What is most likely to bring your systems down? A minor problem might be as bad as a natural disaster, argues Illena Armstrong.
Most everyone can readily recall the lip service countless C-level managers paid to business continuity planning (BCP) post-9/11. Renewed interest in BCP prompted some administrators, for a short time anyway, to believe that they were finally going to get the fiscal support they needed to keep IT systems up and running during cyberincidents and other types of outages. It turned out, however, that despite the talk, dollars were rarely allocated to business continuance efforts and far too many IT-reliant business processes were left exposed.
It now seems the cycle has come around once more. For the time being, naysayers can take heart, as several factors too large for enterprise leaders to ignore have revived attention in BCP.
Taking notice of worst cases
According to Gene Bounds, executive vice president, operations, for Robbins-Gioia, a management consultant headquartered in Alexandria, VA, executives are "revisiting and re-evaluating their readiness level." Although business leaders realized the "organizational benefits of disaster recovery (DR) plans" before and immediately after 9/11, they now view them as absolutely critical in view of the increasing threat of terrorist attacks and the geopolitical state of the world.
"Our definition of worst-case scenarios has changed," says Pat McAnally, senior director of marketing, Planning Solutions, a business unit of SunGard Availability Services. The IT security threat landscape continues to grow more complicated with the likes of Code Red and, more recently, SQL Slammer coming on the scene. In addition, while organizations once thought about hurricanes or fires, they now also include planes fully loaded with gasoline plowing into a building as a very real possibility after 9/11.
On top of these scenarios, additional U.S. regulations from the likes of the Federal Trade Commission or the Federal Reserve are calling for better BCP, with some mandates demanding that geographically diverse data centers be established, she adds. Congressional acts, such as HIPAA, have come into force and include mandates to test, document and execute a business continuity plan as well.
Now, C-level executives, such as CEOs and CFOs, are also skittish when it comes to ensuring that pertinent data is protected, says David Purdy, director of business continuance for EMC, in light of the Sarbanes-Oxley Act. This piece of legislation aims to hold top executives directly accountable for adhering to higher standards of disclosure and corporate governance in view of last year's multiple financial scandals. And, in the U.K., such government regulations as the Turnbull Report (see supporting feature on page 28) demand that organizations buff up on their business continuity planning.
Moving beyond just awareness
According to recent statistics from analyst firm Gartner, about 60 percent of U.S. businesses relying on information technology to conduct their day-to-day and critical business activities have failed to spend enough money on business continuity or disaster recovery tools and plans. This happens despite the fact that many organizations hit with some sort of disaster never recover, according to Gartner. Around two out of five organizations experiencing some sort of disaster actually go out of business within five years of the incident, according to the group's research.
Rick Cudworth, head of business continuity services at KPMG in the U.K., says that undertaking BCP is more than just drafting a plan so as to check it off one's 'To Do' list.
An impediment to organizations progressing with business continuity planning lies with a question that many executives have trouble answering: "What's good enough?" From Cudworth's perspective, companies must find the answer to this question by balancing its three parts: the cost of creating a business continuity/disaster recovery infrastructure, the level of potential risk, and the total in lost revenues when a disaster occurs.
"Decisions about the level of resilience and recovery need to be made, but you also need to think about what will be involved in maintaining the investment you make," he says. "Plenty of organizations provision, but they don't manage. So, as new systems are added and data changes, the parallel recovery systems are not updated in tandem." Companies need to think about what level of ongoing management is important to the business for the recovery plan to be effective.
Part of this management involves moving past that which often motivated many businesses in the first place. In many people's minds, 9/11 proved a wake-up call as to how important business continuity plans truly are. Yet the likes of 9/11 are far from the only events for which to plan, says Dennis Richardson, senior director of managed security services for WorldCom.
"It's important to recognize that business continuity extends far beyond 9/11 and natural disasters," he says. For instance, business services could come to a screeching halt as a result of a misconfigured router. Businesses have to ensure they can survive the normal outage occurrences as well as the big events.
Indeed, when it comes down to it, a long list of possible scenarios with appropriate contingencies is probably not that important, says Jim Grogan, vice president of strategic alliances with SunGard. The particular outage, in a sense, is not important relative to planning, he says. "What's important is that you must have thought through in advance all of the aspects of that disaster to get back to production."
In this way, people know their responsibilities, critical data is already being preserved, on an ongoing basis, at an alternate site, and processes are in place to keep business operations going.
Today's business reality
With growing interconnectedness, businesses deal with partners, customers and employees via the internet. More and more businesses these days are making use of applications and services that cater to all a corporation's users.
This kind of environment demands that corporations "continue their operations in a business-as-usual manner in the event of a disruption," says Thomas Hudson, CEO and chair of CNT Corporation. No longer is business continuity merely an exercise in recovering operations days after an incident. Furthermore, Hudson notes that such plans should not just be left to the domain of keeping up with servers and mainframes.
"Recent events, including 9/11, made it clear that business continuance planning has to encompass the whole enterprise, including the personnel and facilities as well as the larger corporate IT and communications infrastructure, and physical assets such as work spaces," he says.
Putting a comprehensive plan in place to support the whole of a business has traditionally been viewed as a costly endeavor. Now, this can no longer be used as an excuse, since tools, such as storage networks or disk mirroring and auditing solutions, have evolved and their price points dropped, says Bob Gilbert, director of product marketing for Disk Sites, Inc. Plus, as long as organizations are evaluating what their most critical business processes are, and ways to recover tier-one and tier-two information when disaster strikes, they can cover themselves pretty well without too much capital outlay these days.
BCP can add "immeasurable value to a company," says CNT's Hudson. "An IT infrastructure built for business continuance means a company can depend on being able to do business around the clock," he explains. "It can mean the difference between having a future as a business and going out of business. CNT had 40 customers with offices in the World Trade Center and surrounding buildings [during 9/11]. Not one of those customers lost their data or their ability to continue serving their customers in real-time without human intervention. This was true business continuity."
Sure, his clients had to invest in solutions to bolster their BCP up front, before a catastrophic event like 9/11 occurred, but the benefits of doing so were palpable. Planning for business continuance not only allows them and other companies who have undertaken such preparation to be at the ready for any future terrorist attacks, but also helps them to confront widening regulation, auditing demands, stockholder expectations and still other forces that are quickly assembling to make BCP a top-of-mind issue these days.
Illena Armstrong is U.S. and features editor for SC Magazine