DISASTER RECOVERY 
JOURNAL

P. O. Box 510110
St. Louis, MO 63151
(314) 894-0276 
Fax: (314) 894-7474
Internet www.drj.com 
E-mail drj@drj.com

PUBLISHER &
EDITOR-IN-CHIEF
Richard L. Arnold, CBCP
richard@drj.com

SENIOR EDITOR
Janette Ballman
janette@drj.com

MANAGING EDITOR
Jon Seals
jon@drj.com

COPY EDITORS
Richard Sandhofer
richards@drj.com
Pamela Clifton
pamelaclifton@hotmail.com

ADVERTISING 
Robert Arnold
bob@drj.com

_____________

Corporate

President/CEO
Richard L. Arnold, CBCP
richard@drj.com

Vice President 
Robert Arnold
bob@drj.com

CONFERENCE COORDINATOR
Patti Fitzgerald, CBCP
patti@drj.com

CONFERENCE REGISTRAR
Merce Knese
mercedes@drj.com

CIRCULATION
Laura Baugh
laurab@drj.com

EXECUTIVE COUNCIL
Mike Croy, Forsythe
Jeff Dato, MBCP, KPMG
John Jackson, IBM
Edward S. Devlin, E.S. Devlin & Associates
James Hammill, CBCP, JMH Consulting Inc.
Pat McAnally, SunGard Availability Services
Randy Till, Mastercard International
Brian Turley, Strohl Systems
Belinda Wilson, Hewlett-Packard


INTERNATIONAL
CONTACTS
England: Thom Hetherington
Business Continuity 
Phone: 0161-237-1007
thomh@tempus.demon.co.uk

Australia: Anthony J. Harvey
Journal of Business Continuity
Phone: 0011-613-953-0055-8
fax: 0011-613-953-0528
sector@notability.com.au

Japan: Shinji Hosotsubo
Quake Japan Co., Ltd.
Phone: 03-3215-2880
fax: 03-3215-2881

Brazil: Jose Carlos Ferreira
Disaster Recovery Mercosul
Phone: 55 11 3666-9506
conc2000@uol.com.br

Click Here for a Printable Version

PLANNING ISSUES

Who’s in Charge?
Should Business Continuity be an IT Function?

By JOHN GLENN, MBCI

In many organizations, information technology (IT) has responsibility for the business continuity plan.
It is a natural. IT was the sponsor – and primary beneficiary – of an organization’s disaster recovery plan. Business continuity, as many in IT see it, is just the current name for disaster recovery. Thus, IT should retain sponsorship and continue to be the primary beneficiary of the business continuity or disaster recovery plan.

Scenario
- The organization’s principle business function is a call center.
- People call into the call center for information.
- People in the call center call out to move the product.
- Information systems (IS) is responsible for the telephones and fax machines used by call center personnel and for the desktop equipment and infrastructure that moves data to and from the servers in the computer room.
- The servers are equipped with an external generator with a 24-hour fuel supply and guaranteed fuel top-offs.
- IS sponsors the business continuity plan.

Event
- A severe storm visits the area in which the organization is headquartered.
- Power is knocked out to all businesses in the area.
- The IS emergency generator kicks in and keeps the servers serving up data.
- The desktop computers, however, lack power and are useless.
- The special call center telephones lack power and are useless.
- Only the emergency lights are on.
- The air conditioning lacks power so the environmentally-sound building is not habitable for extended periods.
- But the servers are working.
- The IS interests are functioning.

However ...
Problem is, no one is able to enter data, to retrieve data, or to massage data to make the fully functioning servers anything more than heat-generating boat anchors.
If the organization had never experienced a disaster, the absolute focus on IS might be understandable. But the organization had experienced disaster – it had offices in one of the World Trade Center towers when the planes hit. (None of the organization’s personnel were injured; all escaped to safety.)
It cost the organization dearly to have outside vendors perform the work it had been doing in the tower.

Did management learn anything from 9/11?
Apparently not, at least so far as business continuity planning is concerned.
Business continuity, for IS, is first and foremost a matter of saving yesterday’s computer tapes at a commercial vault across town.
Given all of the above, should IS be in charge of the business continuity plan?
Shortly after the storm put the call center out of business for five days, a hardware failure put the call center out of business for five critical hours.
It wasn’t a big hardware failure. Actually, it was a board in a computer.
When the data center is critical to an organization’s success, it should be a safe assumption that there would be spares available. If not boards, then entire systems ready to load with the latest (yesterday’s) data. Maximum outage: one hour, maybe. Certainly not five.
Given all of the above, should IS be in charge of the business continuity plan?

