According to AMR Research Inc, disaster recovery is a low priority in many companies, owing partly to the fact that it is a very unpleasant task, and partly to the companies’ overconfidence on their IT security. Of course, mistakes are bound to happen and no security measure is completely foolproof. This is exacerbated by the lack of resources devoted to disaster recovery, leaving many companies being more reactive than preventive and vulnerable to downtime or unrecoverable losses as a result of being unprepared once disaster strikes.
According to AMR’s study, there are a number of things overlooked by many IT managers and experts when it comes to disaster recovery planning, such as:
Doing the Proverbial Homework
A large number of IT groups tend to disregard end users and frontline executives when it comes to deciding which enterprise applications should be restored first after a disaster, leading to faulty assumptions that the heavy-duty enterprise applications need to be brought back first.
If these groups kept their ears close to the ground and asked for feedback from the users, they would know that the most needed applications are much more basic – from email to scheduling tools, the kind of small, minor things that the IT department tend to deprioritize but are actually very disruptive to operations if made unavailable. The main culprit here is the reliance on silos in an organization, where the term “mission critical” would have a different meaning depending on the department.
Approaching Disaster Recovery as Purely an IT Issue
On the other hand, there is also a danger in thinking that disaster recovery is a problem that’s entirely the responsibility of the IT department. This line of thinking is the reason why there are many companies with extremely agile and prepared IT workforces that still suffer from major disruptions when disaster strikes – because IT is only part of business continuity. No matter how agile or prepared they are, they still need the rest of the company – particularly the end users to do their part when it comes to disaster recovery.
Being Reactive Instead of Preventive
The problem with many companies is that they approach disaster recovery reactively instead of preventively. They basically plan based on the last crisis they had. One particular example is when the 9-11 attacks on the World Trade Center disrupted many New York-based firms that had no off-site backup facilities, so they spent a lot of money building backup facilities in New Jersey. Of course, a couple of years later the August 2003 blackout occurred, taking out electricity in New Jersey as well. The key thing is not to anticipate future events, because nobody can do that. Instead, a firm must plan for the effects and how to deal with them. The Gap is one good example, as they managed to survive the 9-11 because their servers fail-over to back ups located all over the world, with their NY servers managing to fail-over to ones located in the South.
Relying Too Much on Practice Drills
It is important to do some testing, and to do some drills, but some firms do it clockwork and treat it as some sort of a test that IT workers must pass or else. As a result, IT workers just prepare for the test itself, instead of being honed for the eventual disaster. Remember that when the drill is clockwork and consistent, it only trains people into being prepared for that same drill. The proper approach is to take some time in order to ensure that drills prepare workers for a broad range of situations, and there must be an effort to explain to the workers that the drills are meant to prepare them for future incidents and not meant to assess or test their skills.