Home > Security > Business Continuity

Computerworld - Some months after the 9/11 attacks, I interviewed the CIO of a large Wall Street law firm located only blocks from the collapsed World Trade Center towers. She talked about the tremendous outpouring of sympathy and concern from hundreds of the attorneys' clients in the 24 hours after the disaster.

Then Day 2 dawned, and the story changed. The clients who called wanted reassurances that their files were safe and that business would promptly get back on track. I remember being shocked by the self-centered attitude of those demanding customers. But it was a reminder that even a major disaster has a short shelf life as an excuse in the business world. What matters most is the speed and effectiveness of recovery.

So it's odd that nobody likes to talk about disaster recovery. Vendors use euphemisms like "business continuity" to avoid those two scary words. Companies give lip service to how important such planning is but then fail to fund programs to test their own disaster plans.

We recently surveyed IT professionals from companies with disaster recovery plans. When asked, "Could you locate your disaster recovery plan in the next five minutes?" one-third of the 227 respondents admitted they couldn't. Of 281 IT pros asked how often they perform remote-office data backups, only 58% said they were doing so every day.

With all the risks to manage in the world today, from natural disasters to man-made ones, you'd think this little item would be at the top of the "Important Things We Do to Stay in Business" list. We learned otherwise in talking with a host of experts and executives for this week's Knowledge Center on disaster recovery . Many of our sources made it clear that this is truly more of a business issue than a technology one. But guess who's usually in charge of the disaster response plan? IT, of course.

Don O'Connor, CIO at Southern California Water Co., contends that even underprepared IT organizations have at least given some thought to system recovery and uptime restores. But business units are much more likely to be clueless about their roles. "In my experience, IT can respond relatively quickly," O'Connor says. "The part that's missing is the users."

If that's the situation at your company, what should you do about it? In this issue, we provide plenty of cost-conscious tips and insider advice from IT managers who have faced disaster and recovered. Their experiences raise questions you should be able to answer. For starters:

• How strong is your disaster recovery documentation? What if the head of sales is the one who has to turn on the systems in the data center? "We fashion our document so anyone in the business should be able to restart an application," says Elbert Lane, a lead software developer at Gap Inc. in earthquake-prone San Francisco.


• Which applications are really the most important ones to restore first? At most companies, it's probably e-mail, not the SAP system or the Oracle database.


• How robust and ready are the plans at your suppliers, your outsourcers, your business partners? Who's checking on them?


• What are your most critical access issues? Getting to the data, the systems or the people?

Disaster recovery is one test that IT can ace -- without big budgets or expensive consultants. It's a matter of common-sense planning, attention to process and doing your disaster homework.

Maryfran Johnson is editor in chief of Computerworld. You can contact her at maryfran_johnson@computerworld.com.

Read more about Business Continuity in Computerworld's Business Continuity Topic Center.