There are five questions all good board members should know and ask concerning data storage and disaster recovery. Gartner says that 60% of the companies that lose their data are not in business after five years. That should be reason enough to make sure your board members ask the following:
1. What is the company’s RTO? RTO stands for “recovery time objective.” It is the time for a business process to be restored after a disruption. Is it minutes, hours, or days?
2. What is the RTO needed by the company? The RTO will dictate the type of service needed. A comprehensive service that covers all the bases is essential.
3. Is there a written plan? A printed copy should be kept off-site in the event a disaster affects the physical location of the company.
4. Who is responsible at the company for making sure the data storage and disaster recovery plan is being followed? Selecting someone to manage the plan is vital to ensuring things go smoothly when something goes wrong. Assigning a person to be in charge of the plan after a disaster is “too little, too late.”
5. Is it being outsourced to a reputable firm? Many companies claim they can handle your data storage and disaster recovery needs, but how do you know they are legitimate? Some important questions to be addressed when selecting a vendor include:
- Is the company financially strong?
- How many actual restores has the company successfully completed?
- How many restore tests are done per year?
- Who are the company’s customers and what do they say about the company?
- How does the firm back up its customers’ data and what is the RTO for the firm?
Takeaway: Make data storage and disaster recovery a board agenda item
Every board should have a board member who has been in the data storage and disaster recovery business and is knowledgeable in those areas. Otherwise, the company could be in jeopardy of losing its data if an emergency arises. And more importantly, it could put the company at risk of going out of business. A common mistake uneducated boards make is the creation and implementation of a data storage and disaster recovery process that doesn’t work. Some of the most common problems include:
- Wrong type of service.
- Wrong plan or no plan.
- A resource that cannot perform.
- No testing of backup at periodic intervals.
Don’t let either the board or the company risk the health of the business by not properly addressing their data storage and disaster recovery needs.
Have you experienced Data Storage or Disaster Recovery situations in your company? What steps do you suggest for ensuring the board covers itself in this area?
P.S. – Do you need an Outside Director, Advisory Board Member, Trusted Advisor, or Interim CEO? Someone who can help you see your business and your goals through “Fresh Eyes.” Contact me and I will work with you to look at where you want to go and help you find the best way to get there. Sometimes all it takes is someone with a fresh viewpoint, unencumbered by company politics or culture to help find the right solution.
Image from rajcreationzs
I serve on 4 public boards and, if asked what keeps me up at night, it’s fear of this data storage disaster and what to do about it should it happen.
I would be comfortable having a “pro” like Larry on my team!
Founder and President
The Corporate Directors Group
I appreciate your confidence.
There are big opportunities to reduce both cost and risk in this area. Many companies store way too much data for way too long. This results in heavy overspending on unnecessary data storage capacity and makes it much more difficult to properly control sensitive data and to be prepared to restore data after a disaster. The solution is to have well defined data retention policies and be sure the company follows them. Once you know which data you want to store and for how long based on its nature, you can take steps to be sure an appropriate level of security is in place for various classes of data. You can also determine you have an appropriate disaster recovery plan in place for each class of data.
Brad, thanks for reminding us not all data is equal and the disaster recovery plan needs to reflect this point.
You bring to light a really important point. If one was to think about how bad the world would be if they lost the data in the smartphone, they would begin to get a taste of what it would be like for a company to lose its data.
Thanks for bringing this important message to boards.
Chairman and CEO
Quantum Leaders – “Create Extraordinary Impact”
Norman, the board needs to monitor the company’s disaster recovery plan. Thanks for your smartphone analogy.
The importance of having a current data storage and recovery plan can only be trumped by having a reliable and reputable outsourced company that can assure that, in an emergency, the company’s operations are secure. This is such an important matter that it cannot be delegated to “IT”. It’s a concern for the CEO and the Board.
Mike, your comment is very timely. The board needs to understand how the company is protecting their data. It needs to be a board agenda item.
After working for years in the disaster recovery software business (including some years with Larry), I can say this article nails the reality that every organization must face regarding their investment in disaster recovery technologies, planning and testing. And if this process isn’t embraced at the highest levels of the organization a level of business continuity exposure will exist that corporate leadership will almost certainly come to regret at some point in the future.
