1. The Need for a Disaster Recovery Plan
2. Plan Development Team
3. Disaster Recovery Plan Alternatives
4. Writing the Disaster Recovery Plan
5. Test the Disaster Recovery Plan
6. Maintain the Disaster Recovery Plan
7. Invoke the Disaster Recovery Plan
The Need for a Disaster Recovery Plan
Business interruption insurance can provide only for restoration, not the replacement, of data. To many people disaster recovery planning means planning for the restoration of mainframe operations following a catastrophe. This comes as no surprise considering that the traditional focus of disaster recovery planning has been the corporate computer, almost without exception a mainframe. Historically, disaster recovery plans dealt primarily with replacing a damaged or inaccessible mainframe with compatible hardware. Often disaster recovery planning was an activity confined to the data processing department of the company.
Today, more and more, disaster recovery planning encompasses a wider set of objectives. It aims at the recovery of critical business functions rather than the restoration of data processing operations alone. This, in large part, is a response to changes in the environment in which disaster recovery plans are developed. Decentralization of data processing functions, the rise of personal computing, and the emergence of local area networks are just some of the environmental changes that are forcing contextual alterations in the field of disaster recovery planning.
To put the need for emergency preparedness planning into perspective, the National Archives and Records Administration (NARA) states that only 43% of businesses that suffer an incapacitating disaster ever resume operations. Of that 43%, only 29% are still in business two years later. Furthermore, the previously cited University of Minnesota study concluded that 93% of businesses that lost their data center for 10 days or more filed for bankruptcy within one year. Of those businesses filing for bankruptcy, 50% filed immediately.
In the 1997 Vulnerability Index commissioned by Comdisco, 55% of companies reported a business disruption of one hour or more; the median length of all those disruptions was eight hours. Figure 3 depicts the impact of outages of varying lengths.
More and more, emergency preparedness is becoming ingrained in the corporate culture of private industry. The impetus behind this movement is the realization that the ability to make a profit is directly linked to maintaining and increasing the client base.
Another reported statistic indicates that the average company loses 2-3% of its gross sales within eight days of a sustained computer outage. Therefore, private industry is becoming increasingly willing to invest in preparedness planning to ensure that, if the company suffers a significant incident, there will be a disciplined recovery and restoration process to maintain client support. Without this capability, there would be instant erosion of the client base and a corresponding decrease in profits.
Not only do companies face the direct costs associated with a disaster; there are many indirect costs to be considered. These intangible costs include:
Cash flow interruptions
Loss of customers
Loss of competitive edge
Erosion of business image
Loss of market share
Legal or regulatory violations
Loss of investor confidence
Surveys of U.S. companies consistently reveal that an overwhelming majority of senior management believes that it is important to have a disaster recovery plan. Unfortunately, only about 25% of these senior executives admit that their companies actually have one. The most prepared companies seem to be those in the finance, insurance, and real estate industries.
In a study involving 10,000 Infosecurity News subscribers, Bernstein (1997, p.
Figure 3: Decline in Operational Business Activities for the Finance Industry during the Two Weeks Following Complete Data Center Failure.
Most business recovery plans include the following areas:
Mainframe
Telecommunications
LAN
Hotsite contract
Workgroup
Although the study is skewed toward security/disaster recovery professionals, the results indicate that, even among practitioners, only 55% have tested their disaster recovery plans within the last year. If 45% of the practitioners have not recently tested their DRPs, what does that say about those organizations not concerned about protecting their information assets? Comdisco and Sungard, two of the major DR service providers, estimate that, among businesses in general, fewer than 25% have plans.
Safeware, The Insurance Agency, Inc. estimates that, according to reported cases, losses related to computers surged from $1.3 billion in 1992 to $2 billion in 1993, more than half of them being attributed to theft and power surges. Tables 3(a) and (b) present the major causes, number of cases reported, and dollar losses for each cause.
The average company spends approximately $3 to insure every $1,000 of corporate assets, and this cost continues to increase. Insurance companies have become a significant driving force in the development of disaster recovery plans by tying policy renewals and premium amounts to the level of disaster preparedness a company has. One source reports that disaster recovery planning can reduce corporate business interruption insurance premiums by 10 to 20%.
