The ITAM Role with Disaster Recovery/Business Continuity – 10 Questions that Measure Disaster Recovery Maturity

By Jonathon Kirby

Disaster Recovery (DR) preparedness is a multi-faceted set of processes that mitigates the damages to the operation of the organization during and after a wide range of debilitating events. The term disaster recovery is often paired with business continuity to better describe the complexity of multistep recovery plans. Creating and maintaining DR processes is difficult and expensive, especially when all of the effort is seen as an investment in something that will most likely not happen. The ROI of DR processes is not measured in hard-dollars and as a result, C-level executives can view DR as a cost center; a necessary evil for their organization.

One method for improving the value received from DR is to incorporate the DR update processes into normal work processes wherever possible, eliminating waste and reducing error in disaster recover testing. The goal is to improve the effectiveness and efficiency of DR processes and gain more support from executive management as a result of these efforts. IT and IT Asset Management are prime candidates for incorporating DR into their normal work processes and identifying for management how DR actually supports organizational goal achievement. A simple IT Asset Management example is arranging the permanent retention of software proofs of purchase through DR processes so that the retention and DR goals are both met without unnecessary duplication of effort.

The Role of ITAM

As an IT Asset Manager, you may not have worked with the DR program as a provider of data and information. In that case, it is possible that your organization’s DR program is missing the business details on the portfolio of software and hardware that is in use and that would have to be replaced as part of the business continuity phase of a disaster.

Still not clear on the role of the IT Asset Manager? To get you started, consider the role that the CIO has in creating and maintaining the DR program, answering to the rest of executive management as well as an organization’s board. A list of the top ten questions that need to be addressed is a good starting place for understanding the scope and nature of the issues:

  1. What risks are faced if core applications go down for a day, a week, or longer?
  2. What are the Recovery Time Objectives (RTO) by facility and application?
  3. How are facilities and applications currently protected and are they all protected the same way?
  4. How is security of enterprise data going to be protected during the event and the recovery processes?
  5. Who are the key decision makers in the recovery process?
  6. Does the recovery plan meet all compliance objectives?
  7. What will happen to key data in the event of a disaster?
  8. Against which types of disasters are we guarding?
  9. What was the scope of the last test of the recovery processes?
  10. What were the results of our latest full recovery test? [1], [2]
A Second Look

Understanding these questions and the role of the CIO in addressing them explains the supporting role that IT Asset Management has in providing answers. Overall, IT Asset Managers close information holes in DR processes while increasing the ROI from those processes beyond the disaster situation itself. Let’s take a second look at these questions and think through what they may mean, to IT and to ITAM:

1. What are we risking if core applications go down for a day, a week or longer? – This question should be measured based on productivity and revenue lost. A core application is one that the organization needs to function. An example would be a call center that lost VoIP connections. ITAM: Information about software and the hardware’s location and configuration is developed and maintained by ITAM, including those core applications as well as the hardware on which it resides. The ITAM asset repository information should be a valuable source of readily available and potentially more accurate data for DR. ITAM’s Vendor Management processes are also a good source of information essential in a disaster, although Vendor Management processes do not necessarily include all core product vendors. ITAM should investigate the overlap with those vendors included in Vendor Management and consider adding any missing core. With that inclusion, the collection and retention of contact information is extensive and maintained, with a recognized need for off- site retention.

2. What are the Recovery Time Objectives (RTO) by facility and application? – Prioritization is critical. The DR plan is rolled out in stages based on that priority. ITAM: In some cases, contractual language will need to support these objectives. Whether acting in the role of software negotiator or Documentation Manager, ITAM is responsible for identifying discrepancies between expectations during a recovery project and what is actually provided for in the contract. Management of contracts reduces the risk of missing or incomplete language as hardware and software are updated over time.

3. How are facilities and applications currently protected and are they all protected the same way?

4. How is the security of enterprise data going to be protected during the event and the recovery processes? – Questions 3 and 4 deal with the preservation of the physical assets as well as data itself, beginning with the status of the normal environment. ITAM: DR planning relies heavily on information about the inventory of assets to answer these questions. IT Asset Management processes also facilitate adoption of standards by creating and maintaining a portfolio perspective on the IT assets of the organization.

5. Who are the key decision-makers in the recovery process? – Who champions DR processes? Who is ultimately responsible for developing the DR plan? ITAM: Do these individuals understand that DR processes include more than backing up data? Is there clarity on how DR processes connect to normal mode activities? Do they understand the contractual elements that support DR such as right to create a backup? Educating on these issues is the responsibility of ITAM.

6. Does the recovery plan meet all compliance objectives? – One of the most important components of a Disaster Recovery process is Documentation Management. Being able to find, retrieve or secure documents during a disaster is critical to the success of the process. ITAM: Some of the most important documents to find and/or secure are documents that show compliance with various laws or regulations. Proofs of Purchases, Certificates of Destruction, licensing contracts, etc. should be considered prioritized items.

7. What will happen to key data in the event of a disaster? – This question is at the heart of the link between DR and IT Asset Management, as each participates in developing requirements for software and hardware and questions the steps taken to protect and save data on a regular basis. Essentially, what is the back-up plan for organizational data? Is it stored off-site? Is the data replicated across multiple servers? A secondary plan for the storage and recovery of key data before, during, and after a disaster is pivotal to the success of a Disaster Recovery process as a whole. ITAM: As a word of caution, disaster recovery programs do not imply permanent retention. Documentation about the end of life for hardware and proof of purchase information for software and other such documents may require additional protection that should be coordinated with the DR team.

8. Against which types of disasters are we guarding? – One view of this question is the risk-reward perspective, ensuring that the budget is spent preparing for the most likely disasters. ITAM: Another question asked at this point is about lost devices, theft and other crimes. Can the efforts for DR planning include (or coordinate with) the larger scope of securing the environment? IT Asset Managers are an excellent resource for bridging the gap since ITAM participates in both types of planning and daily actions.

9. What was the scope of the last test of the recovery processes? – How did the dry run go? What systems and IT assets does the recovery process entail? ITAM: In addition to uncovering flaws in DR processes, the results of these tests may uncover changes that IT Asset Management needs to facilitate such as working with legal on the DR language in contracts or refining the distribution of key codes for software as it is acquired.

10. What were the results of our latest full recovery test? – This question prompts follow-up questions from senior management. During that line of questioning is the best time to lay out the business case for the DR roadmap. ITAM: DR and ITAM often have overlapping needs and reflecting two sets of achievements in a single business case provides additional weight towards a positive decision.

The Benefits

The basic outcome for an IT Asset Manager’s actions is to facilitate answering these questions at a depth and level of accuracy that mitigates the risks from a disaster. The more mature ITAM program continues further and identifies additional cost reductions or savings from coordinating the ITAM and DR teams. For instance, IT Asset Management can use the DR program to propagate asset standards and support inventory controls, reducing costly remedial projects. The DR team should be able to point to an improvement in the timeliness and completeness of information used to continue operations in a disaster as well as return to normal afterwards. Cooperation is a win-win for both teams from a financial and an effectiveness perspective. Executive management should support efforts that decrease the difficulty of building and maintaining an ongoing inventory of IT assets and, at the same time, an effective DR program.

About the Author