- What is Disaster Recovery Planning?
- Purpose of This Book
- A Working Definition of Disaster
- The Time Factor in Disaster Recovery
- The Need for Disaster Recovery Planning
- The Auditor's View
- An Imperfect Legal Mandate
- Building Management Consensus for Disaster Recovery Planning
- Who Should Write the Plan?
- A Straightforward, Project-Oriented Approach
- A Note on Methodology
The Need for Disaster Recovery Planning
The need for disaster recovery planning is usually self-evident to an IT professional. Who, after all, has a more personal stake in the survival of a company's information systems than the manager whose position, prestige, and salary directly depend upon system performance?
In addition to self-interest, information managers often manifest a protective, almost parental attitude toward "their" systems. This is especially true when systems have been developed in-house. Effective IT managers and chief information officers (CIOs), like good parents, take a personal interest in the safety and health of their charges.
Beyond self-interest and psychological factors, the IT professional has an ethical mandate to protect data integrity and ensure system and network survivability. Service level agreements between the IT department and the company's end-user departments are one manifestation of this commitment to quality and excellence in IT services. Contingency plans must exist if service level agreements are to be made in good faith.
Given all the compelling arguments for undertaking disaster recovery planning, it may seem redundant for auditors and federal law to require it. Unfortunately, a 1998 survey of 4,255 IT and information security managers conducted by Ernst & Young and Computerworld revealed that over half had no disaster recovery plan in place for their companies.[4] The study further showed a decline in attention to disaster recovery planning generally, despite increasing downtime-related costs:
"While over 59% of this year's respondents said they experienced financial loss due to system downtime or failure within the past 12 months, only 41% of the organizations surveyed have a [disaster recovery] plan, compared to 55% last year; of that number, 34% have never tested the plan. In approximately 45% overall, there was no budget for [DR planning] activities.... In 45% of the organizations surveyed, there were no full-time employees dedicated to [DR planning], while 26% had none last year. The number of part-time employees allocated has also decreased: in 1997, 20% had no part-time [DR planning] employees; this year it is 53%."[5]
One year before the Ernst & Young survey, the Meta Group interviewed 100 of its Fortune 1000 company clients and discovered that fewer than 5% had "back-to-front" disaster recovery plans in place. Missing were provisions for the recovery of client/server systems, even in those companies that were in the process of migrating mission-critical legacy applications onto distributed platforms.[6]
In the absence of effective planning, it has fallen to auditors, and in some cases legislators, to apprise corporate information managers of disaster recovery planning requirements and to enforce them as a matter of law.