Getting Started
By JEFF BLACKMON, CBCP
The majority of business continuity/disaster recovery articles written
for trade journals are directed toward the technical audience. There
is an abundance of information available on the steps necessary to implement
a business impact analysis or build the disaster recovery plans necessary
to restore critical systems. But there is very little information available
as to what steps are necessary to start a business continuity project.
The project initiation can be one of the most difficult portions of
the project to complete. These days, the business continuity professional
needs to be just as much a salesperson as a business recovery planner.
The BC project has to be sold to upper management to get
their support. Without the support of upper management,
there is little hope of getting the project off the ground.
What exactly is business continuity?
Business continuity is a well-defined recovery process to keep your
company functioning through just about any disaster that may occur.
This may be a natural disaster such as an earthquake, hurricane, or
tornado. It can also be a man-made event such as a power outage, programmer
error or malicious deletion of data. The end goal is to have a plan
in place that mitigates the damage and keeps the company functioning
in such a way that your end clients are unaware of the problem situation
you may be dealing with. A business continuity plan is much more than
just a data center recovery plan. A BC plan also includes recovery of
critical data repositories, paper based functions and other critical
items that are required to run your business. A complete BC plan will
provide for the end-to-end, complete system recovery from the hardware
perspective, and the steps necessary to recover the business processes
as well.
Why do a BC plan?
The foremost reason behind business continuity planning is that it is
good business practice. It assures your employees, stockholders and
customers your company will still be in business after a disruptive
event. Don’t forget federal regulations. Regulations may require
some types of organizations to implement business continuity and disaster
recovery projects. Senior executives may no longer have the option to
choose whether or not they want to do business continuity. There has
been an abundance of new regulations implemented that have far-reaching
effects on many, if not all, companies. Some of the following regulations
may have an impact on your company’s business.
- HIPAA Plan (§164.308(a)(7)(i))
  Every covered entity that deals with protected health information
  (PHI) must have a contingency plan in place.
  - Most companies should have been in compliance by April 14, 2003.
  - Small companies should have been in compliance by April 14, 2004.
- National Association of Securities Dealers (NASD) Rule 3510 and 3520
  Requires members to create business continuity plans and provide emergency
  contact information. Effective dates:
  - Rule 3510
    - Clearing Firms: Aug. 11, 2004
    - Introducing Firms: Sept. 10, 2004
  - Rule 3520
    - All Firms: June 14, 2004
- Sarbanes-Oxley Rule 404
  Management will establish and maintain internal control structures
  and procedures for financial reporting. Effective dates:
  - Fully functional by April 15, 2005
- Gramm-Leach-Bliley Act (GLBA)
  GLBA provides provisions to protect consumers’ personal financial
  information held by financial institutions. There are three principal
  parts to the privacy requirements: the Financial Privacy Rule, Safeguards
  Rule and pretexting provisions. Effective dates:
  - Full compliance by July 1, 2001
A business continuity plan should be viewed as an investment in your
company. It provides the security in knowing your company should be
able to recover and continue from just about any type of disaster.
Where are we today?
With all of the new regulations and requirements in place, just where
are most organizations in the BC development process? The most accurate
assessment is that the majority of companies have a long way to go.
Most, if not all, companies have been battling budget problems during
the last five years or so. Almost all managers are under tight budget
constraints, short of staff and short of the knowledge base required
to plan and implement such a wide reaching project as business continuity.
This still appears to be the situation today. Business continuity has
a long way to go before being complete. In fact, most studies show
that business continuity planning is still in its infancy.
Do not get the idea that your company is the only one out there that
does not have a comprehensive plan. That is not the case. Below are
a few studies that give good indications of where business continuity
planning stands today.
- An IDC Survey shows that 80 percent of large companies have developed
BC/DR plans while only 40 to 45 percent of small- to medium-sized
companies have done so.
- Recent studies have shown that if a major disaster were to hit 100
companies simultaneously, only six would be in business after two
years. Some 43 would go out of business immediately after the event
and the remaining 51 would be out of business by the end of the second
year.
- A recent Roper study found there is also a great misunderstanding
between business executives and IT executives concerning vulnerabilities.
Some 52 percent of U.S. IT executives believe their organizations
are very vulnerable to critical data loss while only 14 percent of
business executives have the same belief.
Where do we start?
