While "business continuity" is a growing concern among top corporate executives, a lot of them seem unwilling to back that concern with spending on appropriate resources.
As many as 33 per cent of 117 Fortune 1000 C-level executives polled by a recent survey don't expect their companies to increase IT spending on business continuity measures. And this is though an overwhelming majority - 88 per cent - claims business continuity is a big concern.
Beacon Technology Partners, conducted the online survey for SunGard Availability Services, a provider of information availability and business continuity software and services.
"[Companies] are clearly motivated towards...maintaining uninterrupted access to the systems that run their business," said Jim Simmons, group CEO, SunGard Availability Services. "Yet, they are still lagging behind in making the resource investments needed to help make this goal a reality."
Seventy-three per cent of the executives surveyed expressed concern about the costs -- and dual redundancy requirements -- associated with maintaining a secondary data center.
Simmons said the research results represent a "fundamental gap" in the strategy businesses adopt to ensure information availability.
According to the study, leading causes of disruption over the past year included power outages, viruses and security breaches, telecommunications breakdowns and hardware failures.
While more than 66 per cent of the companies surveyed rated themselves a 'B' or higher in terms of their organization's ability to access business-critical information quickly after a disaster, 61.5 per cent said their company actually experienced service disruption in the past year.
"Even a company that grades itself an 'A' is vulnerable if one step in a ten-step process fails and causes an unplanned disruption to a company's entire set of technology services," said Simmons. He said the only correct answer to score a passing grade is a strategy that keeps information always secure and available, even under the most challenging circumstances.
When it comes to disaster recovery planning, the most successful CIOs and IT managers are the ones that say they are well-aligned with their company's business strategies, according to John Sloan, senior research analyst at Info-Tech Research.
One of the most effective ways of planning disaster recovery is regular risk assessment and scenario-based testing, where managers are constantly asking all possible 'what-if' questions.
"Fear and insecurity are great motivators. There is always renewed interest in disaster recovery planning after a disaster, even if it doesn't occur to you directly," said Sloan. The challenge, he said, is keeping the interest level up, even when there is no disruption.
Each disaster that happens poses scenarios that can help companies assess their business continuity strategies.
A good example was the SARS crisis in Toronto, said the analyst. "SARS raised another scenario, 'What if everything is working fine, but no one can come to work?' People who had an effective disaster recovery process should have taken that back to the table for the next planning cycle."
In another survey of 307 CIOs Mass.-based CIO Executive Council, one in five said their companies do not have a formal disaster recovery program in place for their organization.
Of the 76 per cent that said they do have such a plan, only three per cent are conducting quarterly testing of IT recovery plans, 15 per cent perform testing twice a year, and 42 per cent conduct annual testing.
Iain Anderson, client director, EMC Consulting Canada, said annual testing of disaster recovery contingency is simply not enough. He said because testing can be disruptive to normal business operations, most companies perform tests during the weekend or when it is less busy, "which means that true transaction load is not being tested."
Although it can cause disruption, Anderson said testing should be done at least once every quarter. "An ideal DR [test] would be that on a [given] day, a manager would walk into a data center and turn the equipment off. You call it a disaster from that point and you execute your disaster recovery plan. That would more closely resemble what an actual disaster would look like."
Organizations might be hesitant to invest a lot in disaster recovery because most of them have not been through an actual disaster, said Anderson. Except in certain industries that are data or transaction intensive -- such as banking and telecommunications, which tend to spend more on business continuity planning -- most businesses feel there may be little value in disaster recovery investments.
Quite often, businesses don't have a good grasp of the financial, economic and legal consequences if, suddenly, a vital business application becomes unavailable, said Anderson.
"Do you realize that if your trading application, or online banking application, or Web application is down for an extended period, the impact in terms financial and economic losses and legal (implication) is high?"
In determining disaster preparedness, companies must first engage in impact and risk assessment, which would usually drive them to develop a disaster recovery strategy, said Anderson.
An important step, he said, is negotiating and agreeing on proper service levels between the business owners and the IT people that run the business applications.
These agreements should specify the recovery objective in the event of a disaster, and cover the creation of adequate infrastructure to meet those recovery objectives, he said.