Challenges facing business continuity planning

"Everything that can be said has been said, but we have to say it again because no one was listening."

Although this was first said by André Gide, a French novelist, it has been seen as appropriate for the state of affairs in business continuity planning.

More than two years after the attacks on the World Trade Center in New York brought home to many firms and agencies the risks posed by terrorism — as well as the risks from natural disasters such as flooding or the electricity blackouts in London, Italy and North America in 2003 — more could be done to limit the impact of any future catastrophes. Gartner Group, a market research firm, estimates that only 60% of large enterprises would have business continuity plans in place this year, although this was up from less than 25% in 2001.

Traditionally, this area has been seen as disaster recovery for information technology departments, to replace crashed systems with back-up computer files or whole financial trading floors. In data replication software alone, at the end of 2001 research firms International Data Corporation and Gartner estimated the market was worth US$1.1 billion. By 2004-05 they predict that the market’s value would have risen to US$3 billion for software alone.

Arden Bement, director at the National Institute of Standards & Technology, says: "The root of the problem in critical infrastructure control systems is a large legacy of hardware and software that was designed with two thoughts in mind: performance and reliability. Security, by and large, was not on the list. But now it must be."

In fact, the business continuity area has grown out of disaster recovery to encompass public services (such as utilities or phone connections) and staff protection. The Istanbul bombings of the British Embassy and UK-based bank HSBC identified to all companies and ministries that they could be targeted violently — not just from computer hackers and viruses.

London-based country risk analysts World Markets Research Centre in 2003 placed the UK as equal tenth with Sri Lanka in its Global Terrorism index due to its "sophisticated militant Islamic network"; its close relationship with the US; and a number of symbolic targets, such as the Houses of Parliament. The US was placed fourth behind Colombia, Israel, and Pakistan.

Michael O’Hehir, a director of global risk management solutions at PricewaterhouseCoopers Thailand, says that discussions with executive management at some Wall Street businesses that survived the 11 September 2001 attacks highlighted the following steps that are required for successful business continuity planning (BCP):

Commit to BCP. Following New York’s first World Trade Center bombing in 1993, many organisations began implementing disaster planning. It is unlikely that these organisations would have survived the 11 September attacks had they not already had such a strong organisational focus and commitment to BCP.

Clearly define communication strategies.

Internal and external strategies are necessary to ensure that employees are accounted for; to keep them well-informed; to keep them as safe as possible in a potentially unsafe environment; to respond to the media and family members; and to interact with government and law enforcement officials.

Utilise a scenario-based planning approach.

When planning for a crisis, many organisations have assumed that three crucial factors — most key personnel, regional public transportation systems and critical vendors — would be available. It is also commonly assumed that it would only take a relatively brief time to recover critical computer systems and vendors. Recent events have shown that these are not valid assumptions.

Divide the location of critical operations and keep them located at a safe distance from one another

If a business is to survive, off-site storage, recovery locations and emergency operations must be easily accessible to facilitate a timely recovery. However, companies that had multiple processing facilities, but located them too close to one another, were never able to recover.

Implement appropriate back-up technology.

In the first two days after the 11 September attacks, the most critical issue technical recovery teams dealt with was that of data reconstruction. Many business continuity efforts were at a standstill until the technical environments could be brought to a consistent point in time (the last time data was backed up) for all data. Current mirroring technologies (when all transactions are backed up on another computer system) and well-structured manual procedures must be aggressively considered to improve overall recovery capabilities. (The National Institute of Standards & Technology (NIST) added that in the North American blackouts, energy suppliers were using times set up to seven minutes apart.)

Realise the fallacy of a paperless environment.

Many organisations were surprised to learn that their paperless environment was not actually paperless. Their continued reliance on paper documents meant a significant investment in employee resources to reconstruct what was destroyed. Building a true paperless environment should remain a strategic option strongly considered by most organisations.

Understand the dependence on key vendors.

After 11 September, almost half the businesses that recovered operations at a commercial ‘hotsite’ (a site with an exact replication of a current computer centre) found their subscribed resources insufficient for their actual needs. A vendor review process should include assessing a vendor’s criticality; securing multiple vendors for critical processes; understanding a vendor’s preparedness to deal with disasters; and understanding vendor capacity thresholds and plans.

Test business continuity plans frequently and extensively

Organisations must understand the value of comprehensive testing of all elements of a business continuity plan. Such testing must cover end-to-end processes to proactively identify gaps or weaknesses within the plan.

Keep business continuity plans current through a strong maintenance process.

Organisations are in a constant state of change. Having a process in place to ensure that business continuity plans reflect these changes is key to ensuring the right people can be contacted and the right level of resources are available at a business’ alternative processing sites.

Assess the adequacy of existing business interruption insurance.

Existing insurance coverage, specifically business interruption insurance, should be evaluated. Understanding an organisation’s coverage before a disaster occurs is critical to responding quickly and establishing processes to capture the information required to prepare a claim.

For O’Hehir, the most important lesson learned from events such as 11 September and the New York power outage was that businesses cannot plan for every scenario, but they can prepare for how they will deal with the unexpected. Certainly, those organisations that had undertaken extensive planning were better prepared to react, recover and remain in business, he said.

It is not being left to individual companies to decide what, if anything, is to be done. After the attacks in New York, US regulatory and industry trade bodies have led the way in developing standards effective in maintaining business continuity. The UK formed the catastrophe group including the Bank of England, the Treasury and single regulator of the City of London, the Financial Services Authority, to identify keys issues to protect the financial services industry. As far back as 1996, the US Critical Infrastructure Protection initiative provided a key point in identifying areas and shortfalls in regulation for business continuity management.

In the US alone, numerous organizations provide laws or best practice guidelines for various industries. For example:

Talking about the National Strategy for Homeland Security, which led to the creation of the Homeland Securities Standards Panel in 2002, Dr Bement at NIST says that a set of priority standards areas has been identified: emergency communications; risk assessment; training for first responders; and cyber-security and biometrics, primarily for critical sectors, such as energy, water, power, and telecommunications although not overlooking building automation and control systems for heating and ventilation.

Dr Bement adds: "My charge to you is to keep hammering away at the theme that infrastructure security and protection is important. We must all fight the temptation of complacency and work together to get the job done."

While the risks are real, however, scaremongering can be counterproductive and expensive. There is a fine line between, on the one hand, becoming so scared of unexpected and unforeseen events destroying files, staff and business that too much attention and money is spent; and, on the other, ignoring the issue in the hope it will never happen.

As Samuel Taylor Coleridge, the English 18^th century poet, said: "In politics, what begins in fear usually ends in folly."

This might equally be applied to the rocketing expenditure on business continuity, although too often it appears that people would rather keep their heads in the sand.

James Mawson previously served as an International Editor at Financial Times Business and continues to write for both the Independent on Sunday business section and the Financial Times