Many organizations place disaster recovery on the back burner because they consider it to be too big of an expense. Why allocate money toward “what if” scenarios when those funds can be put toward more immediate business needs, like sales and marketing? The problem is, treating cyber security incident response and disaster recovery as an afterthought or unnecessary luxury in an attempt to save money may very well end up costing your company a lot more than you may realize. In fact, some research indicates that upwards of 25% of businesses that close due to unforeseen events never reopen.
Even temporary downtime can be incredibly costly, with average hourly losses ranging from $50,000 up to millions of dollars. Shifting perspective from expense to investment by identifying ROI can improve how disaster recovery is viewed and increase adoption, which means a safer, more secure business operation.
First and foremost, you can’t calculate the value of having a solid cyber security incident response and disaster recovery strategy until you understand what a loss could potentially cost. Specifically, by determining what costs and losses are acceptable, you can then begin to establish acceptable recovery parameters. These will include a Recovery Time Objective (RTO) as well as a Recovery Point Objective (RPO).
Your defined RTO should indicate the maximum amount of downtime your organization is willing to tolerate. Your RPO should help gauge how much data your business can comfortably afford to lose, measured in seconds, minutes, hours and/or days. Typically, different RTO and RPO values will be set for each system or business process, based on importance. For instance, you would likely set higher objectives for systems where downtime would have the lowest business impact, such as email servers, than for mission-critical systems that directly impact revenue.
Assigning priorities to each proposed scenario can be handled using a “cold” versus “hot” scale, with higher RTO and RPO scenarios requiring a cold solution and those with lower tolerances requiring hot capabilities. For example, systems that can withstand a downtime of 24 hours or more without making a significant impact would be categorized as cold, while systems with an RTO of 15 minutes or less would require a much more urgent – or hot – response.
The final step in the process is to officially calculate the expected ROI considering the following factors:
- Unprotected downtime (amount of time required to restore operations without a formal disaster recovery plan in place)
- Protected downtime (amount of time to recovery with a DR solution in place)
- Hourly revenue (amount of annual revenue divided by the total number of working hours in a year)
By multiplying both downtime scenarios by the hourly revenue you can determine the potential loss associated with each. The difference between the two represents the loss that can be avoided by implementing a documented disaster recovery strategy.
From there, the formula for calculating the overall ROI of DR is as follows:
ROI = ((Avoided loss – cost of disaster recovery solution) / cost of disaster recovery solution) x 100%
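The calculation described above, worked through end to end as an added example that is not part of the original article. The 2,080 working hours per year, the sample revenue, downtime and cost figures, and the "intermediate" tier for RTOs between 15 minutes and 24 hours are assumptions made for illustration.

```python
"""DR business case: avoided loss and ROI for one outage scenario."""

WORKING_HOURS_PER_YEAR = 2080  # assumption: 40 h/week x 52 weeks


def hourly_revenue(annual_revenue, working_hours=WORKING_HOURS_PER_YEAR):
    """Annual revenue divided by the working hours in a year."""
    if working_hours <= 0:
        raise ValueError("working_hours must be positive")
    return annual_revenue / working_hours


def avoided_loss(unprotected_hours, protected_hours, revenue_per_hour):
    """Loss without a DR plan minus loss with the DR solution in place."""
    unprotected = unprotected_hours * revenue_per_hour
    protected = protected_hours * revenue_per_hour
    return unprotected - protected


def dr_roi_percent(avoided, dr_cost):
    """ROI = (avoided loss - DR cost) / DR cost x 100."""
    if dr_cost <= 0:
        raise ValueError("dr_cost must be positive")
    return (avoided - dr_cost) / dr_cost * 100


def rto_tier(rto_hours):
    """Hot/cold scale from the article; the middle band is an assumption."""
    if rto_hours <= 0.25:   # RTO of 15 minutes or less
        return "hot"
    if rto_hours >= 24:     # can withstand 24 hours or more
        return "cold"
    return "intermediate"   # not defined in the article


def business_case(annual_revenue, unprotected_hours, protected_hours, dr_cost):
    """Run the three-factor calculation and return each intermediate value."""
    rate = hourly_revenue(annual_revenue)
    saved = avoided_loss(unprotected_hours, protected_hours, rate)
    return {"hourly_revenue": rate, "avoided_loss": saved,
            "roi_percent": dr_roi_percent(saved, dr_cost)}


if __name__ == "__main__":
    # Constructed figures: $10.4M revenue, 48 h outage cut to 4 h.
    print(business_case(10_400_000, 48, 4, 80_000))    # DR pays for itself
    print(business_case(10_400_000, 48, 4, 300_000))   # DR costs more than it saves
    print([rto_tier(h) for h in (0.25, 4, 24)])
```

A negative result, as in the second scenario, means the solution costs more than the single outage it mitigates, so the case for it has to rest on other avoided losses.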
It’s important to point out that given today’s digital landscape, the risks associated with potential online security breaches and the subsequent downtime they can cause should play an integral role in the overall disaster recovery policy. Specifically, implementing a strong cyber security incident response plan that features automation as a central tool for monitoring, evaluating and addressing incoming incidents can help avoid potential losses that a successful breach can result in. This can and should also be considered when calculating ROI.
IT professionals who recognize the importance of cyber security incident response and a strong, established disaster recovery strategy can make a case for their cause by presenting the proposed ROI to key decision makers. By selling the value of such a strategy and positioning it as it rightfully should be – an investment rather than an expense – the chances of getting the financial backing needed will greatly increase.