With the rise in cyberattacks, terrorism, and industrial sabotage—not to mention natural disasters such as tornadoes, floods, earthquakes, and hurricanes—business continuity management has quickly come to the forefront as more and more enterprises are being forced to invoke their disaster recovery plans. If concerns for business survival, damaged reputation, and eroding investor confidence aren't enough to convince you it's time to get on the bandwagon, then how about the growing pressure from government regulations like Sarbanes-Oxley requiring you to prove that your plan is a viable one?
Joyce Repsher, director of Global Business Continuity Management Services for Dallas-based Electronic Data Systems, offers TechRepublic readers eight concrete steps they can take to ensure that their companies are amply prepared to face any business disruption.
Step 1: Be proactive rather than reactive. It's cheaper in the long run.
Work through the possible disaster scenarios ahead of time so that you have an idea of what might happen to company operations and what steps you'll need to take to counteract the disruption. You're going to spend a lot less money when the real disaster hits because you have all your ducks in a row. You'll pay a premium for resources if you're caught scrambling after the fact.
Repsher tells of an EDS client, a retailer with several branches across the United States, who rejected spending $700,000 to implement an enterprise-wide virus prevention package. About a month later, the Nimda virus hit and the enterprise was down for over a week. "It cost them 10 times the amount of the originally proposed antivirus package to restore their operations and get the virus cleaned out of their systems," reports Repsher.
Step 2: Don't put all your eggs in one basket.
Spread your vital operations across more than one location to provide sufficient redundancy to fail over to another facility should a disruption occur. Make backups frequently and store them outside the facility. If you can afford it, make and store backups in several locations. Randomly and periodically check on the backups to make sure they're actually viable and accessible. And don't forget your PC data!
"What many enterprises overlook is that a lot of vital company data resides on employees' laptops," notes Repsher. "And if it's not backed up, you're really out of commission." She recalls one forward-thinking global company whose executives were traveling through Europe attending several strategic planning sessions. During the journey, one executive's laptop was stolen. But because she had been conscientiously backing up her data through a mobile information protection package, she was able to quickly recover the financial, HR, and operations data she needed to participate in the meetings.
Step 3: Make your business continuity plan part of your change management culture.
Don't leave your plan gathering dust on the back shelf. It needs to be a living document to remain viable. If business models change or business processes undergo reengineering or key emergency contacts no longer work for the organization, your plan needs to be updated.
"Business continuity management needs to become part of your corporate culture, part of your change management process," insists Repsher. "When changes occur, every employee needs to automatically ask themselves how it changes their part of the business continuity plan." With greater emphasis on regulatory compliance, it's not enough to have a plan and policies in place. You have to demonstrate that they're workable.
Step 4: Aim for the quickest recovery you can afford.
When disaster strikes your company, your competitors will jump at the chance to fill the void. A strong business continuity plan will ensure that you don't lose market share in the event of a disruption. Especially if yours is a Web-based operation, you need to get up and running again as fast as possible. Statistics show that oftentimes when prospective customers can't log onto your Web site, they don't come back.
"Business impact analysis is one of the key components for determining if your business continuity plan is workable," explains Repsher. "Look closely at your recovery procedures and see how long it will really take you to get back up and running following a disruption."
She tells of a Fortune 100 client who had a real wake-up call when they realized that if they followed their current business continuity plan, it would take the company 22 days to get back up and running. EDS reviewed the document and was able to recommend strategic changes to the way the company handled backup and restoration of data, the technologies it used for storage, and the way it configured its networks and IT operations that would enable the corporation to restore operations in a more competitive time frame.
Step 5: Routinely test your plan to keep it current.
Generally, people talk about the three Ps of disaster planning: people, property, and priorities. But EDS recommends three more: practice, practice, practice. The drills you do today may be critical to your company's survival. It's all part of making sure that your plan stays current. Those drills can be as simple as asking a few pointed questions:
- Is your crisis management procedures manual readily accessible from several locations?
- Have you looked at it lately to make sure that the contact-in-case-of-emergency phone list is current?
- Do you know when to call in local authorities and who has the authority to make that decision?
- How well do you control vendor and visitor access to your facilities?
- Do your security procedures reflect what you really expect your employees to do in an emergency?
Repsher tells of one CEO who was so committed to business continuity planning that he instituted a corporate-wide policy that any meeting involving three or more employees had to open with a five-minute discussion on a business continuity topic. At first it was viewed as a joke, but gradually it gained widespread acceptance because employees realized that the broad range of topics covered over the course of a year was really preparing them well to react to any disruption to normal operations.
Repsher recommends making sure a triage process is established for the command center to confirm the impact of the disaster on the business. Otherwise, in the heat of a disaster, those heading up the team might decide to change priorities based on the last phone call received, rather than on an integrated approach to business recovery.
