Disaster recovery is more than just an “IT issue.” In fact, successful recovery from cyberattacks and other disasters hinges on an approach that integrates business impact assessments (BIA), business continuity planning (BCP), and disaster recovery planning (DRP), including rigorous testing. Without these elements, your recovery efforts could crumble under pressure.
The cost of downtime: More than you think
Downtime can cost an organization an average of $129,300 per hour. However, this figure varies depending on industry and company size. For example, large businesses can lose as much as $357,600 per hour.

Credit: The Business Impact of Downtime Across Operational Segments, IDC, September 2024; IDC IT/OT Convergence Survey, August 2024, n = 1,041
When ransomware strikes (a disaster almost all technology leaders will experience), the disruption can last for days or even weeks. IDC’s June 2024 Future Enterprise Resiliency and Spending Survey, Wave 6, found that approximately 33% of organizations experienced system or data access disruption for one week or more due to ransomware. Almost 80% of organizations experienced an outage of multiple days. The impact from a cost, revenue, and brand perspective can be exceedingly high.
The triumvirate of protection: BIA, BCP, and DRP
To protect your organization effectively, consider the interplay between BIA, BCP, and DRP:
- BIA: A BIA is the cornerstone for prioritizing investments in disaster recovery and business continuity. It identifies your organization’s most critical functions and assesses the potential risks and impacts to income, opportunity, brand, service, mission, and people. A BIA helps to prioritize investment for mitigation and recovery efforts.
- BCP: A BCP focuses on maintaining business functions and services during a disruption. It outlines strategies to ensure operations continue, minimize disruption, and drive preventative measures and contingency plans.
- DRP: A DRP helps in the recovery of IT infrastructure, critical systems, applications, and data. It ensures a rapid response in the aftermath of a disruption.
Cybersecurity recovery failure: A failure of BIA/BCP/DRP
When a cybersecurity incident occurs, the effectiveness of your disaster recovery plan is put to the test. If recovery fails, it usually points to shortcomings in your BIA, BCP, and DRP. It is crucial to recognize that backups alone do not constitute a disaster recovery solution.
In IDC’s 2023 and 2024 CIO Sentiment Surveys, approximately 65% of respondents rated their DR/resiliency maturity as a 4 or 5 on a scale of 1 to 5. This means a majority of respondents rated their DR/resiliency as either “managed” (4) or “optimized” (5) — very good ratings. However, this assessment is seemingly contradicted when looking at how well companies recover from a cyberattack.
In the June 2024 Future Enterprise Resiliency and Spending Survey, Wave 6, 56% of the more than 800 respondents reported major negative impacts when recovering their data following a ransomware attack: they either paid the ransom to recover fully, did not pay and only partially recovered, or (worse yet) paid and still only partially recovered. Given that 56% suffered significant impacts, one could argue that organizations’ self-reported DR/resiliency maturity was overestimated: organizations were not honest with themselves, were not testing their solutions effectively, or both. (See also: How resilient CIOs future-proof to mitigate risks.)
Prioritizing investments: Where and how much?
Most organizations do not have the resources (money, time, people) to protect everything equally. Prioritization should be driven by business priorities: a clear understanding of the potential impact on the organization’s business, mission, and goals, and of the likelihood of different disaster scenarios.
Use the BIA to determine the potential impact on income, opportunity, brand, service, mission, and people. Then, assess the risk likelihood versus impact. Finally, consider the solution cost, including technology investments for disaster recovery and organizational impacts and mitigation costs for business continuity.
When considering solutions, resist the urge to overengineer. Many organizations spend more than required on instant or full recovery when a more limited recovery would allow more cost-effective solutions and free the saved funds for use elsewhere. For example, one IDC client had extremely aggressive recovery point and recovery time objectives for its payroll system. Upon examination, it was determined that instead of meeting such aggressive objectives, the company could re-run its previous payroll and then true up after full recovery. This solution meant the company had to conduct staff training and create manual processes and runbooks (a business continuity solution). Still, the change to its recovery objectives saved $1 million annually (which was applied to other parts of its DR/BCP program).
This diligence results in a decision matrix that balances investment, value, and risk.

Credit: IDC, 2025
Not everything can be protected, so focus on what matters most, but don’t forget dependencies: a critical system may require the support of a system that is, on paper, not critical. Map the web of interdependencies among systems to identify the actual risk and impact.
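As an added illustration (not from the article or from IDC), the prioritization and dependency-mapping steps above can be expressed as a small decision matrix: each system gets a BIA impact score and a likelihood score, and a system inherits the tightest recovery time objective (RTO) of anything that depends on it, so a “not critical” dependency surfaces. The system names, scores and RTOs below are constructed, and the 1 to 5 scoring scale is an assumption.

```python
from __future__ import annotations
from dataclasses import dataclass, field

@dataclass
class System:
    name: str
    impact: int            # BIA impact score, 1 (minor) .. 5 (severe); assumed scale
    likelihood: int        # likelihood of the disruption scenario, 1 .. 5; assumed scale
    rto_hours: float       # recovery time objective the business owner asked for
    depends_on: list[str] = field(default_factory=list)

def effective_rto(systems: dict[str, System]) -> dict[str, float]:
    """Tightest RTO each system must actually meet once every system that
    depends on it (directly or transitively) is taken into account."""
    dependents: dict[str, list[str]] = {n: [] for n in systems}
    for s in systems.values():
        for dep in s.depends_on:
            dependents[dep].append(s.name)
    result: dict[str, float] = {}
    for name, system in systems.items():
        tightest, stack, seen = system.rto_hours, list(dependents[name]), {name}
        while stack:                     # walk transitive dependents; 'seen' guards cycles
            cur = stack.pop()
            if cur in seen:
                continue
            seen.add(cur)
            tightest = min(tightest, systems[cur].rto_hours)
            stack.extend(dependents[cur])
        result[name] = tightest
    return result

def decision_matrix(systems: dict[str, System]) -> list[dict]:
    """Rank systems by risk (impact x likelihood) and flag those whose effective
    RTO is tighter than requested: a dependency the BIA under-prioritised."""
    rtos = effective_rto(systems)
    rows = [{"system": s.name, "risk": s.impact * s.likelihood,
             "requested_rto_h": s.rto_hours, "effective_rto_h": rtos[s.name],
             "inherited": rtos[s.name] < s.rto_hours} for s in systems.values()]
    return sorted(rows, key=lambda r: (-r["risk"], r["effective_rto_h"]))

# Constructed sample inventory: hypothetical names and scores, not from the article.
SAMPLE = {s.name: s for s in [
    System("payroll", impact=4, likelihood=3, rto_hours=48, depends_on=["identity", "hr_db"]),
    System("hr_db", impact=3, likelihood=2, rto_hours=72),
    System("identity", impact=2, likelihood=3, rto_hours=168),  # "not critical" on paper
    System("intranet_wiki", impact=1, likelihood=4, rto_hours=336, depends_on=["identity"]),
]}
if __name__ == "__main__":
    for row in decision_matrix(SAMPLE):
        print(row)
```

In the sample, the identity service is requested at a 168-hour RTO but inherits payroll’s 48 hours, which is exactly the hidden dependency the BIA needs to surface before investment is allocated.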
The role of testing: Validate and revise
Regular testing is essential to validate your DR/BC plan and guide revisions. Without testing, organizations cannot honestly assess whether their resiliency strategies will work, or how well.
Testing should involve the key players responsible for response and recovery, not just the IT department. These parties may include legal, crisis management, LOB directors, the business leadership team, communications, and others.
Business continuity resources should be engaged for tabletop and working tests to ensure complete communication processes, documentation, resiliency plans, and stakeholder engagement are aligned with mitigating the impact and accelerating recovery. Testing should involve not just recovery of IT systems, but mitigation of impacts on staff work (e.g., where staff would work, how they would receive communications, acceptable levels of performance during recovery, order of recovery, etc.). This would include communications plans, alternative working locations, mapping resources to services, defining roles in response, and providing runbooks for disaster scenarios and their business continuity impacts.
Stakeholder alignment: Who is responsible?
IDC’s January 2023 report titled IDC PlanScape: Disaster Recovery Testing for On-Premises, Hybrid Cloud, Multicloud, and DRaaS Models indicated that successful DR/BCP testing requires clear roles and responsibilities across the organization and that tests should include both DR (technical) and BC (business) risks and mitigations. Key roles involved are:
Executive management
- CEO: Ensures testing is an executive priority, including business continuity; identifies key executive stakeholders to support and engage with testing
- CFO: Approves financial expenditures for testing and ensures cost-effective implementation
- Chief risk officer (CRO): Identifies and mitigates risks that could threaten the organization; ensures compliance with relevant regulations
- Chief compliance officer (CCO): Ensures compliance with all relevant standards, policies, practices, and legal requirements
Line of business (LOB)
- SVP, EVP, GM, etc.: Participate in testing advisory and oversight roles; ensure business units consider contingencies and evaluate testing outcomes
- LOB VPs, directors, managers: Co-develop test plans, create and distribute runbooks, drive training, and provide feedback on testing
IT
- CIO: Acts as the primary coordinator, working with IT, executives, and LOB management; ensures people, processes, and technology are addressed across the organization for DR and BC testing
- VPs and directors: Ensure the necessary technological foundation for a successful DR test; lead the development of test strategies
- IT managers: Ensure testing methods meet enterprise standards for security and robustness
Key takeaways
Disaster recovery is only part of the equation — business continuity planning is essential to ensure resilience. A business impact assessment helps prioritize investments effectively, focusing on what matters most rather than attempting to protect everything. Aligning stakeholders on mitigation strategies is crucial, and consistent testing is key to long-term success. It’s important to avoid overengineering solutions and recognize that backups alone do not constitute a disaster recovery plan. Most importantly, disaster recovery is not just an IT issue — it requires a broader organizational approach. (See also: 14 things keeping IT leaders up at night.)
Daniel Saroff is group vice president of consulting and research at IDC, where he is a senior practitioner in the end-user consulting practice.
Original article: Is your disaster recovery a house of cards? Why BIA, BCP, and DRP are your foundation