Press Release

STAMFORD, Conn., January 9, 2008 View All Press Releases

Gartner Says Most Organizations Are Not Prepared For a Business Outage Lasting Longer Than Seven Days

Business Continuity and Disaster Recovery Strategies to Be Discussed at Inaugural Gartner Business Continuity Management Summit, March 5-7 in Chicago

Business continuity management (BCM) and disaster recovery (DR) programs are getting better, however, work still needs to be done to increase the quality and maturity of BCM/DR programs. According to a Gartner Inc. survey of 359 information security and risk management professionals from the U.S., U.K. and Canada, nearly 60 percent of organizations only plan for their longest outage to be seven days.

“The fact that most organizations plan for an outage that lasts up to seven days indicates a huge hole in those organizations’ ability to sustain business operations if a regional disaster strikes,” said Roberta Witty, research vice president at Gartner. “The impact of a disaster that lasts more than one week can have enormous negative impact on revenue, reputation and brand. Regional incidents, terrorism, service provider outages and pandemics can easily last longer than seven days. Therefore, enterprises must be prepared. More mature BCM/DR programs plan for outages of at least 30 days.

When planning for specific types of disaster scenarios, 77 percent of companies have a plan for a power outage or fire, and 72 percent have a plan for a natural disaster, such as a flood or hurricane. At least half the companies surveyed also have plans for IT outages, computer-virus attacks, terrorism and key service providers’ failure. “With the growing use of third-party service providers to conduct mission-critical business functions, organizations that don’t plan for this type of business outage can find themselves in a tough position in the event that this scenario becomes a reality,” said Ms. Witty.

Most BCM/DR plans are for a single facility outage, and planning for regional disasters has dropped in priority during the past couple of years. Organizations are, however, taking pandemic planning warnings more seriously than in the past (29 percent in 2007 vs. 8 percent in 2005).

With the growing awareness that continuing business operations after a disaster requires a lot of planning, organizations are also realizing that the approach to best manage an incident is to have a dedicated group of people on a crisis management team. A total of 37 percent of organizations use a physical crisis command center to coordinate emergencies, such as a local hotel room or conference room. However, understanding that many disasters happen when employees are not in one place, 31 percent of companies have established a virtual command center so that traveling or off-site personnel can be included in the management of an incident.

Conducting a business impact analysis (BIA) is the most critical process in the development of a DR strategy and associated plans because it provides the business requirements used to develop the plan. Exercising (formerly called testing) on a regular basis is the second most-critical component of a BCM program. Having a plan is only a fraction of the maturity of the BCM/DR process. Knowing that the plan works during an actual emergency is key to a business's survival. A total of 28 percent of organizations reported that their last DR exercise went well and met all their service targets. However, 61 percent of survey participants reported that they had problems with the exercise, which should not give any organization a good sense of security that their DR program will meet the business recovery needs when a crisis strikes.

“Enterprises with the best BCM and DR practices have a corporate culture that values availability and an understanding of the costs (in terms of the financial and reputation implications) associated with business process outages,” said Ms. Witty. “These enterprises also realize that following a well-defined process when disaster strikes is significantly better than trying to respond to an incident in crisis mode without the benefit of planning, coordination and testing, which helps minimize downtime and costs.”

More information on BCM/DR plans and strategies will be presented at the inaugural Gartner Business Continuity Management Summit taking place March 5-7, 2008 at the Sheraton Chicago Hotel & Towers in Chicago. The Summit will focus on the key trends, best practices, technologies and services needed to develop and implement a risk-based strategy and framework for ensuring an organization's recovery from various types of business and IT disasters and interruptions. This summit is co-located and runs sequentially with the Compliance & Risk Management Summit. Attendees interested in both can take part throughout the entire week. More information can be found at Members of the media can register by contacting Christy Pettey at



About Gartner

Gartner, Inc. (NYSE: IT), is the world's leading research and advisory company and a member of the S&P 500. We equip business leaders with indispensable insights, advice and tools to achieve their mission-critical priorities and build the successful organizations of tomorrow.

Our unmatched combination of expert-led, practitioner-sourced and data-driven research steers clients toward the right decisions on the issues that matter most. We're trusted as an objective resource and critical partner by more than 12,000 organizations in more than 100 countries—across all major functions, in every industry and enterprise size.

To learn more about how we help decision makers fuel the future of business, visit

Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.