If there is good news about disaster recovery, it's that 91% of global IT organizations tested their disaster recovery plans before there was a disaster this year, according to a new survey. The bad news, however, is that 48% of those tests failed. That factoid was just one of the findings that should get IT and business professionals' attention in a recent global study of enterprises and telecom service providers sponsored by Symantec Corp.
The survey also revealed that 48% of the organizations surveyed had to put their disaster recovery plans into action in the past year.
The Symantec Disaster Recovery Research 2007 report, conducted by independent market research firm Dynamic Markets in July and August 2007, surveyed more than 1,000 IT professionals in large organizations in the U.S., 11 European countries, the Middle East and South Africa.
"We do a survey every year to understand the pain points customers are having in terms of disaster recovery," according to Dan Lamorena, senior product marketing manager for Symantec. "We ask what their biggest threats are, and how they're planning and testing for them so we can get a feel for their biggest concerns."
The survey also revealed that 48% of the organizations surveyed had to put their disaster recovery plans into action in the past year rather than leaving the instruction binders on a shelf. A full 44% of the organizations that didn't have a disaster recovery plan experienced a problem or a disaster; while 26% had two or more issues; and 11% had three or more disasters or problems.
In the last year, there have been floods, fires, power outages at data centers, and all sorts of other problems, Lamorena pointed out. But beyond natural disasters, the leading cause of downtime is change and human error.
"A lot of processes are still quite manual when starting up an application. If you rely on people rather than automating solutions, you could be at risk in the event of a pandemic, for example," Lamorena said.
Despite the threat of losing corporate data, the survey found that the most feared consequences of disasters among IT professionals include harm to the company's brand and reputation (69%), a negative impact on customer loyalty (65%), damage to their competitive standing in the industry (65%) and loss of company information (64%).
Natural disasters topped the list of what prompted 69% of IT organizations to create disaster recovery plans. Virus attacks were of concern to 57%, and 31% cited war or terrorism.
Taking the time to test
Having a disaster recovery plan in place appears to be one thing, while taking the time to test it is quite another. Survey respondents said the main barriers to running full scenario tests include resources in terms of people's time, disruption to employees and lack of budget. "Disruption to employees" was an issue for 19% of respondents in the 2003 survey, a figure that has grown to 47% this year.
Even for those whose disaster recovery tests succeeded, this year's survey showed that companies are concerned that their impact and probability assessments aren't comprehensive enough, which then leaves their effectiveness in question, according to Lamorena. Only 40% of organizations carried out a probability and impact assessment for all threats, while 88% carried out probability and impact assessment for at least one threat.
Who's driving disaster recovery planning?
Businesses often decide to live with a certain amount of "acceptable" risk. According to the survey results, 89% of the respondents said they have agreed upon acceptable levels of risk with non-IT business executives in their companies, while only 33% have done so for all of the threats to which they feel exposed.
Despite the legal requirements and fines that companies can face if they don't have adequate disaster recovery plans in place, the study showed that 77% of CEOs do not take an active role in disaster planning committees. The silver lining is that there is increasing awareness of disaster recovery planning at higher levels, Lamorena said.