- A US-led war in Iraq that could spawn new terrorist attacks in the US could be less than two weeks away, but that hasn’t prompted many companies in the US to invest adequately in disaster recovery, according to a new study by Dataquest .
The study, "Investment Decisions: Preparing for Organisational Disasters," warns that unless companies invest immediately in disaster preparedness planning, as many as one in three could lose critical data or operational capability if a disaster occurred.
IT managers from 205 end-user companies representing eight vertical industries in the US, including government, aren’t investing appropriately in disaster plans because they don’t have the money to reach their required readiness levels, says Tony Adams, principal analyst in Dataquest's IT services group.
"Budget constraints are forcing an average of 40% of respondents to rely on a best guess to determine potential risk rather than obtaining formal assessments, which would be too costly," he says.
"More prioritised investments must be made to ensure that businesses can quickly regain productivity after a calamity," says Adams.
"Preparation is key, and without adequate investment for protection of critical systems, the repercussions of disasters will be lengthier and more costly."
Still, 53% of the respondents have implemented crisis management plans and another 30% that do not yet have plans are considering developing them, according to the Dataquest study. The remaining 17% said they aren’t developing crisis management plans.
"Organisations may have researched and prepared a disaster recovery plan, but the data show that only a fraction have involved themselves in contingency planning for external events that might impact their capability to perform their business operations," the study concludes.
"It could be merely that clarity about the aim and function of crisis management is needed," according to the study. "It could also be explained in terms of the IT systems not being deemed mission-critical in importance." Just over a third of those surveyed by Dataquest, or 34%, indicated that crisis management preparedness is being studied for possible increased funding.
Fully 57% of the organisations surveyed either say that they didn’t know how often they evaluate contingency preparedness or that they do so in less than half of all new IT initiatives they undertake, according to the Dataquest study. Just 10% say they evaluate every new initiative for business continuity.
Rob Clyde, vice president and chief technology officer at Symantec, agreed that funding issues continue to hamper the creation of contingency plans at many businesses. However, even companies that have disaster and contingency plans in place are probably not prepared for the multiple events that could occur in wartime or during a terrorism attack, says Clyde.
"A confluence of multiple incidents, [such as] major blended threats and worm attacks, coupled with physical attacks or disasters, would break the back of most organisations’ incident response and disaster recovery capabilities," says Clyde. As a result, advance preparation is key. In addition to focusing on technology and processes, "it is useful to run a worst-case scenario during the test and identify missing capabilities and try to put together an appropriate mitigation [plan]," he says.
Although the Dataquest study focused on the responses and plans of IT managers, John Keast, chief operating officer at SEEC, a Pittsburgh firm that develops software for the insurance and financial industries, says that while a company’s CIO designs and implements the plan and likely orchestrates its execution during a disaster, the ultimate responsibility for focusing the appropriate resources on disaster recovery and continuity planning rests with the CEO, chief operating officer and the board of directors.
"Losing data that affects business operations is avoidable and unacceptable," says Keast. "So CEOs and COOs must make it their priority." Otherwise, "the markets will punish any company who drops the ball."