The DCL Group: An IT Management Consulting Company

It's Time to Consider Business Continuity Planning

By: Donna Sandorse, Managing Member, The DCL Group LLC

That a business must stand ready to respond to a crisis is obvious. A company needs to protect both its people and its assets. Planning for the continuity of business in the wake of a disaster is a prudent business practice, but the reasons for a comprehensive Business Continuity Plan (BCP) go beyond the obvious. There are compelling legal and financial incentives for businesses to develop and maintain a comprehensive BCP.

The failure to plan can result in damage that threatens the very survival of the business. A representative of Compaq, quoted in Server World magazine, stated that half of those companies that lose their data in a disaster never reopen for business. Of those that survive, only 10 percent stay in business longer than two years.

While most workplaces have a physical evacuation plan and perform the periodic fire drill, many do not have a plan to deal with all of the safety and recovery steps needed to successfully weather a disaster. Emergency planning, disaster recovery, business continuity, contingency planning, technical recovery - there are a variety of names with some technical distinctions, but they all refer to a company's ability to address major events that, at a minimum, disrupt the ability to do business and at a maximum, can result in personal tragedy.

Whatever you choose to call it, if you are responsible for a business, you should have a comprehensive documented strategy to turn to in a time of crisis.

What is a Business Continuity Plan and What Does It Do?

In general, a business continuity plan (BCP) is a set of detailed advance arrangements and procedures that allow a company to respond to a major "interruption" with limited disruption and a controlled response. The plan is developed in a time of calm to be applied in a time of chaos. The BCP is the cornerstone of an ongoing program, supported and funded by senior management, ensuring that needs have been assessed, resources allocated and procedures developed for such situations. On an ongoing basis, these arrangements are reviewed, revised and tested. In addition, all employees are aware of their existence and have been trained to effectively enact them.

A comprehensive BCP increases the probability that a company will survive as a business entity in the event a disaster disables its operations by minimizing the operational impacts of the incident. Further, a company's response to a disaster can minimize negative impacts to the company's reputation.

Are There Other Benefits to Maintaining a Business Continuity Plan?

Even absent a disaster event, the development of a sound BCP can have direct financial impacts that more than justify the cost of the preparations. In many cases, business insurers now provide discounts for businesses that maintain effective business recovery planning programs. The discounts are usually for business-interruption insurance. Even without such discounts, the BCP reduces the exposure of a business to expenses and loss as the result of a disaster. Having such a plan (and an overall program that includes employee awareness and training) means that, in the event of a disaster, people know what to do, when to do it, and the most efficient way to do it. As such, the costs that are incurred during a disaster and its recovery are minimized and the elapsed time to respond and recover is shortened.

The maintenance of a Business Continuity Plan can even impact a company's ability to obtain financing. This became widely visible several years ago, as many commercial banks and other institutional lenders took great pains to investigate their borrowers' preparations for Y2K. With some justification, many believe that the Y2K issue was overdone. But with the lackluster state of the general economy, and with ongoing terrorist concerns looming large, lenders are looking more carefully at the businesses that they finance. For many lenders and equity sources, investigating a business' preparations to deal with a crisis is becoming a standard part of their underwriting protocol.

There are legal reasons for having a comprehensive BCP. First, depending on the type of business, there may be laws, statutes or regulations that require a business to have such plans in place. In other cases, a business may have individual contracts with customers for whom it provides service that require recovery capabilities. An additional legal concern falls into the more nebulous area of "common law" and personal liability. In this area, a business might be construed to have certain fiduciary obligations and "duties of care" to its employees or customers. In most jurisdictions, officers of corporations are required to exercise "good business judgment". It is not unreasonable to expect that this might extend to business/disaster recovery.

Finally, regardless of the health of the business or any threat of legal exposure, the most important resources of any company are people -- employees, customers, or anyone else who might be on-site or called to respond to a disaster. A BCP is a basic consideration that should be made out of respect to these people. At a recent disaster recovery conference that was reported in Infoweek, it was noted that the Gartner Group encouraged companies to expand their plans beyond business equipment and assets to include the safety of personnel and the coordination of employees if they're displaced from their offices.

What comprises a Comprehensive Business Continuity Plan (and Program)?

While many aspects of the business continuity plan are specific to the individual company, there are a number of basic areas that should be considered and included:

Roles and Responsibilities:   Clearly define the roles and responsibilities of the staff during the disaster. A team, whose role in a disaster is the coordination of the response, should be pre-defined. This team is led by someone who is experienced and well-versed in disaster response and who can clearly take charge of the situation. Frequently, this person is not someone who is responsible for day-to-day management.

One of the recurring themes that I have heard after 9/11 underscores the need for this strong focal point.

More than one person working at the World Trade Center that day has said that sometime after the first plane hit, people were told to return to their work areas -- that the building had been secured and there was no need to completely evacuate. In some cases, it was a manager that told them this; in others, it was based on a building announcement. Those who had experienced the first WTC bombing in 1993 tended to ignore such advice. As soon as it was clear that a major event was occurring, they grabbed their belongings and headed for a stairwell. No one would have convinced them to do otherwise. In many cases, though, it was not clear to people who was in charge and whose directives should be followed. One company in particular was ready to address the crisis. The story of Rick Rescorla of Morgan Stanley has been documented in the book "Heart of a Soldier" by James B. Stewart. Mr. Rescorla, a former soldier, was in charge of security for Morgan Stanley. For years, he had warned that the WTC was an easy target for terrorism and Morgan Stanley had prepared accordingly.

