Budgeting for Disaster Recovery
- Published on Tuesday, 30 October 2007 12:12
One area of great importance to disaster recovery planners that has received very little attention is the question of how much to spend on the disaster recovery planning (DRP) effort. Through application of a “worst case” risk analysis process corporate officers can be effectively “sold” on the need for effective DRP, but what guidelines can be utilized in determining the amount of corporate resources that should be devoted to recoverability?
An excellent example of how to make such a determination is available in the insurance industry. Actuarial science is a field specifically directed at determining a reasonable price (including profit) for risk specific coverage. Actuaries use event frequency statistics to determine insurance rate. While it is unreasonable to expect DR planners to become proficient actuaries, we can certainly use actuarial methods in efforts to decide how much money should be spent on DRP.
An extension of simple “worst case” risk analysis methods can yield estimates of a company’s probable annual loss due to specific risk factors. Once an accurate picture of probable annual loss is developed, that loss figure can be utilized as a budgetary guidance tool.
Let’s look at a simplified example. Suppose X corporation has an IBM based host DP facility that supports their management of manufacturing operations. An impact analysis has demonstrated that in the absence of an effective DRP, X corporation will stand to lose $100 M if this data center is destroyed by fire. The DR Coordinator obtains information from his insurance carrier which indicates that a facility configured like X corporation’s data center can expect to experience a total loss with fire in 300 years. Assistance in determining event frequency can be obtained from insurance carriers and governmental agencies.
We now know how often the event (fire) is likely to occur, an what its impact will be. From this information we can estimate a level of probable annualized loss due to a totally destructive fire by utilizing the formula:
Annual Loss Exposure (ALE) = impact x frequency
We can express the frequency of once every 300 years as the ratio 1/300. So our formula yields:
ALE = $100,000,000 x 1/300 or
ALE = $100,000,000/300 = $333,333
This calculation tells us that the X corporation has an annual loss exposure of $333,333 due to totally destructive fire at the data center in question. In order to determine a total ALE of operation, take the factor ALE’s for all other risk factors that we wish to consider (earthquake, tornado, employee sabotage, etc.), and total them. Once our total ALE figure is determined, it can reasonably be used to guide budgetary decision making. It is simply bad business to spend more on DRP than you are “losing” on an annual basis.
Any competent risk analysis will include calculation of ALE. In fact, it is a cornerstone of the risk analysis method recommended by the National Bureau of Standards (NBS) in FIPS Publication 65. The NBS methodology presents a simplified method to ALE estimation which utilizes indexed tables. This method was originally developed by Robert H. Courtney Jr. of IBM, who gave permission to NBS to adapt the method to their needs. While this indexed table method does not yield ALE estimates quite as accurate as individual calculation, it is a viable way to obtain ALE figures that can be used as a broad budget guidance tool. FIPS Publication 65 and other NBS guidelines pertinent to DR and data security can be obtained from the National Technical Information Service:
National Technical Information Service
5285 Port Royal Road, Springfield, VA
22161, NTIS information (703) 487-4600
Regardless of the calculation method used, as the number of event types under consideration increases so does the volume of calculations to be performed. A PC based spreadsheet package can be an invaluable aid in these calculations. In addition, there are an increasing number of risk analysis consultants available to assist you. In any event, it pays to be an informed consumer when buying such services, and it certainly pays to have a financial yardstick available when cost analyzing your DRP alternatives.
Andrew M. Munro is a Disaster Recovery Planner with MCI Communications.
This article adapted from Vol. 2 No. 2, p. 45.