As my colleagues and I have talked with a number of businesses, we've been surprised how many have told us that they have tried to test their disaster recovery plans, failed, and simply gave up. They said the experience was too demoralizing and more pressing issues awaited them.
This is frightening, especially when you read the many surveys on disaster preparedness and see huge variations in the responses. I saw one such survey that indicated nearly 75% had tested disaster recovery plans, yet another indicated slightly under 50% were prepared. A recent survey showed that executives and IT staffers were not on the same page, or not communicating. Whatever the reason, they were not singing the same tune about the importance of Disaster Recovery Preparedness.
I have to ask myself: "Why are so many unprepared?" "Why do the surveys show such broad differences?"
Let's explore the survey issue first. There are a number of reasons surveys can produce great variations in results. Limiting to only a specific market (such as one vertical market segment or geographical region), asking specific questions to "lead the witness", or simply an invalid sample size. While this can explain some variation, it can't explain all. I'm of the opinion that beyond surveys, many companies don't have a concrete understanding of their disaster recovery preparedness. When asked by a surveyor, they take their best guess.
Without hard metrics and testing, there is really no way to obtain good data on preparedness.
Now the second issue, so why are so many unprepared? There are certain vertical industries which have been required by government regulations for decades to prove their preparedness, such as the financial services sector. Much like commercial airline pilots or emergency medical technicians, they are required to re-certify and take continuing training and education to prove their preparedness. But for everyone else, only recently has pressure increased for disaster preparedness. HIPAA and Sarbanes-Oxley indicate that data must be "available" but with no time frame specified. Business failures resulting from disasters have made the news, adding some pressure to the fear drivers for DR preparedness.
A number have pushed off planning due to budget constraints and other more pressing issues they are faced with. Frankly, these are only excuses; possibly due to lack of really knowing how to attack the problem. The world has taught us that "given a will, there is a way". So how to nurture that will?
Smart business executives have recognized the importance of an all-encompassing plan with continued testing and education of their whole organization, not just the IT department. Focusing on business process recovery is required for success.
What's really neat are the new technologies on the market, such as server virtualization, which can significantly simplify and speed the IT recovery process. Virtualization has proven to reduce the costs of disaster recovery, and more importantly, make the IT recovery process more deterministic: no more failed disaster recovery tests.
So if you are one who is unprepared, now is the time to start. Don't try to "eat the elephant" in one sitting, you will fail. Start one step at a time and be persistent.
Posted by: Richard Jones