Business Continuity Planning: Why Plans Are Not Enough

Corsis Confidence Index Finds Many Executives Fooled By Their Own Business Continuity Plan

How confident are you that your business continuity plan will actually work if your business experiences a technological failure? Do you even have a plan? If you do, are you sure it’s being followed?

Data from the Corsis Confidence IndexTM (CCI), a proprietary technology benchmarking standard that measures confidence in a company’s IT operations, shows that while the majority of technology company executives feel that their business continuity plans are adequate, critical details are being overlooked.

​Corsis has found that the overwhelming majority of companies being assessed operate under the misconception that they are safe from disruption because they are consistently performing nightly backups. Detailed data from the CCI indicates that while 94% of technology companies had documented Business Continuity plans, and 72% of companies included policies on backing up their critical technologies, only 6% of companies had actually bothered to make sure their backups were working properly and would be useful in the event of a failure.

Business continuity, one of the eight technology areas assessed by the CCI, is the area of planning and implementation that is intended to ensure that business critical functions continue to operate uninterrupted in the event of a disaster or disruption. Precautions that companies may take can range from deploying geographically dispersed failover resources to building alternate work sites.
​
For this article’s analysis, we looked 99 technology-enabled companies in the healthcare, ecommerce, data analytics and professional services industries with revenues ranging from $30 million to $100 million. We converted hundreds of data points, or TechIndicatorsTM, into a 1 to 5 scale, where one equates to the lowest level of confidence and five equals the greatest level of confidence. Overall companies evaluated in our study scored a below average 2.5, in the business continuity track, indicating a low level of confidence in their business recovery plans.

Additionally, further analysis of Confidence Scores from the Q1 2016 Corsis Confidence IndexTM found that the following TechIndicators received the lowest scores on average:

• Succession plan exists (1.0). Most companies don’t have a succession plan in place, in the event that a key employee is no longer available. This can leave a company vulnerable and without the resources needed to address critical issues should they arise before staff is replaced.
• Disaster recovery failover tests are regularly conducted (1.53). This is absolutely necessary, and perhaps one of the most important parts of business continuity processes because failover tests actually prove that your failover planning will work in the event of a disaster or disruption.
• Disaster recovery drills are regularly conducted (1.67). These are supervised activities that validate a specific operation or function and help to determine if plans can be executed as designed.
• Failover steps are explicitly defined in the documentation (1.83). Proper documentation of failover steps is most critical during an emergency. Without this information, there will not be a clear plan of action leading to greater downtime and confusion.
• Testing the integrity of backups (1.88). If companies are unaware of whether or not the backups that are relied upon so heavily work, then the entire exercise of backing up data is futile.

In conclusion, while business continuity exists for the majority of companies and most executives are comfortable with their backups, the finer details of business continuity planning are all too frequently disregarded. While IT teams may be stretched and have limited budgets, the cost of not properly planning for an emergency situation can be catastrophic.