Businesses unprepared for IT disasters

A third of businesses have no disaster recovery plan in place at all, according to a report produced for AT&T by the Economist Intelligence Unit (EIU), while another third have a disaster recovery plan that has not been tested in the last year — and so can be assumed to be useless.

The survey, of 240 senior executives round the world, released today paints a far gloomier picture than Business Continuity Insitute, which claimed in March that 20 percent of companies had no disaster plan.

The lack of preparedness is even more stunning, given those executives' claim to be prioritising business continuity; even though two-thirds said business continuity was a top priority, two thirds of companies surveyed were not suitably prepared, according to researchers.

Forty-six percent claimed preparing for disaster or disruption had always been that important, while 18 percent said it had become more critical since the terrorist attacks of 11 September, 2001. A not inconsiderable portion (28 percent) had actually had first hand experience of a disaster or severe disruption to their systems.

"Business continuity is securely up there as a board level issue," said Gareth Lofthouse, research director at EIU. His organisation's findings show, however, that despite the board's fine words, business continuity is not being implemented effectively.

The EIU's study was global, but the UK picture may be even worse, said Lofthouse. "The US are a bit more focussed on this issue," he said. "Forty-six percent of US respondents said continuity was a priority, against 25 percent in the UK. It is possible that the British are a bit more measured, and showing reserve about the issue."

The EIU found no clear ideas about who should be responsible for business continuity. "Every man and their dog is in charge," said Lofthouse. "There is no clear single function — and business continuity is often bolted onto someone's full time job."

Nine percent of the companies surveyed had a dedicated business continuity manager, though Lofthouse judges that more than half were large enough to justify such a post. The rest dumped the business continuity function on other people: the CFO (19 percent), the CIO (14 percent) and others including the corporate planning officer and chief risk officer.

Companies that fail to get business continuity in place face a much more certain doom than earthquake, fire or terrorist activity, warned Lofthouse. "Regulations such as Sarbanes-Oxley and Basel 2 require companies to prove that certain processes are protected and recoverable," he warned. "That's more predictable than a tsunami or a 9/11."

Other mundane disasters might include the loss of business with a major customer. Rover's business partners should have had a plan in place, said Lofthouse, as should Marconi, which recently failed to win a BT contract on which it was relying.

The only bright spot is that financial-services companies, who have faced these regulations first, are the most advanced at formalising continuity plans, said Lofthouse.

"The Bank of New York is a good example," he said. "They have invested a lot in business continuity, and created a sophisticated strategy. They are doing testing and pursuing geographical diversity." The Bank had to evacuate 8,000 people after 9/11, he explained, and get their processes back immediately. "They've vowed never again to have this concentration of resources in one centre."