“I only believe in statistics that I doctored myself.” Winston Churchill said a lot of things, but despite the rumors, fact checkers don’t believe he really originated this saying. It is actually a common joke in the German language that the Nazi propagandist Goebbels misattributed to the British leader. Another false quote did not really come from Mark Twain: “There are three kinds of lies: lies, damned lies, and statistics.”
Statistical humor notwithstanding, number crunchers of all stripes, as well as their clients, have discovered value in the results of their intricate methods of counting. The Disaster Recovery Journal (DRJ) thought these practices were important enough that they have partnered with the American market research firm Forrester to assess the trends and travails related to areas such as IT resiliency, business continuity planning, risk management, and disaster recovery preparedness.
In the case of the DRJ-Forrester Research partnership, the purpose is to see what truths may unfold from the responses provided by business and IT professionals. These surveys are listed and described on the DRJ website going back to 2008. All these surveys are available for you to download, and you can dig deeper into their findings at your leisure. For this article, we will focus on the last four Forrester surveys:
[Note: There is some discrepancy about which year to use to refer to the studies. The one I call 2014, for instance, seems to have been written in 2013 but published in 2014.]
There are apparent similarities among the surveys through the years, and some seem to be repeats of previous surveys, albeit with slight modifications. Obviously, the data sought by DRJ continues to evolve as the industry evolves, and the experts at Forrester keep tinkering with the questions to extract the relevant information. These surveys are filled with colorful charts and graphs, which we will not include here. Rather, we’ll touch on some of the target areas of the surveys and try to bring out the highlights.
Disaster recovery preparedness is a common theme in several of the surveys, including 2008, 2011, 2014, and 2017. In reality, best practices are actually a common thread in all technical documentation. In asking what businesses are currently doing in terms of preparing for the worst scenario and subsequent recovery, there is a presumption that some practices are better than others. There are plenty of articles and guidelines out there that discuss best DR practices, including this one from Forbes. So what assumptions can we infer from the survey questions?
Companies should provide adequate funding for business continuity (BC) and disaster recovery (DC). The 2015 survey says the business continuity management (BCM) funding had increased since 2011, and that 37% of respondents expected further increases within the following 12 months. In the 2016 survey, the author writes: “New investment is going to automated communication and BC planning software.”
Preparing for disasters requires an up-to-date business impact analysis (BIA) and regular BC and DR testing. The 2017 survey offers the latest update in this regard:
“Most experts will agree that running tests are the best way to ensure preparedness. In the past, survey results have returned disappointing results around organizations’ testing regimens. However, this iteration reveals some good news: 43 percent of organizations are now running a full test once – a slight increase from 39 percent in the prior study.”
Other best practices are evident in the objectives of the various surveys. Do companies have alternate recovery sites? They should. What about the existence of formal business continuity management programs? Are business owners involved in the BCM lifecycle? How good is the documentation? These and other concepts related to best practices are queried among the surveys.
We dealt with this one in a previous article on this blog. The issue is included in both the 2014 and 2017 surveys, as well as other previous ones. According to the 2014 market study, “it’s still the mundane events such as power failures, IT failures, and human error, that top the list of causes”. The chart for the 2014 top causes of downtime puts terrorism, chemical spill, and earthquake at under 1%, while power failure hits a whopping 43%, and IT hardware failure comes in second at 31%. Third place goes to network failure at 16%.
Figure 14 in the 2017 survey is called “Top Causes of Declared Disasters”, and gives results for the question: “What was the cause of your most significant disaster declaration or major business disruption?” The question is the same as for the 2014 study, but the answers seem to be packaged differently:
It’s noteworthy that human error dropped from 5th in a list of 15 causes in the earlier survey, but drops to last in the later one. Did something change? More automation perhaps? Or did the regrouping in #1 (hardware, software, or network) skew the results in terms of comparison? Getting the most out surveys depends both on how they are done and how they are reported.
Since 2017 is basically a repeat of 2014, the question about company confidence in DR solutions is roughly the same. Researchers saw that confidence eroding in 2014:
“Given the longer recovery times, more critical systems, and increased complexity, it’s no surprise that confidence in our DR preparedness has fallen during the past few years. Today, our confidence in our ability to meet recovery objectives is significantly lower than it was in 2010….”