If not IS ...
If IS can’t be depended upon to create a business continuity plan for the business, what department should inherit the effort?
Consider this. The best business continuity plan requires support from all personnel, from the newest intern to the most senior board member.
If top management is lukewarm to the idea, lower managers will perceive that when it comes to setting priorities, business continuity can be pushed aside. If time must be spent with the planner, let it be by someone other than a critical player – the new guy who really can’t contribute all that much right now.
Business continuity, then, needs a stratospheric sponsor. Someone with a “C” in front of the title, such as CEO, COO, or perhaps CFO.
Each of these “C’s” has one thing in common: they are charged with protecting the organizational bottom line, which, after all, is what business continuity is all about.
A board member might sound like the ideal sponsor, but board members often are from the outside; they are not visible bodies on a daily basis.
The CEO, COO, and CFO are more visible, and in order to succeed, the planning process needs sponsors who are highly visible.
There may be a temptation to put an engineer in charge, especially if the organization manufacturers a product. Engineering is IT with a slide rule.

Honest Brokers
All too often VP-level people get into “turf wars.” CEOs, COOs, and (usually) CFOs remain aloof from the skirmishes, waiting to be called in as “honest brokers” to make peace among the combatants.

The peacemakers – the diplomats upon whom everyone depends – are the only valid candidates to sponsor the business continuity effort (people who are at least perceived to be even handed and impartial).

Business continuity’s sponsor must have several attributes:
- The sponsor must be an “800-pound gorilla” within the organization.
- The sponsor must have a fiduciary interest in the organization.
- The sponsor must have financial influence to secure a business continuity budget.
- He or she must have the ability to – one way or the other – “encourage” everyone up and down the organizational ladder to candidly cooperate with the planner or planning team.
- Finally, the sponsor must understand that the flag waving must be ongoing. If the sponsor’s enthusiasm is perceived to waiver, the planning process is jeopardized.

Even a plan’s staunchest supporters realize that taking time out to work with the planner is taking time away from the “real” work – never mind the plan might save the “real” work processes if a risk occurs.

By the same token, the planner must provide the flags to wave. The planner can provide updates for house organs, meet with mid-level managers and staff, and generally be a “presence.” (Even planners working off site can have a “presence,” but it takes a little more effort.)

Mini Plans for Symbiotic Whole
I am in favor of creating a focused plan for IS. Likewise, a focused plan for facilities, HR, accounting, manufacturing, and each business and support function.
If something happens within a function that can be handled by the people in that function without a negative impact on other functions, that is where the effort should be made.
All the mini-plans need to roll up, eventually, into an enterprise plan.

The enterprise plan has two inherent advantages to focus-only plans:
1. It recognizes interdependencies, both internal and external.
2. It takes advantages of scale.

The first advantage – recognizing interdependencies – should prevent the situation described earlier where the IS machines were functioning, but the people who normally use the data on the machines were unable to work because the phones were down, the air conditioning was off, and the office was dark.

The second advantage – utilizing resources beyond a specific group or even campus – helps keep costs down while enhancing organizational control during and following a disaster event.

Bottom Line
The bottom line, as this planner sees it, is that IS should be in charge of business continuity ... for IS.
Likewise, production should be in charge of business continuity for production.
Each of the individual plans must roll up into a facility plan, and the facility plan should roll up to a corporate plan.
Each plan entity – IS, production, facility, and corporate – needs primary and alternate personnel assigned to both business continuation and to disaster recovery functions. Each level needs to know when, and how, to escalate a situation.
Finally, each plan must be exercised – not tested, since there is no pass or fail here – as an independent entity and again as part of the next higher level’s plan.
Overall plan sponsorship and control belongs in the hands of someone above the group level. To be successful, the plan must be above politics, and that means sponsorship at the highest level.

©Copyright 2004 Systems Support Inc. All rights reserved. Reproduction in whole or in part in any form or medium without the express written permission of System Support Inc. is prohibited.