Mr. Rescorla was not the most senior manager in the building that day, but because of the plans in place, he was recognized as the person in charge in a time of physical crisis. He was able to step to the fore, make the necessary decisions and as such, was responsible for the successful evacuation of some 2,700 Morgan Stanley employees from the south tower that day.

Potential Disaster Scenarios:   Consideration should be given to the scenarios that could occur and the response to each. Prior to September 11, scenarios such as natural disasters (floods, lightning strikes), fires and power failures would come to mind. Now, consideration is given to terrorism (including chemical, biological and electronic).

A company that is highly dependent on telecommunications (e.g., telemarketing) would want to consider the things that could impact its connectivity, while a company that is highly dependent on supply chain partners might need to have plans in place for disasters that befall these other companies.

Emergency Phase Response:   The response taken during the first minutes of a disaster is often a critical factor in the ultimate impact of the disaster. Steps should be documented for responding to the emergency, assessing its impact, and setting the plans in motion.

Business Process Continuity:   Critical business processes should be identified and workaround solutions formulated to maintain the business should necessary resources be unavailable. For example, manual workarounds might be put in place if technology is unavailable.

Business Process Recovery:   Once the disaster has been resolved, the output of any workaround solutions needs to be integrated into the normal business. For example, hard copy documents created as part of a work-around process may need to be entered into a system. Plans should be established to ensure that there is a way to do this and that it is subsequently done.

Technical Recovery:   If not already in place, technical disaster recovery plans should be developed. This may include the establishment of technology from an off-site or alternate location.

Critical Documentation and Information:   Technical documentation (network diagrams, PC specs, etc.), evacuation plans, facility layouts, directions, contact telephone numbers and emergency numbers should all be in a single place that is readily available.

Business Continuity Program:   Schedules and responsibilities for maintaining the BCP should be established, including regular updates to the plan, recovery team training, testing of the plan and procedures and employee awareness.

How Can a BCP Help in a "Real Life" Situation?

I can personally attest to the way in which having a solid Business Continuity Plan and Program in place can minimize the negative impacts of a disaster.

As part of the management team in a 300-person Information Technology Division, I was responsible for support services. I generally considered updating my division's business continuity plan an annoying task, at best, but I worked for a company that took it seriously.

One Sunday evening, I received a call at about 6:00 PM from the CIO. A power arc had wiped out the power to our corporate data center. While emergency generators could keep the mainframe and servers running, no staff could work in the building. I was responsible for keeping the "technology support people" supporting people -- and I was glad I had been forced to address business continuity planning. Calling lists were readily available; a clear chain of command was in place along with the criteria for making decisions.

An immediate decision was made to have as much of the staff work from home as possible. Only the staff that was critical to the actual data center recovery reported to the affected building. Of all the remaining staff, only those that needed to be directly connected to technology were to report to the company -- and in their case, it was to an alternate location.

A few phone calls on the CIO's part set calling chains in motion and a few calls on my part put my staff into action. The next morning, they were in place to direct people to available work spaces, maintaining a log of the phone numbers that were assigned to people for the day. Essentially everyone was productive upon reporting to work with minimal inconvenience.

How Does a Company Justify the Expense of a Comprehensive Business Continuity Plan (and Program)?

Obviously, there is an expense involved with business continuity planning. Developing the plan requires employee time and, often, consulting expense as well. Establishing preparations in advance -- the availability of extra equipment, physical space, off-site data centers or back-up sites, etc. -- can lead to further costs.

Enacting the BCP has inherent costs as well. Only key people should be able to "declare a disaster". The criteria for doing so should be pre-determined as part of business continuity planning so that during the event, there are clear guidelines for making decisions. Having prior management consensus as to what steps will be taken and the triggers for doing so prevents "second-guessing" during the crisis and "finger-pointing" afterward.

The Gartner Group has stated that companies typically spend 3% to 8% of their IT budgets on business-continuity and disaster-recovery. Factors that go into the calculation of a reasonable expenditure include how much downtime will cost in lost revenue and productivity.

According to a recent InformationWeek Research survey of 250 IT and business managers responsible for their companies' business-continuity and/or disaster-recovery plans, more than half the managers surveyed said their companies will increase spending on business-continuity planning, including 10% who expected a significant jump in expenditures.

The best way to determine and justify an "appropriate" amount of expense is to do an "Impact Analysis". Identify the potential risks to the company and the likelihood that they might occur. Consider the impacts in both dollars and intangibles associated with the loss of equipment, productivity, etc. (not to mention potential liability). Then determine the best/most appropriate response preparations to take. In some cases, it may be contingency plans and locations; in other cases, it may be insurance. By including all key parties in the impact analysis and decision process, consensus can be reached and an effective strategy developed.

Business Continuity Planning is an expense you can afford today. The failure to plan can result in devastating expenses that can threaten the very survival of a company tomorrow.

The DCL Group  •  1545 Crabapple Lane  •  Plainfield, New Jersey 07060  •  (201) 320-2006