One of the most significant events involving lost data since the beginning of the information technology age was the result of the terrorist attacks on Sept.11, 2001. Of the 131 technology sites affected, only two performed a successful “failover” to a redundant system. Of the 129 sites that failed, 70% of data was recovered after 120 hours, but 30% was lost forever. This means $3.1 billion worth of technology did not work as expected.¹

Why weren’t these organizations’disaster recovery efforts more successful? First, the event was beyond the scope of most existing disaster recovery plans. No one expected to have to plan for such an occurrence. Second, the complexity of the IT environments made testing and verification impractical if not impossible—the systems were multi-vendor environments consisting of heterogeneous interdependent applications (no universal view of data), unknown application software dependencies, and vendor and product-specific scripting (only 5% of scripts ran cleanly during the actual outage¹). There was also a lack of process automation—a reliance on manual intervention and no enterprise-wide best practices.

As a result, for many companies the big technology issue became “how to rebuild”, not “how to recover.”

Unfortunately, this challenge is not unique to this event, and could impact virtually any company. Why?  A disaster recovery plan is geared to taking action when a disaster occurs. A business continuity plan (BCP), on the other hand, includes IT processes with built-in contingencies that prevent a severe business interruption despite a disaster, whether caused by a 9/11 attack, a Hurricane Katrina or a security breach caused by a teenaged hacker.

Risks to a BCP

Of course, developing a BCP is not without challenges. Even for those with a BCP in place, there are problems. According to a Sun Microsystems survey of 1,500 enterprise customers, most organizations may be a single event away from failure:

• 42% of managers believe their Business continuity plans are ineffective
• 92% of companies fail to update their configuration and policies following upgrades and changes to their system
• 62% of firms do not test recovery plans within a 12-month frequency
• 81% of firms do not have reliable compliance audit and control for their business continuity plan processes  

¹  Source: Center for Research on the Epidemiology of Disasters; SunGard; U.S. FEMA