Too often, organizations let regulators and other stakeholders direct the thrust of business-continuity efforts toward failure of a single IT processing site or component. In the rush to comply, business leaders have lost sight of the other risks they face - the myriad smaller incidents like the one experienced by the global bank. These smaller problems can create big losses when servers shut down or decentralized software fails. A small leak will sink a great ship, to quote Benjamin Franklin.

As a CIO, you can see early warning signs that your organization is ill prepared for disaster recovery by observing any of these conditions:

• The IT organization is more focused on reacting to the most recent interruption than planning for rapid recovery from a major unexpected problem.

• The IT organization plans for and rehearses disaster recovery, but overemphasizes obvious catastrophes like the loss of a building. Most real-world problems are much less spectacular.

• Your key IT staff members are getting closer to retirement. Decades of business and application knowledge will walk out the door as baby boomers retire.

• You're implementing service-oriented architecture (SOA), helping transform monolithic applications into layered composites built from various packages and custom applications, and increasing the likelihood of software bugs cropping up.

New Strategies

When disaster strikes, it doesn't matter what caused the problem. What does matter is how quickly and reliably the problem can be resolved to minimize business damage.

Prevention efforts, including standard backup policies and redundant systems, continue to be important, but they're not enough. To effectively minimize risk, IT leaders must turn their business-continuity efforts toward reliable recovery from the unforeseen.

What's needed now is a strategic emphasis on rapid and well-rehearsed recovery. Fortunately, some companies are pioneering new approaches to smart IT disaster recovery. Working with these companies, Accenture has identified seven critical points common to the new strategies. Each point requires a shift in mindset for IT leaders, but not a major capital investment. Together, they comprise a useful starting point for more detailed business-continuity strategy and action.

1. Discuss business value and business risk. Just as people in general tend to avoid detailed discussions about death, IT people tend to shy away from asking business users what they would lose if specific IT processes became severely compromised. A smart recovery strategy must uncover such specifics, however, in order to adequately allocate resources.

2. Play more war games. Simulations of recovery scenarios (war games) are rarely pushed far enough or fast enough. At the global bank, technologists weren't ready to manage the recovery because they hadn't rehearsed that scenario. The goal of conducting war games, which are relatively low-cost, is rapid resumption of operations with the least impact on customers, revenue, cost and time.

3. Stay in constant "debrief" mode. IT groups should have designated leaders to capture knowledge from failures. They should integrate outside knowledge and third-party perspectives as well. Each time there is a near miss, they should give comprehensive debriefings, dissecting the problems to capture and catalogue key lessons learned.