Nearly 100 percent of financial organizations have a documented DR plan

It’s true—according to Flexential’s Financial Services and IT Study: Tackling the digital transformation, 96 percent of financial organizations have a documented disaster recovery (DR) plan. The vast majority also use a considerable array of DR tools, and make a significant investment in DR overall.

  • 86 percent replicate data
  • 85 percent execute backups
  • 68 percent have active-active designs

It’s not surprising that 96 percent said they have a plan—because they’re required to. The financial sector is a heavily regulated industry, and a single transaction is literally worth millions of dollars. In a perfect world, every business would have a formal DR plan, but in the financial sector, there is no acceptable alternative.

Simultaneously, a solitary industry is faced with complex and demanding government regulations, processing and storing highly sensitive and valuable financial information, and avoiding negative impacts of potential cybersecurity attacks—all of which require a robust, tested DR plan. The financial sector can’t afford to lose its data.

Why is DR so impactful in finance?

Considering the demands of government regulations and staying on top of cybersecurity, a considerable amount of resources are dedicated to DR in the financial industry. The industry-wide adoption of digitalization has added many additional applications and systems, which means more necessary protection measures. Uptime and availability are key to the day-to-day operations of finance, which also makes DR critical. Banks and insurance companies alike have to guarantee that if a problem brings down one environment, customer portals and applications are not negatively impacted.

Testing: Annually is not enough

  • 63 percent test once per year or less
  • 27 percent test quarterly
  • 6 percent test once per month or more

It’s interesting to note that while financial organizations take DR programs very seriously and seem to testing consistently, they aren’t necessarily testing enough, especially considering the critical nature of their data, applications and systems overall. At the same time, about one-quarter of the organizations who do execute testing usually uncover problems or gaps, which begs the question: how many untested environments operate with glitches?

Here’s where a potential problem comes in: banks focus primarily on making sure that financial applications are operational, mostly likely because those are the applications the government has requirements for, plus their absence will cause the greatest damage from a customer perspective. While mission-critical applications are a priority, there are other applications, which will not likely come up and run efficiently due to a lack of testing. When testing is conducted, many banks leave out applications that don’t fall under the tier 1 category entirely. However, ideally, DR testing should address the depths of all applications running in banking environments; even the ones that aren’t necessarily indispensable to business.

Prioritization could be a key improvement. Preserving the main revenue driver remains the primary concern, but categorizing ancillary applications as generally less important and not actually assigning tiers is a mistake—this is where financial institutions should take a closer look. If disaster does strike, while mission-critical applications are up and running, the rest of business is scattering trying to figure out how to take care of other objectives that are based in business continuity and not technology. Financial institutions do stellar with their critical applications, but to avoid scrambling, scrutinizing their entire environments is key for a fully healthy DR practice.

DR distinctions

It’s clear that the financial sector places particular emphasis on its DR practices. So, what makes this industry unique in the realm of DR? Two factors:

  1. Speed
  2. As mentioned, in finance, one transaction can be worth millions of dollars. Financial institutions want to know how quickly they can make transactions, and if they can be captured even in DR. Replication technologies with synchronous, nearby copies, as well as asynchronous remote copies, are common practices. If something happens to the main compute capability, they’ve already synchronously copied so that a write won’t complete until it copies to the second set of data. That way, the business will never lose both at once, or a single transaction.
  3. Latency
  4. Consider trading firms. Prices change quickly, so the faster a firm can make a transaction, the better the price they’re hoping they’ll get. One of the most important things for them is potential latency—it’s as important as the transaction itself. When you look at financial organizations’ DR plans, DR locations are typically not very far from the hub of the financial district because of the latency they’re trying to minimize.

To cloud, or not to cloud?

Another common piece of feedback from IT decision makers was the perception that cloud providers don’t have the ability to provide the same level of uptime financial institutions are capable of providing for themselves. This is what is keeping financial organizations from using the cloud for DR practices. They tend not to trust environments that aren’t on-premise and managed by employees.

“A cloud provider will never provide the amount of uptime that I can on-prem. I would rather spend millions of dollars and have my own prem. The data center we have hasn’t been down for 15 years. If a cloud provider would give the level of uptime and security that we need, then we would seriously consider cloud. They are just not there; they weren’t there 5 years ago.” – Director of Technology Services at US investment bank

The general hesitation seems to stem from two major factors:

  1. Performance concerns
  2. When you talk to most C-level executives about cloud, they aren’t thinking about hosted private cloud. They’re predominantly thinking about a public cloud, or a shared infrastructure with no performance control due to other customers using the same compute.
  3. Security
  4. Security fears are a major blockade to the cloud. Most decision makers express concerns for lack of proper security to guarantee that data isn’t accessed by another customer sharing the same environment. They want assurance that their data is absolutely segregated.

The resolution to the fear is in looking closely at where cloud is going. Today, it offers options for individual environments, with no one else sharing the infrastructure. The advantage to virtualization and cloud is the ability to transition or scale compute resources relatively easily. For example, if suddenly, you have trouble with a VM, you can bring up another instance of the VM. In contrast, in the physical world, if you have trouble with a server, you have to fail over to another server and do more work than using virtualization infrastructure to automatically move it.

Hybrid and hosted private clouds have become viable solutions by eliminating shared infrastructure. Banks and insurance companies physically segregate freely, while still taking advantage of virtualization features that deliver flexibility. These capabilities are ideal for hosting DR environments while maximizing resources and increasing efficiencies.

Recommendations for financial CIOs and CTOs

Financial IT decision makers should know that the cloud environment has changed drastically, and evaluating it has become a viable option. Performance is much better, and a lot of the applications that didn’t used to run efficiently do now. Most financial applications run well in the right type of cloud environment, so carefully considering performance and security characteristics that are available today will make a tremendous difference in the decision making process. If a bank’s primary environment runs on-premise, a secondary site for DR scenarios will work well in the cloud and eliminates potential impact from a disaster event that could affect all physical locations.

Additionally, it’s not uncommon for IT teams to want physical and visual access to equipment—this was previously a major hesitation even for colocation. However, reputable cloud providers typically have stringent security controls around environments, both physical and nonphysical, which is another tremendous change to the cloud. Considering this aspect and touring cloud providers’ data centers will give decision makers a firsthand experience of the changes that have taken place since the inception of the cloud. Most data center providers will allow customer access so that your team can be physically present to implement changes themselves.

At Flexential, we’ve helped a number of financial organizations build – and test – their DR strategies. Our experts are available to help you implement these best practices in your organization. Contact us today at