Expecting the unexpected would seem to be a maxim of the business world; disaster strikes with little to no warning. Yet a recent survey shows that 75 percent of companies continue to plan for too short of an outage: seven days or less.
Further, most organizations surveyed have little ability to determine if their business continuity management (BCM) plan is even effective, according to a recent Gartner survey. Gartner surveyed more than 900 organizations in six countries, looking at their risk management practices.
Disruptive events are happening more often and with higher impact. According to a Swiss Re analysis of catastrophic events from 1970 to 2013, the number of man-made and natural disasters spiked in 1986, going from less than an average of 100 in the years 1970 through 1985 to an average of 150 from 1986 to 2013, with 2005 being the standout year in which such events totaled 250.
The fact that companies don’t have more robust BCM plans belies real world circumstances: 86 percent of organizations surveyed said they’ve had to use some sort of recovery plan at some point; meanwhile, within the last two years only 14 percent reported that they’ve never had use their BCM plan.
Gartner noted the irony of increasing catastrophic events and short term planning:
With the number of organizations that have had to invoke a recovery plan, and due to the increase in large-scale disasters that result in long-term outages for both businesses and residences, it is surprising that the majority (75%) expect to be out for less than seven days. Only 3% of organizations plan for an outage that might last for one month or more.
Employee count, geographic region or revenue size doesn’t seem to matter when organizations are planning for outages, Gartner said. However, specific industries do offer some insight: Banking (16 percent) has the highest percentage of organizations planning for a one-month outage, followed by wholesale trade (8 percent) and insurance and retail tied with 7 percent.
Most companies (53 percent) rely on internal audits to measure BCM effectiveness, while 42 percent rely on outside audits. “Relying only on audit reports can result in a false sense of security: Passing an audit may imply that you have the basic BCM program building blocks but not necessarily refer to any sense of the program’s effectiveness,” the report says. Audits are an acceptable “double-check” of BCM efforts, the report said, “but the leaders of these programs should be proactive in measuring program activities and communicating them to management to ensure appropriate funding and staffing are allocated to recovery efforts.”
Another 35 percent of survey respondents said they use exercises as a way to assess BCM effectiveness. “Exercise results and the resulting gap analysis showing expectation versus capability are key tools to use to measure and improve the effectiveness of your BCM program,” the report said.