Business Continuity and Disaster Recovery Planning

3571

3572

3577

4813

7372

7373

7374

7379

8742

INDUSTRY SNAPSHOT

Natural disasters, acts of terrorism, and other unfortunate events have threatened cities, towns, and commercial markets throughout history. Devastating fires in cities like Chicago spurred growth in the vital records preservation industry during the early twentieth century and companies began storing important documents in fireproof safes and vaults. Insurance policies also offered some protection against catastrophic loss. However, for many years, businesses were content to simply deal with disasters if and when they occurred, with little or no resources devoted to proactive planning.

In time, the storage and transmission of data became critical to the continuation of commercial and financial markets. The terms business continuity, disaster recovery, and emergency preparedness emerged as public and private organizations began devoting resources to ensuring their survival in the wake of potential catastrophes.

In Total Contingency Planning for Disasters, author Kenneth N. Myers wrote, "The primary function of business insurance is to provide a hedge against loss or damage. A disaster recovery and business continuation plan, however, has three objectives: 1) Prevent disasters from happening; 2) Provide an organized response to a disaster situation; 3) Ensure business continuity until normal business operations can be resumed."

By the middle of the first decade of the twenty-first century, business continuity and disaster recovery planning had emerged as its own industry. Serving the companies in need of such services were hundreds of consultants and service providers of all sizes, as well as government agencies and non-profit organizations. The industry's growth was supported by heightened concerns over terrorism and other disasters in the wake of the terrorist attacks on September 11, 2001; a massive blackout that affected the Eastern United States and portions of Canada on August 14, 2003; the U.S. military presence in Iraq; and Hurricane Katrina, one of the deadliest hurricanes in American history, which decimated the city of New Orleans, Louisiana, as well as much of the north central Gulf Coast, in the summer of 2005.

Despite a growing level of concern, many U.S. businesses had yet to engage in business continuity and disaster recovery planning by the early years of the twenty-first century's first decade. In a July 21, 2003 USA Today poll, 57 percent of respondents indicated that their companies had a business continuity plan in place, another 36 percent said their organizations did not have a plan, and 7 percent were unsure or failed to provide an answer. However, in the wake of disasters such as Hurricane Katrina, corporate preparedness had improved by the middle of the decade. A 2006 study conducted by the CPM Group and Deloitte & Touche's Security Services & Privacy Practice found that among those companies surveyed, 83 percent had established a formal business continuity management program.

ORGANIZATION AND STRUCTURE

Climate

The business continuity and disaster recovery planning industry's emergence and growth can be attributed directly to the environment of unprecedented risk that existed in the early twenty-first century. U.S. organizations of every type and size faced premeditated human acts like arson, sabotage, embezzlement, fraud, terrorist attacks involving chemical and biological weapons, theft, and vandalism. Environmental risks included everything from explosions, hazardous materials spills, broken water mains, labor strikes, and civil uprisings to power outages and transportation-related accidents involving airplanes, trucks, automobiles, and trains. These risks were in addition to a host of natural threats, such as earthquakes, wildfires, floods, hurricanes, and tornadoes.

Organizations

Within this uncertain environment, U.S. organizations without sound business continuity strategies had much to lose. In addition to critical assets like buildings, equipment, telecommunications systems, network infrastructures, and human resources, paper and digital assets also were at risk. These included multiple kinds of strategic, operational, and vendor data ranging from contracts, deeds, check ledgers, and credit applications to customer lists, employee files, invoices, legal documents, and titles.

In order to mitigate risks and ensure the continuance of operations, U.S. organizations employed a number of different tactics. Many companies simply relied on business insurance policies to cover potential losses. However, more progressive firms engaged in formal business continuity planning that addressed three principal areas. First was the aspect of disaster preparedness, which involved an organization's ongoing efforts to ensure readiness in the event of a disaster. Second was disaster response, which pertained specifically to a company's critical actions in the immediate wake of a disaster. Finally, disaster recovery encompassed the procedures required for maintaining or restoring operations.

The process of developing a business continuity plan varies from company to company, depending on an organization's size and focus, the industry in which it operates, available financial resources, and so on. It may involve completing a simple questionnaire, in the case of a smaller company, or involve several teams of staff and consultants in larger enterprises. In any case, the process often begins with some form of a risk assessment, whereby major vulnerabilities are identified in such key areas as telecommunications, computer networks, physical infrastructure, and equipment.

At some point, major business continuity goals and objectives are established. Virtually all organizational plans will share at least a few similar goals and objectives. These include preventing potential disasters, containing disasters that do occur, ensuring staff and customer safety, protecting assets, preserving data through back-up systems or network redundancy, identifying the exact manner in which the organization will respond during a disaster and how resources will be utilized, and minimizing or preventing disruptions to market share and cash flow. Beyond these, organizations may identify other goals and objectives that are specific to their enterprise or industry.

After goals and objectives have been identified, a period of information gathering often occurs, as key staff members or departments provide input regarding how their respective areas can preserve operations and continue to function in the event of a disaster. Once this critical information has been compiled, the business continuity plan is formulated. Following this, businesses must ensure that all employees are aware of the plan's existence and familiar with its contents. This is especially true of staff at the management level who may be required to fulfill a leadership role during a disaster. As part of their business continuity and disaster planning efforts, some organizations engage in regular disaster drills to familiarize staff with all elements of the plan.

Consultants

Consultants play a critical role assisting businesses of every type and size to engage in business continuity planning. In addition to a very large number of independent consultants and small consulting firms, virtually every large consulting enterprise was involved in business continuity planning by the middle years of the first decade of the twenty-first century.

In addition to traditional business consultants, some consultants specialized exclusively in the business continuity and disaster planning arena. As the U.S. Department of Labor's Occupational Outlook Handbook explains, "These consultants provide assistance on every aspect of security, from protecting against computer viruses to reinforcing buildings against bomb blasts. Logistics consulting firms also are finding opportunities helping clients secure their supply chain against interruptions that might arise from terrorist acts, such as the disruption of shipping or railroad facilities. As security concerns grow, rising insurance costs, as well as the threat of lawsuits, are providing added incentives for businesses to protect the welfare of their employees."

Product and Service Providers

Beyond traditional consulting players like Ernst & Young, many of the largest global technology and telecommunications firms offered business continuity services ranging from consulting to services for protecting and preserving data networks and digital assets. These included the likes of AT&T Inc., Hewlett-Packard Co., International Business Machines Corp. (IBM), and Electronic Data Systems Corp (EDS). They were joined by a vast array of small, medium, and large firms offering everything from business continuity plan software to safety products like disaster kits and fire extinguishers.

Government Agencies

A number of different government agencies play important roles in preventing and dealing with disasters. For example, low interest disaster loans are provided by the U.S. Small Business Administration. However, the U.S. Department of Homeland Security (DHS) arguably has the largest responsibility of any government agency. DHS carries out much of its emergency preparedness and emergency management efforts through the independent Federal Emergency Management Agency (FEMA), which became part of DHS on March 1, 2003. In addition to management of the U.S. Fire Administration, FEMA is responsible...