2012 IT DISASTER RECOVERY SURVEY Certitude TECHNOLOGY RISK SERVICES

Certitude - Disaster Recovery Survey presentation - 08 nov2012


Organisations operating in Australia

12 of the 19 ANZSIC Industries

Representation of all employee sizes

All annual IT spend, except for $0.5m to $1m

DEMOGRAPHICS


DR Budget (% of IT)

Outages vs DR Spend

Most outages reported by those who spent 1% of their IT budget on DR

Respondents who spent > 10% incurred 12% of all outages reported

Those with IT budgets <=$100k spent nearly nothing on DR

BUDGET

Respondents spend around 3% of their IT budget on disaster recovery. However, money doesn’t necessarily buy fewer IT outages.


Location

Recovery Site Location

Most respondents (55.88%) recover to the same city

Size & geographical presence have a significant influence on recovery location

Respondents who have a regional presence are taking full advantage of their geographical diversity

RECOVERY LOCATION

Small and/or geographically non-dispersed organisations have difficulty finding suitable recovery locations.


MATURITY

Maturity

Outages vs Maturity

Higher levels of disaster recovery maturity can reduce system disruption.

Most describe their DR maturity as ‘repeatable, but intuitive’, or ‘defined’

Size does not influence maturity.

The higher the maturity, the lower the number of outages and harm (e.g. average and longest duration)


STANDARDS & REGULATIONS

Standards / Guidelines

Disaster recovery standards and guides do not significantly influence most organisations’ disaster recovery.

Regulation / Legislation

Standards have no significant influence on disaster recovery

Broader standards have greater influence than DR specific ones

There are changes to APRA’s Practice Standards that affect DR


PROCESS INTEGRATION

Where DR is Embedded

Disaster recovery is poorly embedded into project and service level management, as well as service desk processes.

Most have DR embedded into IT Service Continuity, ICT Infrastructure, Availability, Change, Incident, Security & Financial Management

Few have DR embedded into Release, Management, Service Desk and Service Level Management!


THREATS

Where DR Threats are Identified

Trends learned from incident & problem management are not often used to identify DR threats & opportunities to prevent future system disruption.

Most use various forms of risk assessment to identify threats

Few (<30%) use information recorded by incident and problem management processes to identify threats


KEY CONTROLS

The management of service levels and 3rd-party service providers is being missed to control disaster recovery risk.

[Chart legend: Not Identifi…; Identified, but …; Identified and …. Chart categories: Manage Changes; Manage Performance & Capacity; Manage Problems; Define & Manage Service Levels; Manage Third-Party Providers; Manage Physical Environment]

Few evaluate important DR controls such as managing performance, capacity and problems

Even fewer recognise the importance of managing service levels, and third-party providers.


Nearly half experienced unplanned outages in the past 2 years

Direct correlation between maturity, and outage frequency and duration

DISRUPTIONS

Average (hrs)

Longest (hrs)


Outages


DISRUPTIONS

Root Causes

Many system disruptions are essentially self-inflicted.

Many causes of disruption can be controlled; the processes that affect outages are in the direct control of the organisation

Processes that help manage 3rd-parties are neglected even though many outages are caused by third-parties


RECOVERY REQUIREMENTS

RTO Considerations

Users are involved in determining disaster recovery requirements.

RPO Considerations

Work-arounds, and system dependencies are well considered

The re-entry and processing of lost data, and the clearing of any work backlog, are not well considered


EXPECTATIONS & IMPACT

Expectation Management

The most difficult area of harm to quantify, reputation, is of the greatest concern.

Areas of Harm

Users are involved but expectations are not well managed

Reputational damage was of high concern, and is the most difficult to actually measure, and quantify

Operational and financial impacts also ranked highly


DESIGN & TECHNOLOGY

Use of DR Architecture

Use of Production Technologies

Only 75% of respondents make good use of the DR architecture

12% have no DR architecture at all

Most make good use of existing technologies in their production environment

Cloud-based services not popular

Technologies in production are well utilised for recovery capability. However, use of DR architecture is not widespread.


DOCUMENTATION

Documentation Tools

Documentation Status

38% review or update their documentation at least once every year.

94% use generic word processing tools to document their disaster recovery plans

Supporting documentation is often neglected

Plans are often out of date, and supporting documentation is often unidentified or unavailable.


TRAINING

Training Frequency

Many respondents use disaster recovery testing as the primary method of training.

Training Methods

47% have never conducted disaster recovery training

Some considered regular disaster recovery testing to be the best form of training


TESTING

Testing Frequency

Few (34%) of respondents have their recovery test independently evaluated and reported.

Testing Methods

Most test at least once every year (note APRA)

8% do no testing at all

A wide range of testing methods are used, with failover to DR site the most popular


2012 IT Disaster Recovery Survey

@ www.certitude.au.com