Business Continuity and Disaster Recovery Strategies to Be Discussed at Inaugural Gartner Business Continuity Management Summit, March 5-7 in Chicago
Business continuity management (BCM) and disaster recovery (DR) programs are getting better, however, work still needs to be done to increase the quality and maturity of BCM/DR programs. According to a Gartner Inc. survey of 359 information security and risk management professionals from the U.S., U.K. and Canada, nearly 60 percent of organizations only plan for their longest outage to be seven days.
“The fact that most organizations plan for an outage that lasts up to seven days indicates a huge hole in those organizations’ ability to sustain business operations if a regional disaster strikes,” said Roberta Witty, research vice president at Gartner. “The impact of a disaster that lasts more than one week can have enormous negative impact on revenue, reputation and brand. Regional incidents, terrorism, service provider outages and pandemics can easily last longer than seven days. Therefore, enterprises must be prepared. More mature BCM/DR programs plan for outages of at least 30 days.
When planning for specific types of disaster scenarios, 77 percent of companies have a plan for a power outage or fire, and 72 percent have a plan for a natural disaster, such as a flood or hurricane. At least half the companies surveyed also have plans for IT outages, computer-virus attacks, terrorism and key service providers’ failure. “With the growing use of third-party service providers to conduct mission-critical business functions, organizations that don’t plan for this type of business outage can find themselves in a tough position in the event that this scenario becomes a reality,” said Ms. Witty.
Most BCM/DR plans are for a single facility outage, and planning for regional disasters has dropped in priority during the past couple of years. Organizations are, however, taking pandemic planning warnings more seriously than in the past (29 percent in 2007 vs. 8 percent in 2005).
With the growing awareness that continuing business operations after a disaster requires a lot of planning, organizations are also realizing that the approach to best manage an incident is to have a dedicated group of people on a crisis management team. A total of 37 percent of organizations use a physical crisis command center to coordinate emergencies, such as a local hotel room or conference room. However, understanding that many disasters happen when employees are not in one place, 31 percent of companies have established a virtual command center so that traveling or off-site personnel can be included in the management of an incident.
Conducting a business impact analysis (BIA) is the most critical process in the development of a DR strategy and associated plans because it provides the business requirements used to develop the plan. Exercising (formerly called testing) on a regular basis is the second most-critical component of a BCM program. Having a plan is only a fraction of the maturity of the BCM/DR process. Knowing that the plan works during an actual emergency is key to a business's survival. A total of 28 percent of organizations reported that their last DR exercise went well and met all their service targets. However, 61 percent of survey participants reported that they had problems with the exercise, which should not give any organization a good sense of security that their DR program will meet the business recovery needs when a crisis strikes.
“Enterprises with the best BCM and DR practices have a corporate culture that values availability and an understanding of the costs (in terms of the financial and reputation implications) associated with business process outages,” said Ms. Witty. “These enterprises also realize that following a well-defined process when disaster strikes is significantly better than trying to respond to an incident in crisis mode without the benefit of planning, coordination and testing, which helps minimize downtime and costs.”
More information on BCM/DR plans and strategies will be presented at the inaugural Gartner Business Continuity Management Summit taking place March 5-7, 2008 at the Sheraton Chicago Hotel & Towers in Chicago. The Summit will focus on the key trends, best practices, technologies and services needed to develop and implement a risk-based strategy and framework for ensuring an organization's recovery from various types of business and IT disasters and interruptions. This summit is co-located and runs sequentially with the Compliance & Risk Management Summit. Attendees interested in both can take part throughout the entire week. More information can be found at www.gartner.com/us/bizcon. Members of the media can register by contacting Christy Pettey at firstname.lastname@example.org.
Gartner, Inc. (NYSE: IT) is the world's leading information technology research and advisory company. The company delivers the technology-related insight necessary for its clients to make the right decisions, every day. From CIOs and senior IT leaders in corporations and government agencies, to business leaders in high-tech and telecom enterprises and professional services firms, to technology investors, Gartner is the valuable partner to clients in approximately 10,000 distinct enterprises worldwide. Through the resources of Gartner Research, Gartner Executive Programs, Gartner Consulting and Gartner Events, Gartner works with every client to research, analyze and interpret the business of IT within the context of their individual role. Founded in 1979, Gartner is headquartered in Stamford, Connecticut, USA, and has 8,100 associates, including more than 1,700 research analysts and consultants, and clients in more than 90 countries. For more information, visit www.gartner.com.
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.