This may be the most difficult part of the project. BC/DR planning is
now becoming a higher priority subject matter than before. Adding to
the confusion is that many new players are getting into the business
continuity consulting field without the required experience. For example,
many ISPs are now calling themselves disaster recovery/business
continuity centers. Having a room full of disk drives to provide server
backups does not qualify an organization to call itself a BC expert.
This is the time to start asking for information on previous engagements
and the qualifications of the people they are proposing to your organization.
Check to see if they have a dedicated, certified staff that will be
assisting your BC project. I will say there is a strong chance the BC/DR
process is new to them as well, and they are scrambling to get a foothold
in the new market. They are probably also trying to obtain a qualified
BC/DR professional to work as a subcontractor in case the proposal
does go through. This process seems to be prevalent at this time.
One direction to take in finding a qualified BC/DR professional is
to speak with consulting companies that deal specifically in the area.
There are many major corporations in the BC/DR area that can provide
the services you require. The easiest way to find a list of these providers
is to look at the quarterly surveys and advertiser’s index in
the back of Disaster Recovery Journal.
Your company may want to hire a single contract consultant to help
develop a BC/DR plan. One of the easiest ways is to access the DRI International
Web site (www.drii.org) and perform a search for DRII certified individuals
by geography. A qualified professional will be able to lead your organization
in developing a fully functional BC/DR plan for a smaller to mid-size
company. Larger companies may want to bring in a certified professional
to help coordinate activities or protect your company’s interest
when dealing with the larger BC/DR service providers.
Pricing
I have witnessed multiple examples of companies wanting to implement
a full business continuity plan under a fixed-cost type of arrangement.
A fixed cost pricing structure for the entire BC project is probably
not the best way to proceed.
The first portion of the BC project is to complete a full business impact
analysis (BIA). This part of the project should be handled as fixed
price and separate from the rest of the project. The BIA determines
the following information:
- Identifies critical business processes.
- Identifies recovery objectives such as RTO and RPO.
  - RTO (recovery time objective): how long your systems can be down.
  - RPO (recovery point objective): how much information your
    organization can afford to lose.
- Identifies risks that the organization is vulnerable to.
The BIA is probably the most critical part of the business continuity
plan. The output of the BIA is the input for the BC and/or DR plan.
There is no way to accurately estimate business and technical requirements
of a BC/DR plan before the BIA is complete. Before a BIA has been completed,
the scope of a BC/DR project is too ill-defined to make educated cost
estimates. Therefore, if you receive a fixed cost for the entire project
before the BIA is complete, there is a very good chance the costs are
inflated to cover many unknowns.
After the BIA is complete, the pricing for the BC/DR portion of the
project can be negotiated. This now can be done as a fixed price project
since the scope is much better defined. The other option is to continue
the project under the pricing of time and expenses (T&E). The client
company can then control the costs of the project and call in the BC/DR
professional as needed. There are many steps of a BC plan such as public
relations management, awareness training and others that can be completed
by the client company. The BC/DR professional would be able to assist
and supervise many of these subject matters, but leave major portions
of the data collection and implementation to the client company. This
is one way to help keep costs under control.
The project is now moving
The best way to implement BC/DR is to take a proactive approach
and consider BC/DR requirements as part of the program development process.
Understand that business continuity is not a static project with a definite
start date and a definite end date, but more of a continuing process
of assessment and improvement. As your company changes, so does your
plan. The best approach is to build the plan in incremental steps, not
the big bang approach. This gives the business the ability to prioritize
business functions and then develop BC plans for where they are needed
most.
If your business continuity project has progressed this far in the
development cycle, then you are well over the major hurdle of getting it
started. The rest of the project should start to fall into place and
become more obvious as time goes on. There are also many steps of the
project that can be addressed concurrently after the initial start-up
phase. This is one of the ways to shorten the total time of the project.
The final objective of a successful business continuity project is
to produce a cost-efficient and effective business recovery plan. Best
of luck with your project now that you have it off the ground and moving
forward.
Jeffrey D. Blackmon, CBCP, is an independent consultant in the field of
business continuity and disaster recovery. He has 25 years of experience
in the IT field, both in mainframe and distributed systems. He is based
in the Midwest and can be reached at jdblackmon@sbcglobal.net.
© Copyright 2005 Systems Support Inc. All rights reserved. Reproduction in whole
or in part in any form or medium without the express written permission
of System Support Inc. is prohibited.