Did that confidence grow within the next four years? Apparently folks are becoming more comfortable with the advancements. Here’s a section heading in the 2017 study: “Firms Turn To Advanced Technologies To Protect The Growing Number Of Critical Systems”. It makes sense that confidence would improve. The industry has seen significant advancements within the last few years in the areas of artificial intelligence (AI), machine learning, and data analytics. Data centers continue to include more data points in their environmental monitoring as well as their infrastructure surveillance. The more this is integrated into robust disaster recovery plans, the more in control tech managers and owners will feel.
One byproduct of a lack of confidence in DR preparedness, however, is the decision not to pull the failover trigger. The 2017 assessment talks about “organizations that likely had major disruptions of one or more systems but opted not to failover – a typical occurrence when many organizations lack confidence on their capabilities”.
“What is driving the need to improve your DR capabilities?” goes the question in Figure 2 of the 2017 survey results. The top three responses are pretty close:
Those results are similar to the 2014 survey. But something jumps out when looking at the 2014 chart. It compares the data with the 2011 results, which put one market driver at 60%: “fiduciary responsibility to stakeholders, employees, customers, etc.” Again, it seems that the answers are grouped differently in similar surveys. But it might be interesting to dig into this one. Were stakeholders exceptionally nervous about the state of disaster recovery back in 2011?
The importance of this topic is obvious in that DRJ and Forrester devoted an entire survey to it. The 2016 survey is called “The State of Enterprise Risk Management”. The objectives of the study covered the roles, responsibilities, and reporting structure of enterprise risk management (ERM), its relationship to business continuity, crisis response, and ERM solutions.
The study found some good news. More companies have formal ERM programs, Risk management objectives are being dealt with higher in their organizational charts. Some firms even have a chief risk officer (CRO). Those dealing with risk are expanding their responsibilities, expanding their ownership of ERM issues. And risk managers are working more closely with business continuity teams.
One of the questions that was asked in the ERM study had to do with documentation. “Do you have documented response plans for the following risk scenarios?” Respondents scored high on data/information tampering at 77%. But other threats, such as rumors, product tampering, or product recalls scored much lower. Perhaps it’s hard to cover everything.
This article includes just a sampling of the insights that Forrester has uncovered for Disaster Recovery Journal. There is much more in these studies than we could possibly cover here. They say that a picture is worth a thousand words, but what about charts and graphs? As you see the numbers lined up in association with particular ideas, they may trigger many more questions.
There’s no doubt that the researchers at Forrester will continue asking penetrating questions and collating their answers into useful reports. And partners like the Disaster Recovery Journal will keep on digging to find the gaps in the industry that need to be addressed. The pace and success rate of these endeavors bear watching. And when a brand new disruptive technology pops on the scene, they will be there to document and learn from it. Whether you believe in all these statistics or not, it’s fair to say that it is well worth your time having a look at the significant work that’s been done.
On an Air Force base in San Antonio, Texas, two men walk into the base exchange. They show their IDs to the clerks, don Halloween masks, and proceed to play the part of terrorists. “This is a drill! We want liberation! This is only a drill!” Airmen shopping in the facility give them funny looks, […]
When designing an IT DRP (Information Technology Disaster Recovery Plan), businesses need to seriously consider the services that they offer internally and externally in order to determine which are the most important to the success of their organization. Rather than taking the approach of “everything must remain online”, which can be extremely costly and oftentimes […]
Many organizations have a business continuity or disaster recovery plan and have even implemented multi-data center redundancy with servers and other critical infrastructure at a separate location to that of their primary site. But the challenge every organization faces is how to easily and seamlessly redirect traffic from one site to another when disaster strikes. […]
After unabashedly extolling the virtues of redundancy in a recent article , you may be wondering why we would follow up with another post questioning whether sometimes too much (redundancy) was just too much. Credit fellow staffers for the suggestion that we revisit the issue. The problem was clearly a part of our initial research, and it deserves […]