IT disaster recovery plans are giving many business leaders a false sense of security. META Group research indicates that only 20% of Global 2000 organizations have business continuity plans effective enough to ensure a strong likelihood of the enterprise surviving a disaster without lasting adverse impacts.
"Disaster recovery plans, hardened sites, high availability - none of these IT-focused safeguards will do a company any good if its personnel or the network infrastructure cannot access the site," says META Group analyst Carl Greiner. "That is one of the lessons of September 11. Corporate data centers in the New York financial district were running, but lack of network connectivity and building access rendered them unusable."
Business continuity extends far beyond IT disaster recovery. The business continuity planning committee must include human resources (HR) and facilities management leaders as well as line-of-business (LOB) executives and the CIO. For large organizations, executing on the plan requires a team of experts from across the organization and an adequate budget. This team normally reports to the CFO, not the CIO. Disaster recovery, an IT responsibility along with high-availability infrastructure, should be managed as a subset of the overall business continuity program.
While the terms "business continuity" and "disaster recovery" conjure visions of major disasters - fires, earthquakes, or terrorist attacks - most problems are caused by more common events. A severe winter storm, a flood or hurricane, or even a manmade disruption like a transit strike can prevent key staff members from reaching their facilities. For a large insurance company, for example, a storm that prevents staff from getting to a claims processing center can be as damaging to the business as the failure of a major IT system.
Business continuity plans must be formulated to ensure the viability of every type of resource that the organization will need to survive a damaging event - including adequate facilities, the safety and accessibility of staff members, and IT systems. LOB leaders must itemize the importance of business processes. What processes must continue uninterrupted for the enterprise as a whole or a major business unit to survive? Which processes can stand an interruption, and for how long? What alternatives or backup processes exist?
Planning for business continuity should look beyond the organization itself to its suppliers, subcontractors, transportation providers, etc. For instance, the head of a major US automobile manufacturer must consider what might happen to the company if the Canadian border is shut down - how long can the company continue manufacturing cars without cross-border trade in components? What alternative sources can it tap?
Of course, effective business continuity plans cost considerable sums of money. Many executives are reluctant to spend the necessary funds because they are under pressure to fatten the bottom line - and the lack of adequate business continuity planning has not yet had a severe impact on their company. "Many top executives are now talking about business continuity," observes Greiner. "But most of them are asking questions rather than budgeting the money that is required."
Business and IT leaders must recognize that adequate business continuity plans are an "insurance premium" that must be paid to protect the business. Every year some businesses - including enterprises of considerable size - are materially impacted by events that could have been controlled with adequate planning. Exactly how much a company needs to invest depends on the level of residual risk that executives and stockholders are willing to accept. But all organizations require some level of business continuity protection.
User Action:
Senior managers must first realize that their current business continuity plans are probably faulty. "Nine of ten recommendations made to corporate leaders are not implemented," says Greiner. "Corporate management typically refuses to admit the extent of their vulnerability. They say that the auditors have verified that the existing plan will work - so why do they need to make major new investments? They go on denying the inadequacies of the existing plan until a disruptive event occurs."
Sound business continuity planning begins with senior management frankly confronting and demanding answers to the vital question: Is the organization prepared to withstand a major disruption? Each of the possible causes of disruption must be assessed, including the relative probability of each of these causes and the damage that could result. To protect the company, business and IT leaders must maintain their focus on business continuity as an ongoing discipline, and adequate spending must be allocated to the creation, review, testing, and upgrading of continuity plans.
META Group analysts Carl Greiner, Barry Wilderman, David Yockelson, Rich Evans, David Cearley, Sean Derrington, and Val Sribar contributed to this article.
Share
This article previews one of the topics that will be discussed in depth at METAmorphosis 2003, META Group`s 14th Annual Forum of IT and Business Change, 27 to 29 May 2003, Caesars Gauteng, Johannesburg. Visit www.metagroupsa.co.za for more information or to register online.
Editorial contacts