Step 6: Tailor your business continuity investments to likely threats and key priorities.
It's all about balancing protection against costs and survival. Recent events have made us think of terrorism as our foremost threat, but there are many other threats that are far more commonplace: employee or non-employee workplace violence, labor actions and disputes, cyberattacks (including computer viruses and denial of service), hoaxes, and industrial espionage. Your plan needs to focus on those issues most likely to cause disruption.
According to Repsher, while employees are considered a company's greatest asset, they can also be its biggest threat. She cites statistics that indicate 80 percent of business disruptions are caused by employees, whether maliciously or accidentally. It could be deliberate sabotage, such as e-mailing a competitor your vendor list. Or it could be simple carelessness in leaving confidential company information at the shared printer for anyone to see. It's important to instill in employees an awareness of how their actions can impact and disrupt normal operations.
Physical plant security is another issue to consider. Does the physical security plan include instructions for contacting local fire, police, and rescue authorities? Do employees know where to report for work in case their usual facility is unavailable? Do you have technology in place to allow them to work from home? Can another facility provide space and resources in the event of a disaster at one location?
It's important to realize that it is neither possible nor cost effective to try to protect everything. You need to examine your operations and determine what you really need to survive. Can you fall back to data that's more than a week old? Or is it vital that certain information be backed up every two hours? How many employees need to be trained in redundant skills should another facility or department be put out of commission? In the wake of 9/11, there's been a lot of emphasis on worker recovery. But how vulnerable to drastic workforce reductions are you?
Step 7: Check that all your plan components sync with each other.
To effectively respond to a business disruption, your business continuity plan needs to incorporate all the components required for your successful recovery: your data, your workforce, your facilities, your networks, even your vendors and suppliers. You must have procedures in place to ensure that events occur in the right sequence to get you back up and running as promptly as possible. It's a delicate balance, but a crucial one.
Repsher cites one company that had a dedicated recovery center. But it took two weeks to pick, pull, pack, ship, and restage the 30,000 tapes needed for recovery. She observes that it doesn't help to have backup data with nowhere to restore it, or have a place to restore it but no way to connect to it. She recommends closely examining your recovery procedures to guarantee that all the elements of the plan truly work in sync with each other.
Remember that your vendors and business partners are integral participants in your business continuity plan too. Repsher sees a growing trend among enterprises to insist that vendors demonstrate the viability of their own business continuity plans as a condition of doing business with them.
Public reaction can sometimes make or break your recovery, too. "If you have employees speaking to the media about a disaster," says Repsher, "make sure they're trained in media relations. Otherwise, they may inadvertently say something that could create a competitive disadvantage, erode customer confidence, or place the company in a compromising situation."
Did you know?
Worms and viruses hit a record level in January 2003, numbering close to 20,000 and causing more than $8 billion in damage worldwide. If the rate of attack continues, it's estimated there will be more than 180,000 digital attacks for the year, costing between $80 and $100 billion in damages (mi2g Ltd).
In a recent crime survey, 85 percent of respondents had experienced computer viruses, 70 percent had some form of Web site vandalism, and 12 percent had some form of theft of transaction information (Computer Security Institute and FBI Computer Crime and Security Survey, 2003).
Forty-one percent of Fortune 100 firms see spending money on business continuity management in 2004 as a priority to ensure compliance with government regulations (Forrester, 11/03).
Step 8: Be cognizant of how regional disasters can dictate priorities.
Let's face it: In case of a flood, hurricane, or other regional disaster, getting a factory or a retail store up and running is going to take a back seat to hospitals, police, fire stations, and other facilities focused on citizen safety and security. Know your local emergency response organization and what actions they're likely to take during a response so that you can plan accordingly.
Also, suggests Repsher, when you build your contingency plan, think about alternate locations that can pick up the workload outside the affected region. Don't put your disaster recovery solution too close to your main operation. And make sure the alternate location is on a different power grid from the disaster site.
Repsher advises that when you look at business continuity, don't think of it as a plan that you review once a year. "Business continuity management needs to become ingrained in your corporate culture," she insists. "It's amazing how little it costs to change the corporate mindset and how big the potential payoff can be in the case of preparedness for disaster."
And speaking of cost, Repsher cautions not to spend more money than you really need to. "Weigh protection costs against your company's ability to survive the disaster or business disruption. Don't feel you have to protect everything. And rehearse the plan on a regular basis," she counsels. "If you aren't practicing your plan every chance you get, don't expect a smooth response when disaster strikes."
While the goal of a business continuity plan is to get you back up and running as quickly as possible, your vigilance and diligence before the fact may even help you prevent some disasters and business disruptions from ever occurring.