For companies not deemed to be part of the critical infrastructure, the hardest part is identifying what should be in the plan and where to commit the dollars.
Regardless of industry, IDC analyst Megan Dahlgren says all good disaster recovery or business continuity plans begin with an actual business plan. "The main issue for business continuity is that the expense is infinite; in other words it would be the IT budget times two plus the telecommunication costs for replication over fibre - generally a company cannot afford that unless it is mandated by the government," Dahlgren said.
"For example, some plans state that if the power goes out then turn it back on, or call the telephone company when the telephone is out - a better idea is to have a plan that states if phone goes out call the account manager at the telephone provider using a specific mobile phone - that is a business continuity plan.
"The business plan needs to be addressed by a consortium of stakeholders right across the organization and what you need to do is get a lawyer, risk officer or financial controller, CFO, MD and the IT department to get together and understand the critical business processes in the organization and what IT systems and applications support those critical business processes. You ultimately need a high-level, one- or two-page document that spells out the strategy for disaster recovery or business continuity and how it relates to the business."
Before any disaster, Dahlgren said, companies should know how to quantify the potential loss of trading, in hard currency terms as well as its soft value.
"The business must understand if the system is down for a period of time then it will cost the business 'X' in terms of dollars, or use a soft matrix like customer satisfaction, to get the recovery time objective," she said.
Put simply, putting a plan together isn't easy, which may explain why so many companies do very little.
The 2004 IDC Continuum Report, which researched the business continuity and disaster recovery plans for 131 companies in Australia and New Zealand, found that a whopping 19 percent of companies in Australia have no disaster recovery plan.
A further 44 percent had only one disaster recovery measure in place while 18 percent had three or four measures in place.
For those companies without plans, KPMG business continuity practice partner Peter McNally says they have taken their eye off the ball because it should be part of the day-to-day running of the business.
"It is fine to think you work in a bombproof building with the best disaster recovery plans in place, but there are other protection issues that cause interruption, like letting malicious code into your environment," McNally said.
"The very first thing you need to do for a disaster recovery plan is look at the things preventing a disaster in the first place - an upfront risk assessment finds the critical or weakest points which can then be assessed and strengthened. For IT, this means looking at the design of the network, the location of equipment, identifying where you are less likely to have single points of failure."
Moreover, a good plan should be continually tested. It is of little value if it doesn't actually work when it is supposed to.
KPMG risk management associate director Rob Goldberg said testing should demonstrate business resilience to unexpected events.
"A firm needs to focus on DR and not be reactive to just one event - a lot of focus has been on preparing for highly unlikely events with a high impact," Goldberg said.
"The decisions of how to architect a disaster recovery plan should be driven by the prioritization of assets that support the business - the reality is industry is struggling with the basics but also more importantly disaster recovery is related to business continuity but it is not the same."
And putting these plans in place is very much a team effort.
According to an IT manager at a global logistics firm, who requested anonymity, a disaster recovery or risk management plan should be developed by heads of the individual business units, not by the IT department alone.
The nature of business continuity and risk management is universally appropriate to each individual unit, which has different concerns and priorities, he said.
"A disaster recovery plan should be driven by the business with the ability to change and be as flexible as the overall business model, and anything understood to have a high revenue impact should be looked at regularly," he said.
"In our space there are few applications that are as heavily relied on as e-mail, which makes the mail server a number-one priority.
"Other servers that look after freight management, which is our bread and butter, have to be alive otherwise the company does not generate any revenue so disaster recovery or business continuity all relate to what generates the highest revenue," he said.
"The type of disaster recovery or business continuity we look at regularly comes down to whether something (an application or hardware to run it) can be built, tested and deployed in a hurry or pre-built, waiting for something to happen. If it generates high revenue an exact backup would be waiting for us, but you have to take into consideration the cost of that real estate, the resources to [run it], your internal inventory and the physical time it takes."
He said backing up to tape held offsite is a mandatory procedure, which occurs nearly every day. "This seriously mitigates the potential of lost and irretrievable data in a worst-case scenario," he added.
"Our data is also stored quite a distance away and we know it can be turned around to us within an hour. Everything in Sydney is an hour away - we just make a phone call and it [stored tapes] gets delivered back to us."
"We concentrate on our business continuity plans all the time - we don't know if we have the appropriate disaster recovery plans at the moment but it is [mentioned] all the time."
In other words it is top of mind. For a plan to be effective it cannot just sit in a top drawer left to collect dust.
It has to be tried and tested regularly so that when a disaster does occur, it works.