Study: Many companies lack disaster, continuity plans

A U.S.-led war in Iraq that could spawn new terrorist attacks in the U.S. could be less than two weeks away, but that hasn’t prompted many companies in the U.S. to invest adequately in disaster recovery, according to a new study released Tuesday by Dataquest Inc.

The study, “Investment Decisions: Preparing for Organizational Disasters,” warns that unless companies invest immediately in disaster preparedness planning, as many as one in three could lose critical data or operational capability if a disaster occurred.

IT managers from 205 end-user companies representing eight vertical industries in the U.S., including government, aren’t investing appropriately in disaster plans because they don’t have the money to reach their required readiness levels, said Tony Adams, principal analyst in Dataquest’s IT services group. “Budget constraints are forcing an average of 40 percent of respondents to rely on a best guess to determine potential risk rather than obtaining formal assessments, which would be too costly,” he said.

“More prioritized investments must be made to ensure that businesses can quickly regain productivity after a calamity,” said Adams. “Preparation is key, and without adequate investment for protection of critical systems, the repercussions of disasters will be lengthier and more costly.”

Still, 53 percent of the respondents have implemented crisis management plans and another 30 percent that do not yet have plans are considering developing them, according to the Dataquest study. The remaining 17 percent said they aren’t developing crisis management plans.

“Organizations may have researched and prepared a disaster recovery plan, but the data show that only a fraction have involved themselves in contingency planning for external events that might impact their capability to perform their business operations,” the study concludes.

“It could be merely that clarity about the aim and function of crisis management is needed,” according to the study. “It could also be explained in terms of the IT systems not being deemed mission-critical in importance.” Just over a third of those surveyed by Dataquest, or 34 percent, indicated that crisis management preparedness is being studied for possible increased funding.

Fully 57 percent of the organizations surveyed either said that they didn’t know how often they evaluate contingency preparedness or that they do so in less than half of all new IT initiatives they undertake, according to the Dataquest study. Just 10 percent said they evaluate every new initiative for business continuity.

Rob Clyde, vice president and chief technology officer at Symantec Corp., agreed that funding issues continue to hamper the creation of contingency plans at many businesses. However, even companies that have disaster and contingency plans in place are probably not prepared for the multiple events that could occur in wartime or during a terrorism attack, said Clyde.

“A confluence of multiple incidents, [such as] major blended threats and worm attacks, coupled with physical attacks or disasters, would break the back of most organizations’ incident response and disaster recovery capabilities,” said Clyde. As a result, advance preparation is key. In addition to focusing on technology and processes, “it is useful to run a worst-case scenario during the test and identify missing capabilities and try to put together an appropriate mitigation [plan],” he said.

Although the Dataquest study focused on the responses and plans of IT managers, John Keast, chief operating officer at SEEC Inc., a Pittsburgh firm that develops software for the insurance and financial industries, said that while a company’s CIO designs and implements the plan and likely orchestrates its execution during a disaster, the ultimate responsibility for focusing the appropriate resources on disaster recovery and continuity planning rests with the CEO, chief operating officer and the board of directors.

“Losing data that affects business operations is avoidable and unacceptable,” said Keast. “So CEOs and COOs must make it their priority.” Otherwise, “the markets will punish any company who drops the ball.”