Network World reports: "Nearly two years after the Sept. 11 attacks, many organizations remain woefully unprepared to quickly recover their IT systems and key business processes in the event of a disaster."
For those enterprises that haven't yet gotten a reasonable and workable DR plan in place, this article has a nice 'jump point' checklist to get the wheels turning. Like a security policy, a DR plan is often one of the hardest things to get right in the total security picture.
One of the reasons? They ain't easy. The checklist here is good and mentions a test plan, but my recommendation is to execute on it regularly. Test and re-test, once a week if that's possible. Even the best-laid DR plans can go awry if one of the critical components, say a backup server or tape drive, goes out. So get the plan in place, and then test it. Do a dry-run recovery to make sure it's working as expected.
Another point to add to your checklist: cost/benefit analysis. Security people get a bit tiresome repeating this, but it's a major success factor or stumbling block. Don't spend more to secure less. You wouldn't cover a $20,000 car with a $50,000 insurance policy, in large part because the auto insurance companies wouldn't allow it. While ascertaining the asset values of systems and the cost of employee downtime, lost data, etc. is a lot squishier than getting a Blue Book reading on vehicle value, it has to be done.
There are some great resources out there to help with the risk analysis side of any security planning, including DR. A few are listed below to help get you started.
Danger money: The challenge of risk management
NIST's Risk Management Guidance for IT Systems
The USDA's Capital Planning and Investment Control Guide