Are your SaaS or hosted solutions your weakest DR link?

4 minute read

My observations...

We recently completed a Disaster Recovery Strategy & Roadmap engagement with a client and I wanted to take a moment to 'report out' what I see, far too often...

Applications, Systems, and Business Processes are becoming more-and-more complex.  As organizations undergo Digital Transformation many systems are being modernized with cloud services and/or SaaS providers to provide agility and a competitive advantage.  This is a great thing, don't get me wrong.

The issue that organizations are experiencing is that as they have grown, evolved, and expanded into the cloud they may not have accounted for Disaster Recovery at every step or change in the journey.  This includes infrastructure, architecture, and SaaS solutions.

When the time comes to develop a Disaster Recovery strategy, organizations often realize that their SaaS solutions or providers are in many cases, their weakest link.

Real-world examples from recent engagement:

Below I will give some high-level information and excerpts this recent engagement.  It also can give you an idea of how we can help with developing your Disaster Recovery Strategy and Roadmap.

Disaster Recovery Lifecycle

In scope for this engagement was:

  • Risk Assessment
  • Business/IT Impact Analysis
  • Strategy & Approach
  • Business/IT Continuity Plan
Creating the DR Plan, implementation, awareness, training, validation exercises, and maintaining readiness were out of scope.

Defining a disaster, risk assessment, and understanding business impact

We started off by defining what defines a disaster with the business and our IT stakeholders.  In the engagement we ended up solving for two different scenarios:

  • Natural, i.e. Flood, hurricane, fire, tornado, blizzard
  • Man-Made, i.e. Tampering, sabotage, cybercrime, ransomware, crypto lockers, data corruption, human error, terrorism
The Order-to-Cash business process was our initial focus, thus enabling cash flow to continue even after a disaster.  We then determined what the financial impact was to the business if the Order-to-Cash business process was not available for different periods of time.

On a parallel path, we conducted a 1-week onsite discovery and risk assessment of the IT landscape with a special focus on systems that were a 'part' of the Order-to-Cash business process.  This also included physical locations, colocation, Cloud Providers, and SaaS providers.  We examined SOPs, current architecture, availability and monitoring reports, weaknesses, etc.

Risk classification, likelihood, and impact

After we captured all risks we then set out to rationalize them, classify them, and rank them.  This resulted in 219 unique risks that were aggregated under 12 Risk Areas.  For the point of this article we only need to see the TOP 5 risk areas:

In this case, we uncovered and documented 45 risks related to SaaS solutions and providers that would directly affect the mission-critical Order-to-Cash business process if they did not function.

How did they get there?

This organization is typical and not different from others on how they ended up with this issue.  I'll summarize with some simple bullets:

  • Rapid business growth
  • Prototypes and POCs became production
  • Knowledge loss came with organizational changes and IT resource turnover
  • Lack of initial Disaster Recovery Strategy and Approach

How we helped

  • Defined what constitutes a disaster
  • Determined which business processes should be recovered during a disaster scenario 
  • Conducted IT Landscape risk assessment
  • Classified and ranked risk areas, likelihood, and impact (Risk Matrix)
  • Prescribed risk remediation steps and controls to mitigate future risks
  • Defined objectives for RPO, RTO, MTD
  • Developed Disaster Recovery Strategy & Roadmap

What you can do now to stop the bleeding

  • Define what a disaster is to your organization
  • Understand what systems and services contribute to mission-critical business processes
  • Conduct and document risks and impacts
  • Develop a Disaster Recovery Strategy & Roadmap
  • Incorporate DR as part of the contract negotiation process when procuring SaaS or hosted solutions
  • Share defined objectives for RPO, RTO, MTD and ask if vendors can support objectives
  • Define selection criteria in advance of the provider selection process
  • Determine financial implications offered by SaaS providers for DR capabilities
  • Include availability reporting and financial remediations for outages and disruption as part of the contract
  • Include terms that allow the termination of the contract for failure to meet availability and recovery objectives
  • Consider requesting support with the initial recovery procedures; vital skills may not be sufficient or even exist
  • Consider requesting support options that could be leveraged in an actual disaster scenario

In Conclusion

The above example is all too typical.  It happens.  By reminding ourselves that SaaS solutions and providers can contribute to mission-critical business processes, we can ensure that Disaster Recovery capabilities for that 'step' are accounted for.  Start with 'stop the bleeding' and let us help you with the rest.  Most DR assessments, strategies, and roadmaps only take between 5-6 weeks to complete, let's get started.

How we can help

  • Developing a Disaster Recovery Strategy & Roadmap
  • Detailed Risk Assessment and Business Impact Analysis
  • Developing Business Continuity Plans
  • Developing Disaster Recovery Plans
  • Disaster Recovery Validation
  • Transforming to DRaaS

Post a Comment

Previous Post Next Post