Disaster Preparedness Taking a Back Seat
By Jodi Mardesich
Only a few years ago, news headlines were enough to frighten most organizations into undertaking disaster preparedness and business continuity plans.
The September 11, 2001 terrorist attacks on the World Trade Center, the European floods of 2005, the Asian tsunami and Hurricane Katrina -- among other disasters -- were great motivators to be prepared in order to prevent disruptions in business, avoid liability for disruptions, or worse. Experts say that having a disaster preparedness plan, establishing a backup recovery site for getting back online rapidly and testing the plan at the site are crucial to maintaining business continuity in the event of a disaster. Yet many enterprises operate without sufficient preparedness.
According to a survey by Forrester Research, about 27% of enterprises don't have a recovery site to switch over to, 23% never test their disaster recovery plans and 40% test their plans only once per year. A recent AT&T study, meanwhile, found that 30% of IT managers don't see business continuity planning as a priority and 25% don't even have a plan.
Some IT executives believe the risk of experiencing a disaster is small. According to the AT&T study, only 24% of companies have experienced a disaster. The most common disasters are blackouts (11%), hurricanes (6%), cyber attacks (5%), floods (5%) and extreme weather or snow (5%). Because other matters take priority, some companies consider the risk of experiencing a natural disaster to be slight.
But as companies span regions and countries, that risk grows greater.
"In an enterprise, a disaster is very likely," says Rob Enderle, principal analyst with the Enderle Group. "The enterprise crosses geographies, and while the incidence of disaster is slight locally, when the entire world is factored in, a major problem is not only certain, it is a recurring event."
How to succeed with disaster preparedness
CIOs who are convinced of the necessity of having a disaster preparedness plan, but who still don't have enough support for it from the CEO, should take the following steps to ensure the success of their plans:
1. Perform a risk assessment
The easiest way to convince an executive that you need to fund a disaster preparedness plan is to do a full risk assessment of the likely disasters that might be faced and the reasonable probabilities of each, providing case studies of companies that faced disasters and were or were not prepared, Enderle says. "This gives you a baseline you can build a budget out of," he says, "and when you create a plan, it helps validate the cost of the recommended actions."
2. Leverage current events to promote awareness
Remind management of recent events, such as the wildfires in California, and of how damaging business disruptions can be. "The best time to do this is when there is a disaster in the news because typically the executive staff is much more open to related proposals at that time, particularly if you can highlight the result of not being prepared," Enderle says. If your enterprise has experienced a disaster, use a case study of your own response, or lack thereof, to build a convincing case.
3. Remember compliance regulations
Publicly traded companies need to answer to shareholders, and the CFO and others on the financial side of the business can be called on to share the corporation's responsibilities surrounding availability and business continuity. For private companies that must answer to the public -- hospitals, governmental agencies and so on -- training for handling the media in the event of a disaster or failure to provide expected services can raise awareness, says Roberta Witty, an analyst at Gartner.
4. Test current plans
Perform a walk-through to test how organizations identify and respond to gaps in the plan. Walk-throughs can also help CIOs gain more financial support for areas found lacking. "Managers should be walked through disaster scenarios and trained in assessing costs incurred as a result of the disasters," Witty says. "Planners should share these results with senior management to get support, commitment and funding."
5. Think beyond IT
Disaster preparedness was traditionally the purview of the IT department with the focus on hardware and software infrastructure needed for the business to operate. Increasingly, the focus of disaster preparedness is expanding to include business processes, personnel and so on. Beyond the loss of technology infrastructure, from the physical equipment to software needed to run the business, consider the impact of business interruptions, interruptions to the supply chain, the need to care for large groups of people who can't leave the workplace, and the inability of workers to return to work because of displacement from their homes, says Witty.
Disaster preparedness is a continual process, not a static plan. Regular testing of the plan, education of senior management and coordination with groups outside IT are crucial to disaster recovery success.
Jodi Mardesich writes about business and technology. Her writing has appeared in The New York Times, Fortune, San Jose Mercury News, Salon and Slate.