Frankly, I don't know why there is ever any resistance to disaster mitigation/recovery in businesses. I realize that this is one of those peculiar areas where a business might see this as a "no-value added" activity and hesitate to expend funds/time/effort, but the irony is that for companies that apply that sort of thinking very broadly, disaster preparedness is almost certainly the one area that will provide the greatest ROI.
Annual seems right to me, but once there is a demonstrated "complete recovery" (whatever that means) it is entirely possible that regular, smaller scope efforts could provide confidence that the plan is still valid.
I've faced a serious struggle convincing my peers to take disaster recovery seriously. Some of the crumbs I've been dropping into the head-space to motivate actions:
1. "If you think someone else has it covered, but don't know what their plan is, it is most likely there is not a plan."
2. "If you think you don't need a plan because we trust in the talent of the people, then it should be trivial to establish a plan."
3. "Disaster planning isn't about guaranteeing that we can immediately recover to the level where we are, it is about raising the floor so that we don't fall as far."
(1) is a common (understandable) attitude among managers, especially ones who feel that "it's not my area of authority". I appeal to such attitudes by saying something like "as a good manager, aren't you capable of recognizing when someone else has control over their own area without simply relying on testimony?"
(2) is by far the most annoying to deal with (IMO), because it walks the line between asking people who may or may not be prepared, but are certainly busy, to take the time to demonstrate their expertise... employees and managers in certain areas (such as IT) may not be used to oversight and often get overly defensive when "outsiders" start asking too many questions. It has been my experience that such folks usually have zero experience with typical quality system audits so I try to calm them by reminding them that this isn't radically different than a regular audit of financial systems (and transactions). I make sure to explain that I don't question their competence, I just want to know that there is an established plan that they are going to follow so that when disaster happens they don't have to be distracted trying to explain what they are doing to "outsiders"... because if they are annoyed with questions when there isn't a disaster in progress, I ask them to imagine how they are going to feel when three different directors and VPs are calling every 10 minutes for an update.
(3) This is supposed to be the explicit recognition that it is impossible to know the exact nature of the disaster. There will be common disasters that can be planned for, but there will be unpredicted ones as well.