We have found that a majority of DR Offices do not have a formalized process to identify what applications they should exercise and what applications do not require regular exercises to be conducted. At times, its the flip of a coin or someone in management who decides it would be nice to test this or that. At MHA, we have taken the approach to consider two key factors in determining what to exercise:
- Business Impact Analysis (BIA) Recovery Time Objective (RTO)
- Recovery Demand (RD)
Exercising applications with a critical BIA RTO and high RD score are easily defensible to management. It is the less obvious values that will require management decisions as to what levels they deem acceptable.
Step 1: utilize the Business Impact Analysis Recovery RTO level assigned to each application.
Step 2: in conjunction with the application manager calculate RD for the application; apply scoring from 0 to 3 (Low to High) based on RD for each category (e.g., Hardware and Data Storage, Integration / Dependencies, Personnel).
Step 3: matrices BIA and RD, in conjunction with management determine the exercise threshold for the individual application.
Applications with Recovery Demand scores that are shaded should be exercised on a regularly scheduled basis. Applications with Recovery Demand scores not in the shaded area do not need to be tested on a regularly scheduled basis.