Disaster recovery for computers is a means, not an end in itself
January 20, 2013
When you draw up disaster recovery plans for your organization's computers, there is something very important to remember: the ultimate goal of a DR plan for computers is to help the organization to keep working in the face of a disaster. On the one hand, this sounds obvious. On the other hand, there is a huge difference between allowing the organization's computers to keep working after a disaster and allowing the organization to keep working after a disaster. The difference is that there are plenty of other things that your organization may (also) need in order to keep functioning.
(Of course there are organizations where computing is the most important thing about them and is basically the only thing that they need.)
This matters because, in the broad view, there is no point in the organization's computers being back if the organization is not otherwise functioning. There is especially no point in spending money (or preallocating resources) to make computing survive when the organization doesn't. Doing so is the equivalent of planning to carefully construct and paint a single wall of a house all by itself, without the rest of the house. It's a very nice wall, very well constructed, and you've thought of all of the contingencies in building it, but it has no point. All your planning effort is wasted effort.
(It's easy to overlook this if your job is to care very, very much about that one wall.)
Or in short, computing disaster recovery is just one component of overall disaster recovery. It is often not complete by itself.
One consequence of this is that if the organization doesn't or can't have a disaster recovery plan for the other things that it needs to function, a computing DR plan may be more or less pointless. Or at least you don't need a comprehensive DR plan; all you need is a DR plan that covers the contingencies where the only important thing that the organization has lost is the computers. In other words, there may well be some risks that are not worth mitigating in your computer DR plan because the risk would also destroy other things that the organization needs to function and there are no plans for how to recover from them.
(Again, disaster preparation is different from disaster recovery plans. You can be prepared to (eventually) recover from a building going up in flames without having a specific plan for it.)
On the other hand there are some organizations where the only thing that the organization really needs to keep going is its computers and maybe some people to answer the email. In these organizations, computing DR is organizational DR and it may well make sense to pay a lot of attention to a lot of risks and to try to mitigate them. Understanding what sort of organization you're in and what the organization's crucial resources actually are is a big part of good, sensible DR planning.
(The corollary of this is that there are no one-size-fits-all answers for what risks you should consider in computing DR planning.)