The Business Continuity Planning Process

The Business Continuity Planning Process by Mary Ainsworth. Copyright 2009, Faulkner Information Services. All Rights Reserved. Docid: 00017609

Publication Date: 0902 Publication Type: TUTORIAL

Business continuity planning allows organizations to prepare a strategic response to a disaster. Plans ensure that organizations can bring IT systems, people, and key business processes back into operation in spite of business disruptions. Recent events such as tsunamis, hurricanes, and terrorist attacks emphasize the need for planning, but compliance with legislation/regulation and pandemic flu concerns are additional issues to consider. Today, most organizations realize that business continuity planning is mandatory, whether for internal controls or to meet regulatory requirements.

Report Contents:
● Executive Summary
● Description
● Current View
● Outlook
● Recommendations
● References
● Web Links

Executive Summary

Effective Business Continuity Planning (BCP) allows an organization to maintain and recover critical business processes when operations have been disrupted unexpectedly. The goal of the BCP process is to develop plans that support timely restoration of key functions and capabilities to keep the business running. Disruptions can be caused by a variety of internal or external events. BCP planners must address the business impact of internal changes such as losing key personnel, business partners, and outsourced service providers. External disruptions can include storms, terror attacks, power outages, and cyber attacks--with the threat of a worldwide pandemic adding a new planning dimension.

Without effective plans, losses from any disaster can be catastrophic. Hurricane Katrina and other disruptions have caused many organizations to lose from US$100,000 to over US$1 million per day, and others to go out of business. These figures show that disasters can seriously threaten the financial health of an organization along with its integrity--a reality recognized by a majority of management. The AT&T 2008 U.S. Business Continuity Survey reports that 71 percent of responding IT executives rated BCP as a priority.

Although no level of preparedness can totally eliminate risk, an organization needs to consciously choose its commitment to preparedness by developing and maintaining an integrated, enterprise-level business continuity planning framework. This framework coordinates risk management, disaster preparedness, emergency response management, disaster recovery, and business continuity activities across the entire organization. While coordinating these efforts, organizations should also take an enterprise view of meeting regulatory compliance, since many laws and regulations share the same core requirements. Legislation and regulations can apply to all organizations or be specific to the type of business, such as retail, healthcare, and government. The enterprise approach prevents duplication of effort while producing consistent responses. Enterprise-wide standards and policies were pivotal to global financial organizations surviving major risk events.

The threat of a worldwide pandemic has added a new level to BCP. Planning for employee absences of nearly 40 percent for periods of weeks and months raises the bar. Pandemic response guidelines recommend that employees work at home, although it is unclear whether employees will have access to what they need to perform their work there. Planners must also deal with the potential infrastructure concerns that teleworking presents. With "social distancing" such a key component of pandemic planning, are organizations capable of handling telework? A survey finds that most organizations don't offer employees the option to work from home--with the exception of the U.S. federal government. The US government leads other organizations in offering the option, but some of its teleworking programs are lagging due to management issues. Although planning for the avian flu seems overwhelming, some US organizations overcame the odds to effectively withstand and recover from the catastrophic wrath of Hurricanes Katrina and Rita. These organizations' survival strategies offer guidelines for other planners.

Description

The Business Continuity Planning (BCP) process prepares an organization to effectively deal with potential disasters or disruptive events. A well-crafted plan can both help to minimize an event's negative effects on the business and restore its operations in an orderly fashion. Since no disaster is predictable, the goal is to see that the response is as predictable as possible. Plans should be designed to deal with a variety of disruptions, from winter storm-related employee absences, to computer viruses that shut down systems and networks, to area-wide power outages that prevent normal operations from occurring for hours or days, to overwhelming natural disasters such as hurricanes and earthquakes, to devastating terrorist attacks. Other possible disruptions include the loss of key personnel, business partners, or outsourced service providers, along with the potential for a worldwide avian flu pandemic.

As part of the BC process, planners consider the probability of these events happening and the potential impact on critical functions if they do; planners must also see that the organization meets its regulatory requirements. Plans must include appropriate remedies or recovery procedures that are practical, cost-effective, and, ultimately, business-saving. The BCP process can only be effective, however, if top management supports it, and this support is often lacking. Why? Because BCP does not immediately benefit the bottom line. For BCP to be most effective, its plans should cover the recovery needs of the entire business enterprise, not just individual departments--BCP should be part of the overall business plan itself, not a separate entity.

The following are critical aspects of effective business continuity planning:

■ Business continuity planning should be conducted on an enterprise-wide basis.

■ A thorough business impact analysis and risk assessment are the foundations of an effective business continuity plan.

■ Business continuity planning is more than the recovery of the technology; it is the recovery of the business.

■ The effectiveness of a BCP can only be validated through thorough testing.

■ The BCP and test results should be subjected to independent audit.

■ A BCP should be periodically updated to reflect and respond to changes in the organization and the threats that surround it.

Today, business continuity planning generally proceeds in three phases:

■ Phase 1--Conducting a business impact analysis (BIA). The purpose of a BIA is to identify a company's critical business functions and the risks associated with each function.

■ Phase 2--Conducting a risk assessment. This assessment should include a prioritization of potential business disruptions based upon severity and likelihood of occurrence, a gap analysis comparing the organization's existing BCP to realistic recovery time and objectives, and an analysis of threats based upon the impact on the organization and its customers, not just the nature of the threat. The assessment should ensure that regulatory compliance is met and that awareness training is supported.

■ Phase 3--Developing alternate operating, or recovery, procedures. These procedures are invoked in the event that a disaster renders the primary, or normal, procedures unusable or ineffective.
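The following is an added example, not code from the Faulkner report, showing how the output of Phase 1 and Phase 2 can be recorded as a small risk register: each disruption to a critical function is scored by severity times likelihood, the register is ranked so the highest-risk disruptions are addressed first, and a gap analysis flags every function whose existing recovery capability misses the recovery time objective (RTO). The 1..5 scales, the field names and the sample disruptions are assumptions chosen for illustration.

```python
"""Risk register for a BIA / risk assessment (added example; the scales,
field names and sample entries are illustrative assumptions)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Disruption:
    function: str                  # critical business function affected
    threat: str                    # e.g. power outage, pandemic absenteeism
    severity: int                  # 1 (minor) .. 5 (catastrophic) impact on the function
    likelihood: int                # 1 (rare) .. 5 (almost certain)
    rto_hours: float               # recovery time objective the business requires
    current_recovery_hours: float  # what the existing plan actually achieves


def risk_score(d: Disruption) -> int:
    """Severity x likelihood, the usual qualitative risk-matrix score (1..25)."""
    for v in (d.severity, d.likelihood):
        if not 1 <= v <= 5:
            raise ValueError("severity and likelihood must be on the 1..5 scale")
    return d.severity * d.likelihood


def prioritize(register):
    """Rank disruptions highest risk first; ties are broken by severity so
    high-impact, rarer events are not pushed below frequent nuisances."""
    return sorted(register, key=lambda d: (risk_score(d), d.severity), reverse=True)


def rto_gaps(register):
    """Gap analysis: disruptions where the existing plan cannot meet the RTO."""
    return [d for d in register if d.current_recovery_hours > d.rto_hours]


# Constructed sample register (hypothetical values, not data from the report).
SAMPLE_REGISTER = [
    Disruption("card payment processing", "area-wide power outage", 5, 3, 4, 2),
    Disruption("card payment processing", "pandemic absenteeism", 3, 2, 24, 72),
    Disruption("payroll", "winter storm absences", 2, 4, 48, 24),
    Disruption("order entry system", "malware outbreak", 4, 3, 8, 36),
]


if __name__ == "__main__":
    print("Prioritized disruptions (score, function, threat):")
    for d in prioritize(SAMPLE_REGISTER):
        print(f"  {risk_score(d):2d}  {d.function:25s} {d.threat}")
    print("RTO gaps the plan must close:")
    for d in rto_gaps(SAMPLE_REGISTER):
        print(f"  {d.function} / {d.threat}: RTO {d.rto_hours}h, "
              f"plan delivers {d.current_recovery_hours}h")
```

Note that the two outputs answer different questions: the ranking says where to spend planning effort, while the gap list says which functions would already miss their RTO today, which is the input to Phase 3 regardless of how likely the threat is.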

Periodic reviews and revisions are critical. Organizations need to regularly evaluate their overall business landscape, and as their business opportunities, processes, threats and vulnerabilities change, BCPs must be updated to reflect the changes.

Sometimes referred to as disaster recovery plans, business continuity plans provide for the uninterrupted operation--or rapid recovery--of a firm's critical business functions in the event of a disaster. A disaster implies any event, circumstance, or situation that impedes the delivery--or is expected to impede the delivery--of one or more critical business functions for a significant period of time. Significant is a relative term, since some functions tolerate disasters better than others. In an IT environment, for example, online applications are more sensitive to disasters than batch systems. Disasters can be natural, like floods or fires; technological, like hardware or software failures; medical or biological, like widespread diseases or pandemics such as influenza; and, most disturbingly, man-made, like sabotage, extortion, cyber attacks, or acts of terrorism.

A critical business function is any activity that, if delayed or eliminated, could result in serious or irreparable harm to an organization in terms of:

■ Lost revenue.

■ Lost customers.

■ Increased operating costs.

■ Diminished market value.

■ Tarnished reputation.

In general, a function is deemed critical if it:

■ Affects a high-profile client.

■ Generates significant income (or savings).

■ Satisfies a legal or regulatory requirement.

■ Provides vital services.

■ Protects the safety of the general public.

While a disaster is debilitating to an organization in terms of its physical effects (e.g., lost facilities), a more devastating consequence is confusion, often chaos. Without a formal, written plan for recovering--hopefully continuing--critical business functions in the wake of a disaster, a company has little hope for survival. For some companies, the financial toll from a disruptive event can be astronomic, with dollar losses per day ranging from under US$100,000 to over US$1 million. While adequate insurance coverage can be a tempting alternative to adequate planning, most significant risks cannot be covered by insurance policies alone. An insurance policy, however, can be a useful tool within a BCP. A number of policy options are available, including coverage of lost revenues following a disruption, computer hardware replacement, extra expense coverage, and valuable paper and records coverage. Since a BCP is designed to reduce risks, its existence could mitigate some concerns of the underwriters. Organizations, as well as their stakeholders, must be protected by an effective and actionable BCP that prepares them for possible events.

The objectives of a good business continuity plan include:

■ Guaranteeing the safety and well-being of company employees, customers, and business partners.

■ Coordinating the activities of recovery personnel, thereby avoiding confusion and duplication of effort.

■ Recovering critical business functions.

■ Limiting the effects of a disaster.

■ Mitigating any financial losses or legal liabilities.

■ Minimizing the direct and indirect costs or losses associated with recovery operations.

■ Guaranteeing regulatory compliance.

Because today's organizations are so IT-centric, IT can never be overlooked in the development of BC planning. From the small corner restaurant that depends upon IT and telecommunications infrastructures for its credit card or point-of-sale system, to large organizations with mission-critical global systems, IT is a key component of BCP. Some large organizations may support a dual-data center environment; if so, the recovery plan may state that if one data center has been compromised, all critical applications will run on the surviving data center's systems. In mixed platform environments, the plan may need to address a potpourri of hardware and software, such as:

■ Mainframe Systems--Mainframes have become central to many businesses, providing 24/7 access for large numbers of users, both inside and outside the organization. In addition, today's mainframes are capable of creating their own complex environments, running multiple virtual machines, versions of operating systems, and application types. This diversity and the need for 24/7 availability present challenges for BC planners. In addition, recovery at the time of disaster often requires people with extensive skills in networking, environmental conditioning, and systems support.

■ Midrange Systems--The criticality of midrange systems is often underestimated. These systems share the same list of potential recovery strategies as mainframes. Shippable and transportable recovery alternatives may be feasible. Cold site and repair-or-replacement recovery time frames can be much shorter for midrange systems (e.g., days instead of weeks), because many systems do not require extensive facility conditioning.

■ Desktop Computers and LANs--Planning is difficult if there is an absence of standardized backup devices. If systems are old or outdated, it is frequently difficult to acquire older, compatible technology at the time of a disaster. As the occasion warrants, use current, commercial, vendor-shippable desktops, laptops, or LANs.

■ Client Server--Highly customized system configurations are frequently not stocked in quantity by local computer suppliers, and replacement in transportation-burdened locales can be quite difficult. Internal reciprocal and redundant options can be used for the file servers.

■ LANs/WANs--Some network components can be workhorses; therefore, technological obsolescence must be considered in any long-term LAN recovery strategy. Additionally, special network wiring facilities make planning for relocation difficult. In a regional disaster, the safest alternative is using replacement desktops that can easily be above-ground wired or used wirelessly, provided there is electric current to drive a hub. It is also important that plans include different physical routes for facilities and networks; if the same routes are planned for recovery--and fail--redundancy will be lost. Lack of industry-standard communications hardware is a problem in local and wide area network recovery, making rapid replacement at the time of the disaster risky. If necessary, stockpiling redundant equipment is helpful, but pre-planning and industry-standard configurations are best. Wide-scale business recovery for WANs, while attainable via mobile satellite trucks and other strategies, is still in its infancy and primarily a network planning issue.

■ Network Recovery--Network recovery strategies should address all technology and facilities required to re-establish connectivity. This includes person-to-person, person-to-computer, and computer-to-computer connections.

■ Access to Communications--A disaster may affect the communications infrastructure outside the facility. Two possible recovery strategies can be used: relocating to an alternate facility in which the infrastructure is in place, or reconnecting to the surviving infrastructure through alternative facilities.

The function of business continuity planning is not to re-establish the status quo. Even in the case of critical business functions, some level of reduced performance can be expected. The goal is to buy time to ensure that the business survives until a more normal operating environment can be restored. To buy this time, however, it is critical to periodically review and test the effectiveness of the BCP document. Finding shortcomings during a test allows time to make changes and adapt the plan before--not during--an actual disaster. According to SunGard, it is important to "Test the way you recover and recover the way you test."

Current View

While IT executives are generally supportive of business continuity planning, some holdouts remain. In AT&T's 2008 U.S. Business Continuity Survey, "business continuity planning was seen as a priority by seven out of ten (71%) IT executives. Four out of ten (43%) indicated it had always been a priority for their business, and more than a quarter (28%) indicated it has become a priority in recent years because of heightened awareness of natural disasters, security and terrorist threats. That positive finding is somewhat offset by the fact that three out of ten (28%) said business continuity planning was 'not a priority.'

"While eight out of ten (80%) executives indicated their companies had a business continuity plan, one-fifth (18%) said they did not. This finding is proportional to the size of the enterprise. As company size increases, so does the likelihood that companies will have a plan (88% of those with 500 or more employees compared to 78% of those with 100 to 499 employees and 75% of those with fewer than 100 employees).

"The survey also found that companies are more diligent about updating their plans than they are about testing them. A majority (59%) of companies have had their plans updated in the past 12 months, but fewer (46%) have had the plans fully tested during the same time period." [1]

Business Continuity Planning Resources

The most critical tool for developing sound BCP policy is support from top management through organizational policies and funding. With that support, a variety of resources are available to help an organization implement its business continuity plan. The plan, however, must meet not only the requirements of a specific organization; it must also comply with applicable laws and regulations. A discussion of some BCP resources and legislation/regulations follows.

Benchmarking. Online benchmarking solutions are available that allow organizations to compare their BCPs to peers and competitors. Participants receive monthly or quarterly reports on industry segments; reports can be used to determine the effectiveness of BC plans and to establish a baseline.

BCP Software. Traditionally, BCP software tools cover both disaster prevention and recovery solutions. Most provide the capability of performing "what if" scenarios, essential for any organization's BCP guidelines. Organizations use the software in a number of ways, including:

■ Managing and updating business continuity plans.

■ Managing and coordinating a crisis management response.

■ Training personnel.

■ Evaluating the adequacy of existing capabilities.

Any viable software solution should support the identification and documentation of an organization's relationships. Comprehensive business continuity planning software suites allow an organization to map out and understand complex, many-to-many relationships such as applications to technology, technology to locations, business processes to applications, and business processes to locations. Planning for information availability requires that an organization understand how all components of its infrastructure work together and which are dependent upon each other. This demands that organizations not only understand their technology and systems, but also can identify which business processes rely on which applications and platforms. Some organizations use packages from software providers, while others develop their own in-house BCP software solutions.

Electronic Vaulting. This business recovery strategy can decrease loss of data and shorten recovery windows. Commercial disaster recovery vendors provide both remote transaction journaling and database shadowing services. The business impact analysis process helps determine when this strategy is justified.

Hot Site Recovery. Hot site recovery solutions provide guaranteed offsite access to standby computer hardware and redundant communication networks. This allows organizations to recover quickly in the event of an outage. Some can also provide temporary workspaces, which include work areas, computers and phones for each employee, power and telephone connectivity (including both analog and VoIP access), and LANs/WANs with full Internet access. Additionally, some hot sites can operate as standby operations centers providing a mirror of an organization's complete, pre-configured central and critical computer systems, with exact network access and power conditioning.

Cold Site Recovery. A cold site is a computer-ready physical location that can be used as a backup. Since no computers or infrastructure are located at the cold site, it is much less expensive than a hot site. In the event of a disaster, however, it may be difficult and expensive to obtain the needed technology to install and operate at the cold site.

Mobile Recovery. Mobile recovery solutions can provide fully operational facilities that help organizations resume business operations within one hour of their arrival. For organizations that may need to immediately recover and return to contingency operations with a full staff, they provide a viable and immediate solution. Mobile recovery centers can offer up to 14,000 square feet of work space that can include mid-range, distributed systems, server and desktop environments, voice and data communications, terminals, printers, and climate support. Many mobile recovery centers are custom-designed and equipped with the exact system configurations needed for each individual organization's recovery. Typically, each contains the basic equipment needed to resume operations, including computer hardware; a mobile generator; full voice and data communications access; peripheral equipment such as terminals and printers; climate control; employee amenities such as a kitchen, restrooms, and audio-visual equipment; seating for 10 to 50 or more employees; full lighting; circuit breaker protection; and physical security.

Legislation/Regulations

Not all BC planning is internally driven for business recovery purposes; legislation or industry regulation also drives many BC planning initiatives. Regulatory compliance was ranked as management's second highest priority in the 2007 Global Security Survey from Deloitte and Touche. (Disaster recovery/business continuity followed closely behind as the number five priority.) Some relevant U.S. laws and regulations follow.

Financial Organizations. Rules 3510 and 3520 for NASD and Rule 446 for NYSE address BCP. These rules require member firms and their organizations to have written business continuity plans and listings of emergency contacts that are maintained, reviewed, and updated. Plans should reasonably allow an organization to continue business if there is a significant disruptive event. Since 1983, banks have also been federally mandated to have business continuity plans. All financial institutions must consider privacy regulations when developing BCPs. The Gramm-Leach-Bliley Act requires these institutions to have written plans to protect the privacy of customer information.

Medical/Health. Business continuity plans are federally mandated for health services and covered entities (CEs). In addition, BCPs must comply with the patient privacy protections detailed in the Health Insurance Portability & Accountability Act (HIPAA).

Public Companies. Section 404 of the Sarbanes-Oxley Act requires that organizations publish and enforce rules that implement internal controls on financial data; the rules hold senior management accountable. Requirements of the Sarbanes-Oxley Act, along with the Foreign Corrupt Practices Act (FCPA), should be considered when developing a BCP. The FCPA also holds senior management accountable for mismanagement of corporate assets.

All Organizations. IRS Procedure 86-19 requires that computer records containing tax data have backups and be recoverable. In addition, the Federal Information Security Management Act (FISMA) and the Federal Rules of Civil Procedure (FRCP) have imposed regulations on archiving email. FISMA also requires tracking of the contents of all outgoing email. FRCP amendments mandate that organizations that could potentially be involved in a lawsuit be prepared for electronic discovery. The amendments add that failure to provide timely discovery could result in losing a case.

Federal Government. The 2004 Continuity of Operations planning (COOP) guidelines from DHS and FEMA are central to BCP for federal government agencies. COOP guidelines stress resumption of key processes within a small window of time. In 2006, FEMA expanded the COOP guidelines in a memo that discusses planning for a pandemic. To address fiscal responsibility, the Office of Management and Budget (OMB) updated Circular A-123; the new version holds senior management within the federal government accountable for the effectiveness of internal financial controls. Requirements within the OMB document are similar to those in Section 404 of the Sarbanes-Oxley Act. In late 2007, GAO released the results of Forward Challenge, a 2006 test of COOP plans and exercises. GAO found that the eight participating agencies were unable to substantiate many of the tests and activities that were performed. Why? Because agencies were unclear about how to document tests and results, so there was insufficient documentation to substantiate activities. As a result, GAO recommended that FEMA require participating agencies to document the specific tests and activities that are conducted in future COOP tests.

Merchants. Many merchants now face compliance with the Payment Card Industry (PCI) Data Security Standard (DSS), a global standard that provides security for credit card transactions. The standard was developed by the Payment Card Industry Security Standards Council, a council formed by representatives from major credit card companies. To reach compliance, merchants must be audited by trained professionals who are certified by the PCI Security Standards Council. Failure to comply can result in stiff contractual penalties or sanctions from members of the payment card industry.

Outlook

Organizations will continue to grow their boundaries in a trend that increases risk. The expanded organization includes global offices and offsite employees, as well as business partners, suppliers, and customers. All must be considered in business continuity planning. However, management support for BCP remains mixed even as threats to organizations become more complex. Concurrently, requirements for regulatory compliance and a potential pandemic add increasing layers to the BCP process.

Surveys find that business continuity planning remains a high priority with management: disaster recovery/business continuity rated fifth of the top five security priorities in the 2007 Global Security Survey from Deloitte and Touche. BCP received similarly high priority ratings in other surveys. Conversely, surveys also reveal that although management recognizes the need, funding for BCP has a much lower priority. Results show that the driving force for most funding is compliance with regulations; but peripherally, achieving compliance could require assigning some compliance funds to the development or strengthening of business continuity plans.

In the wake of the terrorist and hurricane disasters of this new century, organizations see the need for business continuity planning--but not all are prepared for the worst. Just months after Hurricane Katrina hit the US, JPMorgan Chase polled attendees at a conference of the Association of Financial Planners (AFP) and found that only 37 percent rated their organizations well-prepared for a Katrina-like storm. When asked if organizations planned to test their BCPs as a result of the hurricanes, 50 percent answered that there were no plans to test. This response is alarming considering the overwhelming business losses caused by Katrina. According to a report by the International Economic Development Council (IEDC), over 80,000 businesses were impacted by Katrina; one-quarter of the collective business community were displaced, disrupted, or at significant risk of loss. An estimated $200 billion in losses has been calculated. Katrina was a large regional disaster, devastating organizations as it caused:

■ Destruction of facilities.

■ Disrupted communications.

■ Lack of power.

■ Lack of mail service.

■ Lack of transportation.

A potential worldwide catastrophic pandemic looms that has taken the BCP process to a whole new level. According to the World Health Organization (WHO), employers could expect from 25 percent to 40 percent absenteeism for several weeks during a pandemic, with multiple waves of infection lasting for two to three months. This human resources challenge is just one of many facing pandemic BCP planners; other challenges include:

■ Curtailed transportation, limiting shipments of business-critical supplies.

■ Government-ordered staff reductions at some locations.

■ Infrastructure disruptions, both domestically and internationally.

■ Limited services from sub-contractors and partners due to reduced human resources.

■ Government control of critically needed supplies and professionals for pandemic response.

■ Reduced need for business products/services as customers are affected by the pandemic.

■ Quarantines imposed by local, national, or international policies.

To address a potential pandemic, Harvard Business School conducted a conference called "Business Preparedness for a Pandemic." Attendees included 200 corporate and government leaders. One of the key themes focused on having an effective plan that includes well-defined HR policies and "triggers" for action. In response to concerns about avian flu, both OSHA and FEMA have prepared guidelines. OSHA provides employers with a handbook called "Guidance on Preparing Workplaces for an Influenza Pandemic." In addition, its website includes a checklist titled "How to Maintain Operations During a Pandemic." In 2006, FEMA released a BCP memo for federal agencies called "COOP Pandemic Influenza." For the business community, the federal government prepared a "Business Pandemic Influenza Checklist" that can be found at

Many pandemic guidelines focus on "social distancing," allowing employees to work from home rather than in a central workplace. If employees are to work from home, the vision of BCP planners must extend beyond traditional BCP. To support telework, an organization must be able to manage a remote workforce and maintain strong network capabilities. Both of these are major issues, best resolved early in the BCP process. BC planning that is based on an "at home" workforce, however, assumes that the employees will have sufficient power, water, and food where they live. All of these assumptions are beyond the planners' control. In spite of these issues, planners must deal with telework. In 2007, technology provider CDW Corporation conducted a U.S. national telework survey to determine the percentage of employees with options to telework. Results showed that 44 percent of government respondents have the option to telework, up 6 percent from the previous year's survey. The survey also found that the private sector lags behind, with telework options available to only 15 percent of respondents. In spite of the government's support for teleworking, the OPM finds that the number of teleworkers is decreasing due to problems in tracking teleworkers and security concerns, issues that need consideration during BC planning.

To address emergencies that don't require social distancing, some organizations have arranged for remote employees to use alternate sites; sites include community meeting places such as schools, churches, and American Legion buildings.

The network and Internet play major roles in most organizations and take an even more important role in teleworking. Adequate bandwidth is necessary to support increased numbers of remote users. The network itself, however, is subject to many vulnerabilities; surveys find that virus attacks are a major management concern. To protect the network, planners need to know how suspected intrusions are handled, and develop a planned response for the case in which critical information has been compromised. BCP for virus attacks requires the combined efforts of an organization's BCP planners and information security professionals in an enterprise approach.

Recommendations [return to top of this report]

To address a potential bird flu pandemic, guidelines from OSHA and FEMA include plans that protect human resources. Organizations found that both human and physical resources were severely tested during Hurricanes Katrina and Rita; in spite of the hurricanes, however, some organizations did survive and have stories to tell. Their disaster-tested plans for business survival give guidance to other BCP planners. Some organizations do not want to wait for a disaster to see if their plans work, so they regularly schedule BCP tests. Their test results provide additional useful insights. In spite of the reality of recent disasters, BCP does not have full organizational support. Therefore, it becomes useful to explore some real-world, i.e., non-disaster-related, benefits of BC planning. Management support for the BCP process could be strengthened by aligning it with Business Process Re-engineering and regulatory compliance. In many cases, planners need to protect the global enterprise, and most need to adapt to other changes within evolving organizations. Planning should consider unpredictable disruptions as well as those that are highly likely.

Protect Human Resources. Business continuity planning affects more than physical resources; it affects human resources as well. With the disruption caused to employees' lives by recent hurricanes and the potential for a bird flu pandemic, planners should determine and document the most critical activities and policies that employees need to know to protect themselves and the business during a crisis event. Plans should consider applicable OSHA and FEMA recommendations. Not only documentation but also employee training is critical to the success of the plan.

Survive Disaster. Effective business continuity planning helped several organizations survive Hurricanes Katrina and Rita; their experiences provide valuable feedback to planners. Prior to the hurricanes these organizations had:

■ Established and regularly tested recovery sites (before the storms hit, the plan was pre-activated and people at the site were empowered to act on the organization's behalf).

■ Cross-trained employees to perform business-critical functions.

■ Established nationwide toll-free numbers and a Web site for BC purposes, and alerted customers and employees to check the organization's Web site for updated information.

■ Used the company's fully functional branch offices outside the disaster area as backup sites, forwarded phones to branches, and used branches as temporary sites for evacuated employees.

During the storms, organizations found the following helpful for communications:

■ Text messaging, which proved more reliable than cell phones or landlines.

■ Cell phones with area codes outside the affected regions.

■ Preloaded laptops with wireless cards.

Test for Success. Successful business recovery after a disaster is the ultimate BCP test. Organizations that survived the hurricanes report that testing plans before the storms made a significant difference. Many organizations regularly test their plans to find problems before a real emergency. The following sampling of BCP test results was reported by various businesses and provides further insights for planners. Testing uncovered:

■ Communications connectivity problems: incorrect IP addresses, firewall configuration, portal connectivity, concerns about the reliability of legacy connections during a disruptive event, and connectivity to infrequently used backup locations.

■ Errors in and misinterpretations of the plans.

■ Lack of plans for laptops, which could easily be damaged or lost.

■ Lack of plans for alternative workplaces for employees.

■ The need to include each team member in creating the recovery/restoration plan.

■ The need to document specific test exercise programs and activities.

■ During an emergency, the need to move from the current organizational structure to command and control.

■ During an emergency, the need for leadership to shift from the local site executive to the functional level most familiar with the site and the effort.

Re-Engineer the Business Enterprise. One of the earliest steps in developing a BCP is to identify a company's critical business functions. This process involves interviewing managers and employees to determine which functions are vital and which are not. It also involves dissecting these critical functions to determine how they are performed and what resources they require. If all this sounds familiar, it should: these are also the beginning elements of business re-engineering. In fact, the business continuity planning process can be leveraged to initiate a simultaneous business re-engineering effort, thereby providing an enterprise approach and doubling an organization's return on investment. An enterprise approach will also help an organization deal with regulatory compliance, an issue that has management's attention and support. Among the burgeoning number of laws and regulations, many have similar core requirements. An organization that looks at the overall compliance picture does not divide the regulations among separate functional areas. Instead, it reviews all regulations affecting the enterprise and avoids duplicate effort. This broad approach to compliance also eliminates inconsistent responses and provides an excellent platform for enterprise BCP.

Think Global Enterprise. The enterprise approach becomes even more critical during global expansion. As organizations cross international borders, exposure to business interruptions increases. Exposures can be caused by several factors, including political interference, war, environmental/health issues, legal/compliance issues, and terror attacks. In 2007, IBM and the Wharton School completed a study that analyzed how 79 global financial organizations handled risk. Results showed that in the past three years, 62 percent of the organizations had experienced a major risk event; when an event did occur, 42 percent were ill-prepared. The best-prepared were integrated financial organizations that had instituted globally mandated, enterprise-wide standards and common standard processes throughout their organizations.

Adapt to Change. When important changes take place in the organization, it is time to review and update business continuity plans. Triggering events include changes to key personnel, the opening of new locations, changes to network and IT configurations, and mergers/acquisitions.

Prepare for the Unpredictable. Many guidelines for pandemic preparedness stress "social distancing," allowing employees to work from home. In fact, having "at-home" employees may be an effective recovery strategy for other disruptions as well. Before moving part of the office to the home, determine which functions could be performed offsite and what technical support would be needed. Issues such as supervision, human resources concerns, and others unique to an organization would also have to be considered. Establishing a telework program prior to an emergency allows a smoother transition during a pandemic or any other disruptive event. The website recommends that organizations work with community planners to integrate pandemic plans. The guidelines add that working with local and state planners is especially important for organizations that are part of the "nation's critical infrastructure or key resources."

Prepare for the Predictable. While the ultimate value of a BCP is to safeguard a company against a disaster such as a fire or a flood, such major disruptions are, at least in some geographic locales, thankfully rare. To gain economic benefit from a BCP, the plan should consider not just disasters that may happen, but disruptions that actually do happen. In the short term, in the Northeast, for example, it is common to lose work days to winter storms. Developing a recovery plan that allows employees to work from home on days when they cannot reach the office would provide a tangible benefit, a saving that might, over the course of several years, recover the cost of implementing a BCP. The goal is to turn the BCP process from its traditional revenue-negative position to a revenue-neutral, or even revenue-positive, one. A firm's strategy should be based on an event that affects an extended geographic zone and has a significant impact on the firm and its resources. Firms should be familiar with the BC plans of their suppliers and business partners (both internal and external) and understand any associated risk. This knowledge is especially important for companies using Just-In-Time processes.
Business units should ensure that redundant copies of vital records are stored in a secured and geographically diverse location and are available for use during an emergency within stated recovery objectives. In addition, the strategy should include a succession plan for the CEO and include offsite crisis meeting places for key management.



About the Author [return to top of this report] Mary Ainsworth is a business writer and frequent contributor to Faulkner Information Services. Ms. Ainsworth has written about technology for more than 15 years, with a focus on information security products and issues. She has held positions as manager and analyst for Gartner and Datapro Research Corporation; while at Datapro, she was senior analyst for Datapro Reports on Information Security. Ms. Ainsworth has written articles on disaster recovery planning and access control for Government Computer News and Computerworld, as well as being a featured speaker at industry trade shows and on national radio. [return to top of this report]
