With various parts of the country still reeling in the wake of tornadoes, earthquakes, too-early snowstorms, hurricanes and wildfires, the past few months have taught us that no geographical area is safe. There's never been a more compelling time to develop or fine-tune a disaster recovery and business continuity plan for your business.
Disaster recovery is, quite simply, being able to continue your mission-critical business operations after an interruption of some kind. Companies must be able to resurrect their applications and processes -- their entire business operations -- at the point where they were before the outage occurred, says Robert Amatruda, research director for data protection and recovery at IDC. And this is true whether the outage resulted from a natural disaster, a server or storage system malfunctioning or "someone pulling a plug they shouldn't have," he says.
While business continuity is about being able to keep functions going, disaster recovery means being able to get everything back to whole again, explains Carl Pritchard, senior risk management consultant at advisory firm Cutter Consortium. "The difference is business continuity is keeping the patient alive. Disaster recovery is getting them back to being healed and walking again," says Pritchard, who is also the author of Risk Management: Concepts and Guidance, 4th Edition.
And if you think it won't happen to you, think again, Pritchard says. "At some point, no matter what aspect of life you look at, the walls come crashing down around you. People with a business continuity plan and disaster recovery plan have the ability to get back to a semblance of normalcy in a much shorter span of time than those without."
Preparedness varies
But many small and midsize businesses are not prepared for a disaster. According to a 2011 SMB disaster preparedness survey commissioned by Symantec, 57% of respondents in small businesses do not have a plan in place to deal with an outage or disruption to their computer or technology resources, compared with 47% of midsize businesses.
There is more encouraging news among larger enterprises; in 2010, 66% reported having a recovery site for their data center and IT operations in the event of a disaster or other primary site failure, while 30% said they have more than one recovery site, according to a recent report by Forrester Research. Yet, the same report also noted that disaster recovery budgets have "declined sharply" since the global economy began a downturn in 2008.
One byproduct of the decreased investment in disaster recovery is that actual recovery times from disasters or other major business disruptions are increasing, a separate Forrester report noted. (See chart.)
Other findings included the number of companies with disaster recovery plans in place, which stayed flat at 79% between 2007 and 2010, and that companies reported updating their plans less frequently, according to Forrester. Testing has also declined. Almost a quarter of companies reported testing their plans twice a year, and around half test once a year, while Forrester recommends companies conduct at least two full tests a year followed by several component tests throughout the year.
The arrival of Y2K
The latest scenario contrasts markedly with all of the preparations for the Year 2000 changeover, which some say spurred many companies' disaster recovery efforts.
The so-called Y2K issue centered on the inability of software to deal with a four-digit year -- most systems had been designed to support only two digits. In the years and months leading up to 2000, companies spent billions of dollars replacing or patching their applications.
Many companies address disaster recovery and business continuity only after a national or global event or an internal crisis, and Y2K filled that bill. "Then all of a sudden people get religion," says Pritchard. "It's not one single event. Y2K was a freight train that was bearing down on every business in the world ... It was a brilliant risk mitigation day.
"Y2K was a driver, and it helped popularize the notion [of disaster recovery] because organizations felt if they got caught doing nothing it would be the end of their organization." The beauty of it was, he says, that not only did organizations create plans, but they also carried out mitigation ahead of time.
But some companies have short memories. By the time 9/11 occurred, some businesses never fully recovered because they weren't ready for a catastrophe and lost everything they had because there was no plan in place, Pritchard says.
Even some of the businesses that had the foresight to back up their data still lost it. "One of the tragedies of 9/11 is some businesses had their backup data in the building itself," Prichard says, while others had stored it across the river in New Jersey. Those companies suffered outages because of communications problems, but they eventually got their data back, he says. Now, many of those companies store their data in the Midwest, "because it's unlikely both the Midwest and New York City will fail at the same time."