important that your recovery priorities and tasks change along with them. You might be answering “Yes” for a certain group of applications, but your answer might be “Not so sure” for a group of new applications.
So should you outsource your IT disaster recovery program to an outside provider? That depends on your overall IT strategy, your desired availability posture, and of course, your answers to the foregoing five questions.