Taking Care of Business
Organizations Not Prepared For a Business Outage Lasting Longer Than Seven Days – Gartner
by: Jerry Liao
If you think that after the 9-11 incident, companies will be more prepared if in case such incident will happen again, you better think again because according to a survey conducted by research firm Gartner – companies are not prepared if in case a business outage will last longer than seven days.
Business continuity management (BCM) and disaster recovery (DR) programs are getting better; however, work still needs to be done to increase the quality and maturity of BCM/DR programs. According to a Gartner Inc. survey of 359 information security and risk management professionals from the U.S., U.K. and Canada, nearly 60 percent of organizations only plan for their longest outage to be seven days.
“The fact that most organizations plan for an outage that lasts up to seven days indicates a huge hole in those organizations’ ability to sustain business operations if a regional disaster strikes,” said Roberta Witty, research vice president at Gartner. “The impact of a disaster that lasts more than one week can have enormous negative impact on revenue, reputation and brand. Regional incidents, terrorism, service provider outages and pandemics can easily last longer than seven days. Therefore, enterprises must be prepared. More mature BCM/DR programs plan for outages of at least 30 days.
When planning for specific types of disaster scenarios, 77 percent of companies have a plan for a power outage or fire, and 72 percent have a plan for a natural disaster, such as a flood or hurricane. At least half the companies surveyed also have plans for IT outages, computer-virus attacks, terrorism and key service providers’ failure. “With the growing use of third-party service providers to conduct mission-critical business functions, organizations that don’t plan for this type of business outage can find themselves in a tough position in the event that this scenario becomes a reality,” said Ms. Witty.
Most BCM/DR plans are for a single facility outage, and planning for regional disasters has dropped in priority during the past couple of years. Organizations are, however, taking pandemic planning warnings more seriously than in the past (29 percent in 2007 vs. 8 percent in 2005).
With the growing awareness that continuing business operations after a disaster requires a lot of planning, organizations are also realizing that the approach to best manage an incident is to have a dedicated group of people on a crisis management team. A total of 37 percent of organizations use a physical crisis command center to coordinate emergencies, such as a local hotel room or conference room. However, understanding that many disasters happen when employees are not in one place, 31 percent of companies have established a virtual command center so that traveling or off-site personnel can be included in the management of an incident.
Conducting a business impact analysis (BIA) is the most critical process in the development of a DR strategy and associated plans because it provides the business requirements used to develop the plan. Exercising (formerly called testing) on a regular basis is the second most-critical component of a BCM program. Having a plan is only a fraction of the maturity of the BCM/DR process. Knowing that the plan works during an actual emergency is key to a business’s survival. A total of 28 percent of organizations reported that their last DR exercise went well and met all their service targets. However, 61 percent of survey participants reported that they had problems with the exercise, which should not give any organization a good sense of security that their DR program will meet the business recovery needs when a crisis strikes.
“Enterprises with the best BCM and DR practices have a corporate culture that values availability and an understanding of the costs (in terms of the financial and reputation implications) associated with business process outages,” said Ms. Witty. “These enterprises also realize that following a well-defined process when disaster strikes are significantly better than trying to respond to an incident in crisis mode without the benefit of planning, coordination and testing, which helps minimize downtime and costs.”
The true test of preparedness is during the worst times and not during the best times of a situation / condition. Ensuring business continuity requires leadership, dedication and participation not only from top management but should be participated in by everybody in the company.