Lessons about the after-effects on IT systems from September 11 have apparently failed to resonate with about half of Australia's companies which still have no disaster recovery plans in place.
Graham Penn, research director, Asia-Pacific storage for IDC Australia, said about 40 to 60 per cent of Australian sites "still have not done very much" about disaster recovery.
"There is a greater awareness of the issues post-September 11. However, a lot of organisations don't know where to start and their decision cycle is very long."
Penn said there are many proposals in the marketplace at the moment; even for companies that had decided in September that a disaster recovery plan was critical, plans would only now be passing through the approval stage.
"It will be another three months before anything is put in. It will not be until July or August that these companies have something in place."
This state of non-activity is not "inconsistent" with a recent Compass survey of 1000 mid-range Unix data centres in large US organisations, which revealed only 25 per cent have any type of disaster recovery plan in place.
Moreover, one-third of those mid-range environments that did have a recovery plan had never tested it.
Compass said it estimates that in the event of a disaster, only 15 per cent of mid-range data centres would be able to recover more than 30 per cent of their applications in any time frame; 3.8 per cent could recover their applications within the same day and 2.5 per cent could recover within four hours.
For companies that are yet to formulate a plan, Compass analysts Doran Boroski and Carl Pitasi warn contingencies to protect IT components will prove futile in a true catastrophe; disaster recovery plans should focus on people and processes.
To be blunt, Boroski and Pitasi said, in the event of a true diaster, individuals with the most knowledge of IT operations will not be there to assist in the recovery.
As such, a test of an organisation's diaster recovery should primarily be a test of documentation and an organisation's knowledge management capabilities.
"An effective disaster recovery plan protects the business and how it functions [plans] must be thoroughly and regularly tested and must exclude the participation of key personnel," Boroski and Pitasi said in their white paper, People and Processes, Not Platforms: Considerations in Disaster Recovery Planning.
The authors also warn against protecting against mainframe data centres whilst overlooking mid-range, client/server and PC environments.
"A backed-up mainframe storing critical applications and customer information is irrelevant if the client/server-based frontend that accesses that data centre is down and unrecoverable."
In light of these findings, Boroski and Pitasi said for organisations with absolutely no room for disaster recovery error, running live on back-up facilities once or twice a year is a best practice, despite the expense involved.
"For other organisations, running back-up operations in parallel provides a valuable benchmark."