Survey finds firms have few plans to cope with disaster

By RICHARD PAMATATAU

New Zealand organisations have become complacent since Y2K and are ignoring business continuity and disaster recovery, according to a survey by consultancy KPMG.

Fewer than 35 per cent of the businesses surveyed in a KPMG Asia-Pacific business continuity management benchmarking survey have organisation-wide business continuity plans in place and almost one-third have no plan at all.

The result has shocked Rupert Dodds, KPMG Wellington director of information risk management. He said the report surveyed 200 organisations in the Asia-Pacific region, including 18 in New Zealand.

Doss was unable to say how much the lack of planning might cost New Zealand if disaster struck.

Many organisations thought that the work done for Y2K was enough but four years on information systems and staff had changed, he said.

In some cases staff did not know where or how business continuity plans were to be implemented.

Business continuity management identifies, assesses and manages events that may have a significant impact on an organisation's business operations.

Doss said the report showed that organisations were not doing structured risk assessments and might be speculating about the threats they were spending money on - and possibly leaving themselves exposed to the things that would hurt them.

Organisations were talking about terrorism, which was a real threat, but straightforward hardware or software failure also must be considered, he said.

"Nowadays, systems availability is seen as strategic in industry sectors such as financial services, infrastructure and government, and information, communication and entertainment.

"Loss of systems availability tarnishes an organisation's reputation for customer service and can lead to loss of new and existing customers within minutes."

Dodds said 21 per cent of the survey respondents estimated downtime losses of more than US$50,000 an hour and had a downtime tolerance of seven hours or less.

To minimise potential losses, some organisations were choosing to invest upfront with alternate processing facilities (66 per cent).

Of those with recovery facilities, 34 per cent of these were fully equipped "hot" sites and 42 per cent partially equipped "warm" sites.

The survey also revealed that organisations were failing to test their continuity plans, so money spent on planning and continuity infrastructure, like recovery centres, would not return value if these investments failed to meet the true business needs.

Basil Logan, chairman of New Zealand's Y2K Commission, said work done at the time was comprehensive but organisations had to keep up to date.

It was a matter of managing things and keeping an eye on risk, he said, and that covered everything from computer systems to the CEO being hit by a bus.