Here's a tricky question: Could your company operate during a flu pandemic?
Nearly 3,000 financial services organizations tested their answers to that question with a disaster drill last September. The exercise showed that the financial sector could continue to operate during a pandemic, but it also revealed stress points throughout the industry. For instance, many recovery plans laid the groundwork for employees to telecommute -- a smart move in a scenario that could leave thousands homebound -- but the existing infrastructure couldn't handle the increased traffic.
"When you have [so many more] people working from home, the Internet is going to slow to a crawl, and that's if it's even recoverable in all parts of the country," says Nick Benvenuto, managing director and global head of business continuity at Protiviti Inc., a risk management consulting firm in Menlo Park, Calif.
That drill highlights the status of many companies vis-a-vis disaster recovery: They have disaster plans, but those plans aren't adequately designed to handle an actual event.
Instead, many business executives, including top IT managers, are relying on old procedures and technologies that might work for small-scale, brief disasters -- a regional power outage, for example -- but would fall woefully short during a catastrophe like another major hurricane or terrorist attack.
Moreover, many companies can't claim to have real confidence in their disaster recovery plans, either, because they fail to test and update those plans often enough to guarantee that their procedures and technologies are keeping pace with business changes and growth.
In a 2007 report from Cambridge, Mass.-based Forrester Research Inc., only 33% of 124 data center decision-makers surveyed said they believe they're very prepared to recover their data centers in the event of a failure or disaster. Meanwhile, 37% said they were prepared, 27% said they were somewhat prepared, and 3% admitted that they weren't prepared.
However, there are leaders out there. In particular, organizations that have survived recent, massive disasters have internalized their hard-earned lessons in recovery and are now better prepared for what might come next.
And the news isn't all bad. Experts say that although companies need to work harder on disaster recovery planning and testing, they're still doing better than they have in the past.
"If you went back 10 years, things were far worse. There has been great improvement," says Jonathan Gossels, president and CEO of SystemExperts Corp., an IT compliance and network security consulting firm in Sudbury, Mass. "But not enough companies are doing enough."
Although preparedness varies greatly from industry to industry and from one company to the next, Gossels says there are several factors that contribute to an organization's failures in disaster recovery preparation.
"It's expensive, it falls below the priority line, and it doesn't generate revenue. It's seen as just an ongoing high cost. It's natural for companies to do as little as they can get away with," says Gossels. "It's human nature to expect that we'll see this area underfunded."
In a recent survey conducted by Gartner Inc., more than half the 359 participants from the U.S., Canada and the U.K. said they planned for natural disasters, power outages, fires, IT outages, computer virus attacks, and failures at key service providers. And 50% of the respondents said they planned for terrorist attacks.
But the survey also found that less than half have plans for dealing with labor strikes, civil unrest, denial-of-service attacks or pandemics. And only 45% have plans for long-term facility outages -- that is, outages lasting more than a week.
Given these findings, Gartner analyst Roberta Witty questions whether disaster plans are adequate, considering the fact that some recent events, such as Hurricane Katrina, took out power for much longer than a week. Witty says organizations also fail to adequately plan for disruptions in services provided by third parties.
Companies are taking note, though. Forrester analyst Stephanie Balaouras says Hurricane Katrina was a louder wake-up call for businesses than the Sept. 11 terrorist attacks. She says most companies don't operate in major urban areas or near landmarks that could be terrorist targets, but they do see themselves as vulnerable to weather-related catastrophes and other natural disasters.
But Balaouras points out that the vast majority of business disruptions aren't caused by big events like hurricanes. It's the more mundane scenarios, such as power outages, IT failures and human error, that are more likely to bring down a whole IT infrastructure.
Companies shouldn't focus on a specific event, however, Balaouras says. They need to plan for the resulting disruptions. After all, anything from wildfires to floods can knock out power, take out infrastructure and scatter workers.
"This really needs to become part of change management," Benvenuto says. "Whenever you add a new process, you need to think about how it affects disaster recovery."
Pratt is a Computerworld contributing writer in Waltham, Mass. Contact her at firstname.lastname@example.org.