In the wake of September 11 companies have been scrambling to review and update their disaster recovery and business continuity plans.
In this discovery phase most firms are recognizing that their current disaster recovery programs are not adequate to prepare for the magnitude of disaster that struck the companies located in the World Trade Center towers and surrounding buildings. The conventional wisdom is that this inadequacy is due to an underestimation of the worst-case scenario. We assert, however, that this lack of preparedness has less to do with the disaster scenario and more to do with the changing nature of critical information that resides within an organization. This article examines the changing role and importance of information assets to a business and explores the challenges in setting priorities for business continuity planning and its relationship to information security planning.
Business-critical vs. Business-sustaining Information
A critical component of disaster recovery and business continuity planning (BCP) is information assessment. Information can be separated into two types: business-critical and business sustaining. Business-critical information is information absolutely essential to the day-to-day business function. For a financial services firm it may be the trading positions and financial holdings of the firm. For a manufacturing concern, it could be current inventory levels and production plans. Whatever information the business needs to survive is business critical.
Business-sustaining information is that information which allows the business to function smoothly and more efficiently, but which is not absolutely essential to the ongoing operations of the firm. Data warehousing and business intelligence data is a good example of sustaining information for most businesses. Email logs may be business sustaining, while order entry forms and payroll data are considered business critical. Financial services firms are incorporating instant messaging into their business processes. Soon these transcripts will be considered business-critical information along with the account positions.
Most companies soon realize that the ratio of business critical to business sustaining information has increased significantly just in the past few years. This places an increased burden on disaster recovery planners who only a few years ago could de-prioritize or even ignore email logs and personal digital assistant (PDA) files. One of the lessons learned from September 11 was that traditional disaster planning failed because too much emphasis was placed on protecting the centralized computing infrastructure and not enough emphasis on supporting the business end-user environment and critical end-user applications.
Rapidly changing IT environments quickly outdate a recovery plan. One challenge for disaster recovery planners is in determining the importance of new information sources. For example, are contact information records that reside in a salesperson's personal information manager business critical or business sustaining? The multifunction PDAs that are starting to appear further complicate matters. Phone logs, instant messages and contact databases are becoming increasingly important to the sustaining, if not the critical business operation, of many companies. These 'mini-warehouses' of critical information are often overlooked or inadvertently de-prioritized in the disaster recovery planning process.
The Role of Business Unit Managers in BCP
The conventional wisdom in BCP is that the business owners have responsibility in determining what constitutes business-critical information since they are closest to the day-to-day operations and can make the best business decision. However, there are problems with this approach:
Business unit managers don't know what they don't know. Of course this is true for everyone, but business managers are experienced at segmenting their knowledge bases into two camps - those that they understand (and can control) and those that they can't (and should delegate). Unless a business unit manager has an IT background or takes extra steps to understand the technological underpinnings of his or her operation (a Herculean feat), they may be able to identify the critical business processes but have no grasp of the essential IT systems that support them.
Business unit managers are optimists, not skeptics. Business unit managers are biased towards looking at the bright side of things - their glass is always half full, not half-empty. Worst case scenarios are not something that business managers are paid to think about - their job is to identify business opportunity and seize upon it, not to sit back and think of all the things that can go wrong. Worst-case scenario planning is counter-intuitive.
Business unit managers are paid to take risks, not avoid them. This is related to the previous point - business unit managers are risk-neutral with respect to business opportunities and will 'go for it' even with (and despite) the risk of failure. A system failure due to a catastrophic event is not something that the business unit manager sees as an opportunity, unless he or she happens to be in the business of providing disaster recovery services (a separate topic altogether).
Who Owns Business Continuity Planning?
Ideally the BCP function should be owned by a combination of the business and IT managers. The problem is essentially one of communication: business units don't speak the native tongue of technologists and vice versa. In many ways security planning and business continuity planning go hand-in-hand; both deal with unexpected threats, analyzing the impact in dollars and cents on an organization, and identifying cost-effective mitigation strategies for reducing that risk. Security and BCP also share many of the same challenges: the reliance on physical security to provide some level of protection and the difficulty in performing risk assessment and explaining what is the 'right' level of investment to senior management. An effective business continuity plan improves the information security plan and vice versa.
Recent events have raised the level of awareness for both information security and business continuity planning to the C-team and boardroom. Before they fall back down to the operational groups, however, it would behoove the champions of both causes to put a strategy in place to align business objectives, business recovery and information security. There is no better time to act than now.
Robert Lonadier is the president of RCL & Associates, a Boston-based analyst and consulting firm specializing in providing implementation-ready counsel and advocacy services to senior management in information security.