Component Five: In-House vs Outsource
OK, let’s recap. You’ve defined what a successful disaster recovery looks like, the components needed for recovery, how much time you are willing to be down and how much data you are willing to lose, and you’ve established a budget to accomplish all of the above. Now you need to determine who exactly is going to perform all of these duties. Basically, you have two options or a variation of the two. You can go in-house by hiring additional staff, purchasing the necessary infrastructure, etc., or you can outsource by hiring a service provider to supply the infrastructure, technical resources, etc. Of course, there is always the third option of a hybrid approach, where you keep a portion in-house and outsource the remainder.
Do you fully understand the business impact of downtime by application?
In order to confidently say “Yes” to this question, you need to have:
- Performed a business impact analysis (BIA) to help you prioritize applications based on their importance to your credit union.
- Used the BIA to help you prioritize applications.
- Mapped application inter-dependencies (so that you have a clear picture of which applications depend upon each other and tier them correctly).
- Set applications’ Recovery Time Objectives and Recovery Point Objectives (RTOs/RPOs) accordingly.
Can you afford to do IT disaster recovery in-house?
Answering “Yes” to this question means you have both the necessary capex and opex budget to support an in-house IT disaster recovery program. On the capex side, you’ll need to fund DR equipment and software, as well as recovery sites and systems for the recovery site. (Can you say, “I need two of everything?”)
On the opex side, you’ll need to pay for recovery site operations and for staff time to develop recovery procedures and maintain recovery manuals. You’ll also need to fund the once- or twice-a-year travel and other expenses for proper DR testing. It definitely adds up.
Do you have the in-house expertise for DR?
Keeping systems up and running is an entirely different skill set from recovering them quickly from scratch during a disaster or after a disruption, and many CIOs do recognize this. Sungard recently did a survey of Fortune 1000 enterprises on their DR planning efforts and concerns, and 54% mentioned shortages in staffing and expertise as their biggest challenge. Having worked with many credit unions, we have seen them struggle with this on a day-to-day basis. The key questions CIOs need to ask themselves are:
- Does my staff have the skills to develop recovery processes and procedures?
- Can they perform rigorous change control?
- Are they actively up-to-date on DR best practices and integrating them into the IT lifecycle?
- Can they perform robust DR planning and manage a fail-proof disaster recovery program?
Are you confident you are recoverable?
The key question here for CIOs to answer is: Am I able to stand in front of the Board of Directors and certify that the credit union is recoverable? Below is a directional checklist for being able to say a resounding “Yes!”
- We actively test and validate our DR plans.
- We have a good handle on change management (and perform it regularly).
- Our staff is willing and able to travel in the event of a disaster.
- We can prove recoverability in an audit.
- In our last test, we met all RTOs and RPOs for our mission-critical applications.
So should you outsource your IT disaster recovery program to an outside provider? That depends on your overall IT strategy, your desired availability posture, and of course, your answers to the foregoing four questions.
It is critical that you properly vet your potential disaster recovery vendors.
- Do they fit into your budget?
- Are their services inclusive of all of your needs or only some?
- Can they meet your RTOs and RPOs?
- Do they have industry and core system knowledge?
- Do they provide a no-cost, no-obligation evaluation of their services?
Outsourcing disaster recovery can make a lot of sense. However, it is one of the most important decisions you are going to make, so it is critical that the vendor not only fits into your budget but is also capable of delivering on their promise. Make sure you are able to evaluate their products and services.
If the vendor is not willing to take the time to show you they are capable of delivering on their promise prior to signing an agreement, then you might consider looking elsewhere. The last thing you want to do is put in the time and money implementing the service, only to find out later, during a test or an actual disaster, that they cannot deliver. You might not get a second chance. Please check back with us next week when we cover “Component Six: Reassess”.