Today's BCP: A Holistic Approach to Managing Business Risks
Fri, 08/31/2007 - 8:00pm
Mike Hager

Still, many organizations fail to appreciate some of the fundamental aspects that comprise comprehensive BCP, which ultimately negates good intentions and initial efforts.

Consider this: On the morning of September 11, 2001, the World Trade Center provided more than 20 million square feet of office space to the companies occupying the towers. After its destruction, only 10 million square feet of office space was available in Manhattan. While many companies had facilities in which to recover their IT systems, they had no work space for their employees. Where employees go immediately after a disaster, and where they will be housed during recovery, was one of the most critical failures exposed by that event, and it serves as a constant reminder of how companies should approach BCP.

Fundamental Flaws

Since 9/11, some improvements have been made, but many more are necessary. While no business continuity program is perfect, organizations should make themselves aware of common pitfalls and seek to avoid them. The following are four areas that remain trouble spots for many enterprises:

Acknowledging Vulnerabilities

Too frequently, management fails to appreciate the relationship between BCP and disaster recovery. Trying to build recovery strategies without this business perspective is simply outdated thinking. 

Taking a composite picture of the business, acknowledging vulnerabilities, and identifying all possible crisis scenarios is the primary initial step for any company and should become part of its established mindset. As the company makes its initial assessment, it should keep top of mind the areas that are most challenging when establishing a BCP. These include a) identifying total recovery costs as they pertain to people, facilities and technology; b) identifying potential losses, such as lost revenue, customers and reputation; and c) assessing the technology costs of supporting the recovery plan.

BCP is a dynamic, evolving process that must be adjusted to an enterprise's unique conditions and to the changing business environments in which it operates. It is therefore highly recommended that each department, division and layer of management be tasked with regularly collecting information on potential vulnerabilities and reporting it to the established risk management team or manager, so that it can be integrated into the overall BCP strategy. This practice conditions personnel at all levels to anticipate possible crisis scenarios, while allowing management to identify gaps in recovery capability and better calibrate recovery time objectives and recovery costs. Because it effectively serves as a self-audit, it has the added benefit of letting the company examine its operations from an entirely different perspective, affording the opportunity to implement changes and enhance overall business processes.

Prior to 9/11, one large financial organization had determined that its recovery time objective was 48 hours, a timeline generally accepted within such organizations. However, when a business impact analysis was finally conducted, it revealed that many critical processes and systems were not adequately addressed. For example, electronic transmissions worth tens of millions of dollars were sent multiple times each day; without connectivity, the company stood to lose $50 million a day in lost transmissions. The impact of not having a Web presence to advise customers that their money was secure also proved highly detrimental, as it jeopardized the financial institution's primary asset: customers' faith and confidence.

Training across the Board

The failure of involved personnel to fully understand their roles and responsibilities during a crisis is one of the most glaring oversights a company can experience, and it is an all too frequent occurrence. Training against a detailed crisis management plan is essential to ensure that all employees understand exactly what they are required to do, without hesitation. Whether it pertains to participating in an employee call tree, contacting key suppliers and customers, conducting media relations, securing offsite data or being prepared to work remotely, responsibilities must be defined and clarity emphasized so that all mission-critical activities are addressed and recovery time objectives are met.

Creating an internal awareness and training program focused on emergency response and operations is a critical first step. The training should be regularly scheduled, and in coordination with test simulations. As part of the training regimen, it is imperative that senior executives participate, especially those not playing a direct role within risk management. This will not only help to reinforce a proactive BCP mindset — and aid in overall coordination — but also will help to further address any specific shortcomings within individual business units.

Testing the Goods

A BCP manual gathering dust on a shelf reflects a job half done. This, unfortunately, remains a reality for many companies that think drafting a plan and executing an initial trial run is sufficient. Given the dynamic pace of change in business environments and technology, nothing could be further from the truth. Proper BCP implementation includes a comprehensive series of tests and simulations that ensure the plan works, affirm the enterprise's recovery objectives, and provide clear management metrics for the future.

Testing should include the IT systems and, at a minimum, round-table exercises with critical business functions twice a year, more frequently if a company operates in a high-risk area or is especially vulnerable to certain threats. Testing of all critical IT systems should also be conducted with real system users, to validate that the recovered information is current and that the critical business functions can actually operate on the recovered systems.

It is also strongly encouraged that the program include scripted tests along with random test elements that measure the true capability of staff to think on their feet and ensure that equipment is fail-safe.