Bill, thanks for your comments. The board needs to have Data Storage and Disaster Recovery as a board agenda item.
Larry – good comments. May I also add the importance of keeping that DR plan up to date and accessible for all parties to get to in case of a disaster? I have seen too many situations over the years where the plans were not tested (or enough) and when it came time to implement, the plan was nowhere to be found. (In other words, putting the plan on a server and having the server crash is not a wise decision).
Jennifer, Thanks for your points about planning and testing. When you are dealing with data you can never over plan or over test. You never know when a DR plan may need to be implemented.
Larry has been involved with data storage and disaster recovery since long before it became popular. I have had the privilege of watching and working with Larry for many years. His background in the field and his general leadership experience combine to make him a very skilled leader and advisor.
Corporate and Transactional Attorney
Mike, thanks for your comments. A board needs seasoned members that have experience in all business areas and it is prudent to have a board director with experience in Data Storage and Disaster Recovery.
You raise some needed questions that all Boards need to address. Additionally, it is important for the Board to have a member that has good experience with technology.
Board accountability should rest, most often, in the Audit Committee or perhaps in a Technology Sub Committee in large boards. If disaster recovery is to be handled internal to the company then all the questions of redundancy, physical location and security, conversion strategy and ROF, periodic testing and accountability need to be answered and made transparent to the Board at least once per year. If a decision is made to outsource then the added questions of provider viability and experience must be answered and benchmarked as well. All of this of course should be viewed in the overall context of a Data/Information Strategy for the company.
Ernie, you’re right on all counts. The question is how many boards understand how important it is, have someone on the board who understands the technology, and have the “Data/Information Strategy” as an agenda item. Thanks for your timely comments.
Great reminder! This topic falls under the ever growing and very important umbrella of corporate Risk Management. For some Boards, this responsibility is absorbed by the Audit Committee. My public company Board Experience has led me to conclude that best practices require Risk Management to be a separate committee of the Board, and it should be populated by independent Board members who have expertise in the process of Risk Management as it relates to a variety of relevant risks, most certainly including the one you have noted in this article and video.
C. James Meese, Jr. | President | Business Development Associates, Inc.
Jim, you make a good point about a separate committee of independent board members being in charge of risk management. Thanks for your comments.
Your blog and expertise are excellent reminders to both boards and management of the need to address the critical areas of data/system disaster prevention, and should it occur, disaster management and recovery.
Rick Kelly | Corporate Directors Group | Professional Director (Advanced)
Rick, thanks for your positive comments.
Larry, your article is of great importance to all companies. Audit committees or full boards really need to understand what management of their companies are doing to make sure that this ever increasing risk is properly addressed.
I would love to hear some comments about how companies are also addressing confidentiality issues in their data storage and retrieval plans – especially not-for-profit companies with strict HIPAA requirements.
Thank you for an excellent outline of the critical issues related to data storage and disaster recovery. Virtually every organization depends upon technology and most are highly dependent. The potential for disaster and loss of data or access to data is truly one of those nightmares that worry me. The concept of a recovery time objective is an excellent application for helping leaders deal with this anxiety and to begin developing plans. I appreciate your work here and value the expertise you have developed born of your own leadership experiences and knowledge.
Jay, I appreciate your comments. These are the types of concerns that keep leaders and directors up at night. Thank you for your comments.
Great starting advice for many smaller companies who are unnecessarily putting their companies at great risk without a disaster recovery plan. Unfortunately, the IT industry has also become so complex that most DR/BC plans today need to consider not only RTO’s (as you’ve pointed out), but also RPO’s, backup windows, failover/replication strategies, virtualization technologies, etc. I think that we’ve scared many businesses into thinking DR/BC plans and tools are too hard or too expensive. As much as I agree with your assessment that we need more IT-savvy board members at companies today, I also believe that the promise of cloud computing, or the provisioning and consumption of IT-as-a-service, is going to transform how Boards think about and protect their critical data assets in the future. Considering that this cloud journey is already underway at many companies today, your 5th Outsourcing Question and advice could be more timely.