Most Organizations Not Prepared for a Business Outage Lasting Longer than Seven Days
Friday, 11 January 2008
Business continuity management (BCM) and disaster recovery (DR) programs are getting better, however, work still needs to be done to increase the quality and maturity of BCM/DR programs. According to a Gartner Inc. survey of 359 information security and risk management professionals from the US, UK, and Canada, nearly 60 percent of organizations only plan for their longest outage to be seven days.
"The fact that most organizations plan for an outage that lasts up to seven days indicates a huge hole in those organizations’ ability to sustain business operations if a regional disaster strikes," said Roberta Witty, research vice president at Gartner. "The impact of a disaster that lasts more than one week can have enormous negative impact on revenue, reputation and brand. Regional incidents, terrorism, service provider outages and pandemics can easily last longer than seven days. Therefore, enterprises must be prepared. More mature BCM/DR programs plan for outages of at least 30 days.
When planning for specific types of disaster scenarios, 77 percent of companies have a plan for a power outage or fire, and 72 percent have a plan for a natural disaster, such as a flood or hurricane. At least half the companies surveyed also have plans for IT outages, computer-virus attacks, terrorism and key service providers’ failure.
"With the growing use of third-party service providers to conduct mission-critical business functions, organizations that don’t plan for this type of business outage can find themselves in a tough position in the event that this scenario becomes a reality," said Witty.
Most BCM/DR plans are for a single facility outage, and planning for regional disasters has dropped in priority during the past couple of years. Organizations are, however, taking pandemic planning warnings more seriously than in the past (29 percent in 2007 vs. 8 percent in 2005).
With the growing awareness that continuing business operations after a disaster requires a lot of planning, organizations are also realizing that the approach to best manage an incident is to have a dedicated group of people on a crisis management team.
A total of 37 percent of organizations use a physical crisis command center to coordinate emergencies, such as a local hotel room or conference room. However, understanding that many disasters happen when employees are not in one place, 31 percent of companies have established a virtual command center so that traveling or off-site personnel can be included in the management of an incident.
Conducting a business impact analysis (BIA) is the most critical process in the development of a DR strategy and associated plans because it provides the business requirements used to develop the plan. Exercising (formerly called testing) on a regular basis is the second most-critical component of a BCM program.
Having a plan is only a fraction of the maturity of the BCM/DR process. Knowing that the plan works during an actual emergency is key to a business's survival. A total of 28 percent of organizations reported that their last DR exercise went well and met all their service targets.
However, 61 percent of survey participants reported that they had problems with the exercise, which should not give any organization a good sense of security that their DR program will meet the business recovery needs when a crisis strikes.
"Enterprises with the best BCM and DR practices have a corporate culture that values availability and an understanding of the costs (in terms of the financial and reputation implications) associated with business process outages," said Witty. "These enterprises also realize that following a well-defined process when disaster strikes is significantly better than trying to respond to an incident in crisis mode without the benefit of planning, coordination and testing, which helps minimize downtime and costs."
More information on BCM/DR plans and strategies will be presented at the inaugural Gartner Business Continuity Management Summit taking place March 5-7, 2008 at the Sheraton Chicago Hotel & Towers in Chicago. The Summit will focus on the key trends, best practices, technologies and services needed to develop and implement a risk-based strategy and framework for ensuring an organization's recovery from various types of business and IT disasters and interruptions.