As part of the testing phase, critical analysis and attention to detail are essential and will help to produce results. For example, while Oppenheimer Funds in New York was undertaking a BCP test walkthrough in November 2002, the issue of blackouts was raised in discussion and quickly added to the company's crisis scenarios. As a result of attempting to exhaust every "what if" scenario, the company was prepared to deal effectively with the blackout of 2003 and to preserve sensitive customer data as well as its reputation.

BCP Champions

The critical difference between a solid BCP effort and its shaky counterparts is often the one individual who champions BCP as a priority investment. Having one advocate tasked with administering all aspects of BCP company-wide can prove highly advantageous. A range of enterprises, from leading financial institutions such as Goldman Sachs, BNP Paribas and Credit Suisse, to insurance companies such as New York Life, to universities including George Mason (Va.) and George Washington (D.C.), have all designated a senior individual to coordinate business continuity plans, normally with substantial assistance from their IT departments.

Ultimately, the demands associated with BCP mean that senior management, and in particular a company's Board of Directors, must become more engaged in the process. The drivers vary: the growing wave of regulations (e.g. Gramm-Leach-Bliley and HIPAA) that has made senior leaders take action; pressure from interest groups; or simply factors linked to liability or reputation. The bottom line is that, as the global business world becomes ever more interconnected, the risk of crisis contagion becomes that much greater. Senior management must therefore be engaged and assume a leadership role.

Future Aspects of BCP

As a result of the tragic events of 9/11, many observers forecast an immediate rise in both the quantity and quality of business continuity planning. Unfortunately, the human race suffers from short-term memory. Clearly, adoption of BCP by some companies is only very recently taking hold and becoming more of a business foundation. This is in great part due to more recent events, such as Hurricane Katrina, the London terrorist bombings and concerns around SARS and other health pandemics. If 9/11 served as a wake-up call, then this series of events represents the call to arms that can change people's outlook and bring BCP to the forefront.

Today, it is encouraging to see companies in various industries and of different sizes attempting to map BCP to their specific business priorities. Small and medium enterprises no longer view BCP as solely a responsibility of large companies. They too face similar threats, and one can argue that they are at greater peril given limited resources to recover financially from a crisis. While large companies must deal with issues of scale, smaller firms should be encouraged to adopt activities that, at a minimum, can help address their recovery issues at minimal cost.

Assisting all enterprises will be the continued introduction of advanced technologies. Applicable innovations include software that improves the ability to maintain and update plans, ensure communications with constituents, and run training simulations; biometrics, which could aid in security efforts; and defenses against distributed denial-of-service attacks and DNS pharming, to protect IT systems from disruption and corruption. Other innovations include maturing fail-over technology and storage technology that allows easy deployment of data mirroring. Hot site service providers and co-location facilities are also slated for rapid growth. Given their growing popularity, these technologies are being made as affordable as possible for smaller organizations with limited resources.

Making sense of the wide range of available technologies and BCP services, and of the growing body of regulations and standards to comply with, is feeding the growth of a specialized cottage industry. Given that recent research by IDC found that companies with in-house data storage are less confident in their recovery ability than companies that outsource, we can expect to see a continued upsurge in specialized consulting services offered for a variety of BCP and recovery elements. Beyond the varied expertise on offer, an added benefit of external advisors is their ability to help mitigate the internal political obstacles that frequently block plan roll-out, particularly if there is no BCP "champion" within the company.

BCP represents a learning continuum, where beyond required, fundamental aspects, there will continue to emerge best practices and lessons reflecting specific environments and the changing needs of every company. Recognizing this means that the shortcomings touched upon here can easily be rectified and help foster a mindset that underscores vigilance, ensures executive sponsorship and governance and ultimately allows the BCP process to become more comprehensive and effective. Given what is at stake, there is really no alternative. 

Mike Hager has over 30 years of experience in designing and managing business risk management programs. He is a retired Special Agent for the Air Force Office of Special Investigations. He was selected by Computer World magazine as one of its Top 100 IT Leaders and has acted as a member of the editorial advisory board for CSO magazine. Prior to joining Unisys, Mike held senior-level security positions in both the federal government and private sector. He is co-author of the book Business Driven Information Technology: Answers to 100 Critical Questions for Every Manager. He is currently an enterprise security advisor and senior security architect with Unisys and can be reached at (303) 646-2642.
