In-Depth

Disaster Recovery Planning Lags

How long is the DR-related outage you budget for? A few days -- a week -- or longer?

• By Stephen Swoyer
• 02/19/2008

If you're a mainframe shop, chances are that business continuity (BC) and disaster recovery (DR) planning are second nature to you: you've been doing both for years, and -- while 9/11 might have changed some things -- you've adapted your BC and DR plans accordingly.

How long of a disaster-related outage are you planning for? A few days at the most? Or does your BC or DR plan allow for outages of a week or longer?

''According to market watcher Gartner Inc., few organizations expect their longest BC- or DR-related outage to exceed seven days. According to Gartner survey data, in fact, 60 percent of U.S., U.K., and Canadian IT organizations are banking on that seven-days-or-less number. That's a mistake, the market researcher claims.

"The fact that most organizations plan for an outage that lasts up to seven days indicates a huge hole in those organizations' ability to sustain business operations if a regional disaster strikes," said Roberta Witty, research vice president at Gartner. "The impact of a disaster that lasts more than one week can have enormous negative impact on revenue, reputation, and brand. Regional incidents, terrorism, service provider outages, and pandemics can easily last longer than seven days. Therefore, enterprises must be prepared. More mature BCM/DR programs plan for outages of at least 30 days."

Gartner didn't just pull those conclusions out of its analytical hat. It surveyed 359 information security and risk management pros in the U.S., Canada, and the U.K. The results were sobering. Surprisingly, not all organizations have BC or DR plans in place: according to the Gartner survey, 77 percent have a plan for a power outage or fire, while 72 percent have a plan for a natural disaster, such as a flood or hurricane. What's more, Gartner indicates, at least half have developed BC or DR plans for IT outages, virus-related downtime, terrorist incidents, or failure on the part of one or more service providers.

The latter is a crucial consideration, Gartner says.

"With the growing use of third-party service providers to conduct mission-critical business functions, organizations that don't plan for this type of business outage can find themselves in a tough position in the event that this scenario becomes a reality," Witty indicates.

Elsewhere, Gartner finds, most BCM/DR plans are for a single facility outage; planning for regional disasters actually dropped in priority over the last two years. The research found, however, that organizations are now taking pandemic planning warnings more seriously (29 percent last year versus just 8 percent in 2005) -- owing, most likely, to mounting concern about the H15N bird flu virus.

Organizations are also more likely to establish and maintain dedicated crisis management teams: 37 percent of organizations use a physical crisis command center to coordinate emergencies (e.g., a local hotel room or conference room), while 31 percent of companies have established virtual command centers so that traveling or off-site personnel can participate in incident management.

While having a plan is the sine qua non of BC or DR planning, it's just a start. Gartner and other experts urge organizations to routinely test their BC or DR planning in order to fine-tune -- and improve -- their BC and DR efforts. In spite of such warnings, however, comparatively few organizations are actually doing it: just over one-quarter (28 percent) of organizations reported that their last DR exercise went well and met all their service targets, while 61 percent said that they had had problems with their BC or DR exercises.

"Enterprises with the best BCM and DR practices have a corporate culture that values availability and an understanding of the costs (in terms of the financial and reputation implications) associated with business process outages," Witty said. "These enterprises also realize that following a well-defined process when disaster strikes is significantly better than trying to respond to an incident in crisis mode without the benefit of planning, coordination and testing, which helps minimize downtime and costs."