Disaster recovery plans at many companies are on the rise, but the management of business continuity remains an...
area of weakness, according to a recent survey.
Deloitte & Touche LLP and CPM Global Assurance conducted a survey of 200 corporate and IT managers from various industries and found that more companies are executing DR plans that will keep a business running in the event of a terrorist attack, computer virus or natural disaster. Fifty percent of respondents said that they have formal crisis management and emergency response plans, and test them at least annually, a 20% increase from five years ago.
But although more and more replication technologies are being implemented for DR, 20% of respondents said they felt that their IT recovery plans were still focused only on "bringing the box back," an indication that more needs to be done to integrate technology with the continuity needs of a business.
"Technology can solve many problems, but it can't do it all … business continuity is about communication," said Arun Taneja, consulting analyst and founder of the Taneja Group.
Steve Ross, a director in Deloitte & Touche's information security services group said companies that "focus too much on technology have to realize that they are not a computer center; they are running a business." Ross added that replication technologies from storage vendors are improving, but successful business continuity starts with IT and business units agreeing on how technology drives the business.
Still, at many companies, executive management is not involved in the DR conversation, according to the survey. Ted DeZabala, principal and national security services leader of Deloitte & Touche, said that "only a third of the survey's respondents believe they have comprehensive business continuity management (BCM) governance in place, and only half of them include their senior executives in the program management."
The Deloitte & Touche report pointed out some other factors that explain the lag in business continuity planning:
- Most organizations lack a senior-level business continuity management person that can influence both the company's culture and financial resources.
- Business units are reluctant to spend the time and money to implement "optional" programs.
- Corporate executives may operate under the belief that "it will never happen to our organization."
- Organizations that are already resource-constrained may feel overwhelmed by the prospect of creating an enterprise-wide BCM program.
Steven Jones, applications support manager at Chittenden Corporation, a bank holding company headquartered in Burlington, Vt., said his company's DR and business continuity plan was a collaborative effort. "I think you'll find that business and technology work better together in banking because there's so much on the line with compliance regulations."
Chittenden replicates data between two IBM AS/400 systems in Burlington and Brattleboro. The DR portion of their plan focuses on replicating and restoring data at the bank's remote data center in Brattleboro. For business continuity, IT and business units have to ensure that, in case of a fire or some other disaster at their Burlington headquarters, the company can set up shop in a nearby DR office in Burlington and begin replicating data from Brattleboro. "We test this annually because the compliance regulators can check your DR plan at random," said Jones.
Taneja agreed that banking is the most efficient industry when it comes to DR and business continuity because of the "massive impact of compliance regulations."
He added that poor communication between business and technology happens in industries that are not heavily regulated and are more apt to take DR and business continuity lightly. "It's like life insurance -- if you're young and healthy, you feel like you don't need it, so you put it off and hold on to your money."