How Much Should You Spend on Business Continuity and Disaster Recovery?

Many companies underfund their business continuity and disaster recovery plans, not realizing several hours of downtime can cost them hundreds of thousands, or even millions of dollars. Every company’s DR strategy and budget should be based on their unique requirements, not a cookie-cutter plan. The best way to approach spending on disaster recovery efforts is to first understand your compliance requirements, if you have any, and then calculate your cost of downtime per hour. Once you have an idea of what that number is, you’ll have a better understanding of the ROI on different approaches to disaster recovery. In this blog post, we’ll look at average downtime risk based on availability, and we’ll take a look at how much companies typically allocate for their DR budgets.

Determine Compliance Requirements & Downtime Cost

Some organizations, especially banks, government organizations and hospitals, must meet certain compliance requirements for backup and disaster recovery (FDIC, SSAE, HIPAA). If you must meet compliance requirements, begin by listing them. Next, determine your approximate cost of downtime per hour. This could include revenue loss and/or productivity loss. Other costs, such as the cost of repairing a damaged reputation, are often overlooked. If you don’t know your company’s cost of downtime, read our blog post on calculating downtime. Next, figure out how many hours of downtime you experience annually. Look at your contract with your cloud and/or data center provider to find your agreed-upon percentage of availability.

If you simply run your IT infrastructure out of your office, ask your utility provider or building superintendent how many hours of power outages they experience annually. Then use the chart below to see how the hours translate to availability. According to a 2016 study by Cloud Endure, 77% of companies have a service availability goal of at least 99.9%, meaning no more than nine hours of downtime per year. Looking at the chart below, you can see why.

[Chart: Cost of downtime by availability and total annual risk]

*IDC/Carbonite based on mean cost of downtime per minute for small businesses ($282/min)
**Based on Ponemon Institute 2016 mean cost of data center downtime per minute ($8,851/min)

How Much Data Can You Afford to Lose?

Another factor to consider (this may also be included in your compliance requirements) is data loss. How much data can your company lose after an outage before suffering significant losses from fines, reputation damage and productivity loss? The maximum period of time over which your company can afford to lose data is referred to as the Recovery Point Objective (RPO). According to the survey by Cloud Endure, 25% of companies had an RPO of less than one minute, while 36% had an RPO of less than one hour. (See below.) Determine this number for your company and add it to your list of requirements for your disaster recovery / business continuity plan (DR/BC).

[Chart: What Is Your RPO?]

Source: Cloud Endure 2016 Disaster Recovery Survey

How Many Hours of Downtime Can You Expect from a Natural Disaster?

If your company or organization does not currently use an infrastructure provider, such as a cloud provider, colocation provider, or DRaaS (Disaster Recovery as a Service), it means there are no SLAs covering your cost of downtime, and you should expect to cover 100% of costs from routine outages (such as planned maintenance) and major storms or natural disasters. So, how many hours of downtime can you expect to experience in the event of a disaster? Here are some examples of lengthy power outages from hurricanes in recent history.

  • Hurricane Rita (Texas): 384 hours
  • Hurricane Sandy (Long Island): 337 hours
  • Hurricane Ike (Texas): 336 hours
  • Hurricane Sandy (Maryland and West Virginia): 241 hours

Power outages from severe storms can last several days, and restoration can take as long as two weeks. Hurricanes aren’t the only natural disasters that result in lengthy outages. For example, snowstorms in Boston, earthquakes in California and tornadoes in Kansas have resulted in power loss for multiple days. While two-week outages are rare occurrences, it is advisable to plan for the possibility of at least a few days of downtime annually due to harsh weather conditions.

Still Want to Know What Other Companies Are Spending?

When we look at survey results from disaster recovery studies, we find that disaster recovery spending correlates with a company’s average cost of downtime. A 2016 study by Cloud Endure found that organizations that have a daily cost of downtime less than $10,000 spend less than $10,000 annually on backup and disaster recovery. Those who have a daily cost of downtime that exceeds $10,000 have an annual disaster recovery budget that exceeds $10,000. Forty-one percent of IT pros surveyed said their companies have a DR budget that exceeds $100,000. Additionally, a 2014 study from Evolve IP found 55% of survey respondents spend $50,000 or less annually.

Source: Cloud Endure 2016 Disaster Recovery Survey

When looking at these numbers in comparison to average downtime costs, it’s clear that many companies underfund their disaster recovery initiatives. They should at least aim to mitigate the cost of downtime based on the average availability of their systems ($147,813 a year for a small company with 99.9% availability).
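
The availability-to-cost calculation used throughout this post, as an added example (not part of the original post): it converts an availability percentage into annual downtime and annual risk using the two per-minute costs from the chart footnotes, and converts measured outage hours back into availability. The tier list and the `days_per_year` parameter are assumptions of this example; the post's $147,813 figure is reproduced with a 364-day (52-week) year, while a 365-day year gives $148,219.

```python
# Added example: downtime and annual risk from an availability percentage.
MIN_PER_HOUR = 60

# Per-minute costs quoted in the chart footnotes on this page.
COST_SMALL_BUSINESS = 282      # IDC/Carbonite, USD per minute
COST_DATA_CENTER = 8851        # Ponemon Institute 2016, USD per minute


def downtime_hours(availability_pct, days_per_year=365):
    """Expected hours of downtime per year at a given availability."""
    return (1 - availability_pct / 100) * days_per_year * 24


def annual_risk(availability_pct, cost_per_minute, days_per_year=365):
    """Expected yearly downtime cost in USD, rounded to the dollar."""
    minutes = downtime_hours(availability_pct, days_per_year) * MIN_PER_HOUR
    return round(minutes * cost_per_minute)


def availability_from_outage(outage_hours, days_per_year=365):
    """Availability (%) implied by a measured number of outage hours."""
    return round(100 * (1 - outage_hours / (days_per_year * 24)), 3)


def risk_table(tiers=(99.0, 99.9, 99.99, 99.999)):
    """Rows of (availability, hours down, small-business risk, data-center risk).

    The tiers are assumed for illustration; they are not taken from the chart.
    """
    return [(a, round(downtime_hours(a), 2),
             annual_risk(a, COST_SMALL_BUSINESS),
             annual_risk(a, COST_DATA_CENTER)) for a in tiers]


if __name__ == "__main__":
    for row in risk_table():
        print("%7.3f%%  %8.2f h  $%12d  $%14d" % row)
    # The post's small-business figure corresponds to a 364-day year.
    print(annual_risk(99.9, COST_SMALL_BUSINESS, days_per_year=364))
    # Availability left after one Hurricane Rita-length outage (384 hours).
    print(availability_from_outage(384))
```

Comparing the annual risk for your own availability tier against a proposed DR budget gives the ROI comparison the post recommends.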

Keeping cost of downtime and compliance in mind, here are some budget statistics by company category. According to Gartner’s data, the government, financial services and healthcare sectors spent the most on disaster recovery. Compliance is one major driving factor for these sectors. While this data is from 2008, it’s safe to say that budget allocation for DR/BC continued to increase over time due to increasing reliance on IT services for all business functions. The Evolve IP study from 2014 produced similar results to Gartner’s, showing that the banking and government sectors felt most prepared for a disaster.

[Chart: DR Spending Based on % of Data Center Budget]

Mind the IT/Executive Knowledge Gap

Something else to keep in mind when pitching a DR/BC plan for your company is the knowledge gap between IT and the executive team. According to Evolve IP’s study, 70% of executives felt their company was very prepared to recover from a disaster, while just 45% of IT professionals felt their organizations were well prepared.

DR/BC planning should involve backup and recovery, failover plans and sometimes secondary worksites. With all these factors in mind, you can determine how important, or unimportant, a disaster recovery plan is for your business and determine the right budget to minimize your organization’s legal and financial risks.