Step 2: Identify risk, and locate all your data: Identifying risk in a large, distributed enterprise is a complex task. Risks are everywhere, starting with cyberattacks (including insider attacks), and encompass human error, system failures (hardware, software, network), natural disasters, and third-party vulnerabilities associated with supply chains, cloud service providers, and SaaS providers.When Forrester asked survey respondents to identify the root cause of invocations of their DR/business continuity plans, the top causes were IT failure, natural disaster, IT security incident, supply chain disruption, and power outage. Each type of risk calls for a different response plan.Renner says that organizations often struggle to answer basic questions such as “Where is my data?” and “Who owns the data?” He adds, “The more complex the system is, the harder it is to identify system owners and to identify where the data is residing, including structured and unstructured data.”The good news is that there are AI-driven software tools that can scan structured and unstructured enterprise data to identify vulnerabilities, perform data discovery, and classify the data.Gartner predicts that by 2029, 90% of backup and data protection platforms products will integrate genAI to improve management and support operations, compared with fewer than 25% in 2025.
Step 3: Conduct a business impact analysis: Data doesn’t exist for its own sake; it’s there to support the business, so enterprises need to understand the business impact of a disaster and back up only what’s necessary. Still, when organizations go through the exercise of identifying all the bits and pieces of a complex business process, it can become overwhelming, particularly in a hybrid or multicloud environment rife with microservices, containers, APIs, identity and access controls, SaaS applications, and so on.Accenture’s Whelan says that rather than try to restore the entire business in the event of a disaster, a better approach might be to create a skeletal replica of the business, an MVB, that can be spun up immediately to keep mission-critical processes going while traditional backup and recovery efforts are under way.This type of “out-of-the-box” fail-over system could include a core functions such as email, which would enable the organization to communicate internally and externally, while other, less time-sensitive functions like ERP are recovered.This MVB approach requires tight integration between business units and technology teams, Whelan says. They need to work together to conduct dependency mapping aimed at identifying critical business functions and the technology components associated with that function.
Step 4: Backups strategies shift from 3-2-1 to 3-2-1-1-0: The basic 3-2-1 backup strategy that has been standard for many years is no longer sufficient. The idea of having three copies of data on two different backup formats, with one copy located offsite, is being replaced with 3-2-1-1-0.The two additional elements are: one offline, immutable, or air-gapped backup that will enable organizations to get back on their feet in the event of a ransomware attack, and a goal of zero errors. Immutable data is “the gold standard,” Whelan says, but there are complexities associated with proper implementation. For example, in the event of a disaster, how does an enterprise know when the last snapshot occurred? And how does an enterprise verify that the data being saved in an immutable data store is accurate and not corrupted? “We’re still finding that data cleanliness and providence is a major issue for organizations,” he adds.FTI’s Renner points out that AI-driven backup and restore platforms can continuously scan enterprise data for accuracy, and develop recommendations for how often snapshots should be taken, where data should be stored, and what data needs to be backed up.And Gartner estimates that 35% of enterprises will implement agentic AI to perform autonomous backup operations by 2029, up from less than 2% in 2025.
Step 5: Create the plan and test it: There are many templates for creating the actual plan document, and AI systems can automate the process. The plan needs to be clear, and it needs to document procedures for incident detection and reporting, communication with internal and external stakeholders, emergency response in the event of a natural disaster, IT recovery, business continuity, and roles and responsibilities for relevant parties.But the plan must be tested. According to the Forrester report, “Unfortunately, the testing situation is largely unchanged since 2008. For all test types, most organizations only test once per year with plan walk-throughs and tabletop exercises, and as tests become more extensive, test frequency declines, 41% of respondents said that they never performed a full simulation.”Forward-thinking companies are trying to make tabletop exercises more effective by switching from a static PowerPoint presentation to interactive, gamified experiences that are more realistic and compelling, Renner says. “I’ve never seen a tabletop not be effective in teaching someone a portion of their business they weren’t thinking about ahead of time,” he adds.
Step 6: Managing the aftermath: The final piece of the puzzle is the post-mortem, taking stock in the aftermath of a disaster. Organizations need to pinpoint what went wrong and determine how it can be prevented in the future.And Gartner analyst Michael Hoeck argues that backup copies of enterprise data don’t have to just sit there; they can be put to good use. He predicts that by 2029, 30% of enterprises will make use of backup copies of data for analytics and inference, up from less than 5% in 2025.
Step 5: Create the plan and test it: There are many templates for creating the actual plan document, and AI systems can automate the process. The plan needs to be clear, and it needs to document procedures for incident detection and reporting, communication with internal and external stakeholders, emergency response in the event of a natural disaster, IT recovery, business continuity, and roles and responsibilities for relevant parties.But the plan must be tested. According to the Forrester report, “Unfortunately, the testing situation is largely unchanged since 2008. For all test types, most organizations only test once per year with plan walk-throughs and tabletop exercises, and as tests become more extensive, test frequency declines, 41% of respondents said that they never performed a full simulation.”Forward-thinking companies are trying to make tabletop exercises more effective by switching from a static PowerPoint presentation to interactive, gamified experiences that are more realistic and compelling, Renner says. “I’ve never seen a tabletop not be effective in teaching someone a portion of their business they weren’t thinking about ahead of time,” he adds.
Step 6: Managing the aftermath: The final piece of the puzzle is the post-mortem, taking stock in the aftermath of a disaster. Organizations need to pinpoint what went wrong and determine how it can be prevented in the future.And Gartner analyst Michael Hoeck argues that backup copies of enterprise data don’t have to just sit there; they can be put to good use. He predicts that by 2029, 30% of enterprises will make use of backup copies of data for analytics and inference, up from less than 5% in 2025.
First seen on csoonline.com
Jump to article: www.csoonline.com/article/515730/business-continuity-and-disaster-recovery-planning-the-basics.html
