A properly designed and tested disaster recovery system is a piece of business insurance few companies can afford to do without.
In fact, corporations may be risking their future if they don’t have a plan in place in the event of a crisis, according to analysts at Gartner Inc.
In a Gartner brief issued last month following the Sept. 11 attacks in the U.S., analysts cautioned that enterprises “must begin preparing for the possibility…of further such attacks.”
Without recovery services in place, it predicts two out of five enterprises that experience a disaster such as the World Trade Center attacks will go out of business within five years.
And while many companies in the World Trade Center had disaster recovery plans in place and were able to relocate their businesses even partially, offsite, not all were prepared. That has prompted many to revisit the idea of planning for the unknown.
“I think the amount of concern and consideration being given to the whole emergency response and business continuity planning area has increased significantly,” said Heather Tomalty, principal with Ottawa-based DMR Consulting. “It’s unfortunate that it’s only through tragic incidents, whether it be terrorism or man-made such as fire or even natural disasters, that companies suddenly feel vulnerable or exposed.”
Planning for unforeseen events should apply to everyone, she said. “Whether it is achieved through offline storage offsite that they would have to recover completely, or they actually have it immediately mirrored in another location.”
Even the smallest business with one PC should have a regular back up in their safety deposit box, right up to the very large companies which would probably invest in full immediate redundancy of data.
If a disaster recovery plan just became task No. 1 on your to-do list, Tomalty suggests dusting off that old Y2K plan and leveraging everything done in preparation for what ended up being a non-event.
“Everybody who was dealing with the year 2000 took some measures to prepare for a crisis that didn’t happen. But that had a lot to do with how well people planned and prepared in advance. If you haven’t been maintaining the material you gathered for the year 2000, resurrect it because it’s invaluable as a starting point,” said Tomalty.
Building on the Y2K plan, Tomalty said companies should reassess what is considered the critical business functions in the organization.
“This is all about making sure the business can continue, maybe not in terms of normal business, but what is the minimum function that must be supported in what time frame and make that clear right from the CEO on down,” she said.
A recovery plan must also cover the entire organization, ensuring all departments would be able to function, in some respect following an incident.
“A disaster recovery plan has often been used in the IT realm, but it is part of a whole business continuity planning perspective — your business units would have disaster recovery plans as well,” she said.
When it comes to approving investment in a disaster recovery plan, companies typically have different perspectives. Some will perceive it as dollars spent with little chance of a tangible ROI, while others recognize it’s just a standard part of the operations they must improve on.
Some industries, such as banks and insurance companies are bound by legislation to ensure continuous service can occur.
Of particular concern are organizations dealing with hazardous materials or manufacturing that need to ensure they have the appropriate measures in place to prevent and mitigate any types of risk and to manage their on-going operations.
Equally critical to business now is the shareholder view of the responsibility of the executive to ensure that the appropriate measures are in place to accommodate disaster situations.
“It’s a very volatile environment out there for companies and anything that happens gets immediate visibility,” she said “If they’re not being seen as handling it appropriately or they did not take appropriate measures then their company suffers financially and credibility-wise. You name it, they’re going to find they are in the hot seat.”
Once a plan is in place, Tomalty stressed the importance of testing it to make sure it will deliver.
“It’s a paper weight if you don’t test it at some level,” she said. “This doesn’t mean full simulations, but if you don’t go through a certain level of testing and verification by all the key parties you will be scrambling a lot more if they are not aware of what is in place or how others would have preferred it be handled.”