Nearly 80 percent of U.S. companies don’t have sufficient plans and solutions in place to address network outages or system failures that could interrupt the flow of mission-critical business information.

While many enterprises, about 78 percent, reportedly have data backup systems, very few have a plan to access that data if and when a disaster occurs. And, on top of that, 90 percent of companies that are backing up are using tape—a backup technology that has proved inadequate for the rapid-fire, real-time business data scenario.

A wake-up call
The startling statistics were reported in a June survey conducted by SunGard Availability Systems. The survey, which polled 200 U.S. businesses with $5 million or more in annual revenue in a broad range of industries, was conducted by New York research firm David Michaelson & Company, LLC, from April 16 to May 2, 2002. SunGard Availability Services is a division of SunGard, an IT solutions provider for financial institutions as well as information availability systems and services. An information availability self-assessment tool is available on the SunGard Web site.

While past surveys and reports indicate that company executives are aware of the risks of not having disaster planning in place, few companies surveyed have done the required planning, preparation, and testing of backup systems to keep business data available, said SunGard CEO Jim Simmons. “Inaction seems to be the norm, more of the norm than I thought or hoped it would be.”

The inaction, added Simmons, means that companies are exposed to unacceptably high levels of downtime in the event of a 9/11-type or natural disaster. On average, companies surveyed said that it would take 50 hours to replace a failed processor, and four days to set up alternative work space.

In e-commerce environments, and enterprises whose customers require up-to-the-minute information, a matter of hours can be too slow—and potentially costly in terms of lost corporate revenue and corporate reputation damage.

Some have plans, but plans aren’t enough
There is some good news, noted Simmons. The few companies with business continuity plans are less likely to experience any kind of downtime in information availability. And as companies do the diligence required to create a plan, they tend to uncover areas of risk and address many of them during the planning process, he added.

According to the survey, small companies are in worse shape when it comes to disaster preparedness. Thirty-nine percent of small companies—with revenue of $20 million or less—are less likely to have written plans in place. By contrast, 60 percent of those with revenues of $20 million to $99 million, and three out of four (74 percent) with revenues of $100 million, have worked to ensure data protection.

Yet, just having a plan isn’t enough if it hasn’t been tested, and only a few of the surveyed enterprises have done the required testing.

Of those polled, only half of those with a plan had tested it in the past six months. Twenty percent of those with a plan have never conducted testing.

Best practices should be included
The SunGard report indicates that only a handful of companies with plans in place have followed best practices, which should include:

  • Storing applications and data offsite.
  • Having duplicate processors available offsite.
  • Updating the business availability plans regularly.
  • Testing the plan regularly.
  • Planning for staff evacuation.
  • Availability of an alternate network.
  • Planning for a command center.
  • Outsourcing some of the plan to a third party.
  • Having offsite facilities available for displaced workers.

The SunGard survey states that only six in 10 (61 percent) currently have mirroring in place, and even fewer (50 percent) have the required backup processors that could be needed in the event of a system outage. Just one in three have managed Web hosting (37 percent) or hot storage (33 percent), and only 19 percent have provisions for getting displaced workers into alternative facilities.

Uninterrupted access to mission-critical applications, such as e-mail for corporate leaders and board members, is only featured in 68 percent of company plans.

“What’s shockingly clear from this study,” said Simmons, “is that the planning companies do to protect their businesses is almost solely focused on protecting data in the event of disasters, rather than on implementing solutions designed to keep their businesses functioning….If there’s one thing to be learned from the events of the past year, it’s that companies should be asking, ‘What processes do I need to keep my business running?’ rather than ‘How do I protect my information?’”