A "Pop Quiz" (and not from Al Qaeda this time)

Speaking of disaster recovery (the preferred term, with a nuanced difference, is "business continuity"), how would you stress-test your plans?  Some months ago, I wrote about how the Department of Homeland Security should learn "best practices" for detecting potentially fraudulent/illegitimate activities by studying the data mining and surveillance techniques of the most sophisticated industry in the world engaged in that very pursuit as an essential core competence—Las Vegas casinos.

Here's a similar analogue:  The firm that suffered the greatest per capita losses on 9/11 was Cantor Fitzgerald, tragically (in retrospect) housed primarily on the 100th and 101st floors of the North Tower.  Now, nearly three years to the day later, you might imagine they have gotten religion about data recovery and business continuity.

Indeed they have:  They practice "pop quizzes" of their recovery procedures, including such practices as:

  • never ever "schedule" a drill; when it happens for real, it will be a surprise
  • pick your targets carefully:  to wit, whoever you think is least prepared
  • wait until nights or weekends:  the formal work-week makes up less than 25% of the hours in seven days
  • assume the worst, namely that systems have to be rebuilt from scratch.

Now, does anyone else have such a demanding protocol?  Hardly anyone.  No schedule, full re-starts, and a never-ending sequence of pop quizzes.  Another benefit:  By definition, your business continuity plans will always be current and you won't find yourself, at the worst possible moment, fighting the last war.

http://www.bmacewen.com/blog/archives/2004/09/a_pop_quiz_and.html