Budgeting for Disaster
As the year winds to a close, thoughts are turning to the coming holidays: turkey, pies, snow shoveling, and perhaps a new budget. So how exactly does one plan for the unexpected, or budget for disasters?
By definition disasters are very bad: bad enough that we should be insured against them. Assuming that we are insured against most disasters, we're going to downgrade this discussion to mere emergencies. Specifically, we'll be focusing on those nasty little incidents that fall into that gray area between "AHHHH!!" and "doh!".
This might be a network server going down, a critical file being corrupted, a virus getting loose in the network, a lost backup tape with patient records, or even a court-ordered e-discovery request. The common threads among all of these incidents are 1) they are unexpected, 2) they involve the technologies we use to run our organizations, and 3) they have the potential to disrupt our operations and cost thousands, or even tens of thousands, of dollars. In these situations, costs can be incurred for replacement hardware, consulting fees, legal fees, lost information, lost productivity, lost opportunities, lost reputation, or all of the above.
So how does one budget for this type of technology emergency? For the emergency itself, most organizations plan on using available funds or accessing a line of credit, but the mitigation measures used to reduce the risk of these emergencies should be planned for and adequately funded.
Specifically, most organizations should plan on regular recurring expenses for routine maintenance, data backup (offsite services and software support), hardware warranties, subscriptions for anti-malware and security services, user training (to reduce costly mistakes), and computer obsolescence/replacement.
Capital expenditures should be budgeted to upgrade server/device hardware as it becomes obsolete or falls out of warranty, as your organization expands, or as you invest in new technologies.