Rethinking IT disaster recovery strategy – a shift in focus

The annual ComputerWeekly/TechTarget ‘IT Priorities Survey’ questioned 111 UK IT professionals, and one of its key findings was that IT disaster recovery is a key project for 45% of those questioned.

Also, the Sheshunoff ‘Bankers Guide to Disaster Recovery Planning’ stated that:

‘only 36% of banks have documented disaster recovery plans for every critical business unit and failure to have an acceptable plan in place has become a frequently cited regulatory violation’.

Most financial institutions have some form of IT disaster recovery plan in place, but are those plans actionable? Certainly disaster recovery has become a hot topic in recent years. Regulators in all key financial districts are stressing the importance of developing a robust and actionable IT disaster recovery strategy and plan. But what should IT departments really be focusing on?

IT departments manage complex platforms and systems as well as outsourcing arrangements, so effective disaster recovery can be difficult to fully action. In response, we have seen financial institutions start to rethink what IT disaster recovery actually means, with a shift in focus to ‘disaster resilience’. Under this view, the ability to recover from a ‘disaster’ should be hard-wired into the IT DNA of an organization rather than relying on a documented plan, which is often out-of-date.

We believe that a robust IT disaster recovery strategy should cover all angles including:

  • Infrastructure, data and systems (i.e. can disaster resilience be incorporated into your infrastructure, and can key data be easily accessed?)
  • Disaster recovery sites
  • Policies and work-force communication
  • Third-party outsourcing disaster recovery (including virtualization, disk backup and cloud solutions; i.e. where cloud solutions are used, what are the cloud provider’s disaster recovery mechanisms in the event that their systems go down?)
  • Disaster recovery testing
  • Regulatory and compliance considerations (e.g. data ownership, hosting and reporting)

The FCA has been taking a much closer look at banks’ IT systems. The FCA fined RBS, NatWest and Ulster Bank £42,000,000 for IT incidents. One of the key findings from the FCA’s Final Notice stated that RBS’:

‘IT Continuity Policy Standard was not adequate because, although it was consistent with the operational risk appetite, it was limited in scope because it addressed recovering from a single low probability but high impact event of the total loss of a data centre. The policy should have included a much greater focus on IT Resilience, that is designing IT systems to withstand or minimise the risk of disruptive events (such as software failures) that are more probable and that can potentially have an equivalent effect’.

IT departments must ensure that both IT systems and their underlying disaster recovery plans/policies are resilient and cover a broader remit than dealing with one-off ‘disaster’ events. As a result, IT executives will be re-thinking their focus on disaster recovery.