Event
- A severe storm visits the area in which the organization is headquartered.
- Power is knocked out to all businesses in the area.
- The IS emergency generator kicks in and keeps the servers serving up data.
- The desktop computers, however, lack power and are useless.
- The special call center telephones lack power and are useless.
- Only the emergency lights are on.
- The air conditioning lacks power so the environmentally-sound building is not habitable for extended periods.
- But the servers are working.
- The IS interests are functioning.
However ...
Problem is, no one is able to enter data, to retrieve data, or to massage data to make the fully functioning servers anything more than heat-generating boat anchors.
If the organization had never experienced a disaster, the absolute focus on IS might be understandable. But the organization had experienced disaster – it had offices in one of the World Trade Center towers when the planes hit. (None of the organization’s personnel were injured; all escaped to safety.)
It cost the organization dearly to have outside vendors perform the work it had been doing in the tower.
Did management learn anything from 9/11?
Apparently not, at least so far as business continuity planning is concerned.
Business continuity, for IS, is first and foremost a matter of saving yesterday’s computer tapes at a commercial vault across town.
Given all of the above, should IS be in charge of the business continuity plan?
Shortly after the storm put the call center out of business for five days, a hardware failure put the call center out of business for five critical hours.
It wasn’t a big hardware failure. Actually, it was a board in a computer.
When the data center is critical to an organization’s success, it should be a safe assumption that there would be spares available. If not boards, then entire systems ready to load with the latest (yesterday’s) data. Maximum outage: one hour, maybe. Certainly not five.
Given all of the above, should IS be in charge of the business continuity plan?
If not IS ...
If IS can’t be depended upon to create a business continuity plan for the business, what department should inherit the effort?
Consider this. The best business continuity plan requires support from all personnel, from the newest intern to the most senior board member.
If top management is lukewarm to the idea, lower managers will perceive that when it comes to setting priorities, business continuity can be pushed aside. If time must be spent with the planner, let it be by someone other than a critical player – the new guy who really can’t contribute all that much right now.
Business continuity, then, needs a stratospheric sponsor. Someone with a “C” in front of the title, such as CEO, COO, or perhaps CFO.
Each of these “C’s” has one thing in common: they are charged with protecting the organizational bottom line, which, after all, is what business continuity is all about.
A board member might sound like the ideal sponsor, but board members often are from the outside; they are not visible bodies on a daily basis.
The CEO, COO, and CFO are more visible, and in order to succeed, the planning process needs sponsors who are highly visible.
There may be a temptation to put an engineer in charge, especially if the organization manufacturers a product. Engineering is IT with a slide rule.
Honest Brokers
All too often VP-level people get into “turf wars.” CEOs, COOs, and (usually) CFOs remain aloof from the skirmishes, waiting to be called in as “honest brokers” to make peace among the combatants.
The peacemakers – the diplomats upon whom everyone depends – are the only valid candidates to sponsor the business continuity effort (people who are at least perceived to be even handed and impartial).
Business continuity’s sponsor must have several attributes:
- The sponsor must be an “800-pound gorilla” within the organization.
- The sponsor must have a fiduciary interest in the organization.
- The sponsor must have financial influence to secure a business continuity budget.
- He or she must have the ability to – one way or the other – “encourage” everyone up and down the organizational ladder to candidly cooperate with the planner or planning team.
- Finally, the sponsor must understand that the flag waving must be ongoing. If the sponsor’s enthusiasm is perceived to waiver, the planning process is jeopardized.
Even a plan’s staunchest supporters realize that taking time out to work with the planner is taking time away from the “real” work – never mind the plan might save the “real” work processes if a risk occurs.
By the same token, the planner must provide the flags to wave. The planner can provide updates for house organs, meet with mid-level managers and staff, and generally be a “presence.” (Even planners working off site can have a “presence,” but it takes a little more effort.)
Mini Plans for Symbiotic Whole
I am in favor of creating a focused plan for IS. Likewise, a focused plan for facilities, HR, accounting, manufacturing, and each business and support function.
If something happens within a function that can be handled by the people in that function without a negative impact on other functions, that is where the effort should be made.
All the mini-plans need to roll up, eventually, into an enterprise plan.
The enterprise plan has two inherent advantages to focus-only plans:
1. It recognizes interdependencies, both internal and external.
2. It takes advantages of scale.
The first advantage – recognizing interdependencies – should prevent the situation described earlier where the IS machines were functioning, but the people who normally use the data on the machines were unable to work because the phones were down, the air conditioning was off, and the office was dark.
The second advantage – utilizing resources beyond a specific group or even campus – helps keep costs down while enhancing organizational control during and following a disaster event.
Bottom Line
The bottom line, as this planner sees it, is that IS should be in charge of business continuity ... for IS.
Likewise, production should be in charge of business continuity for production.
Each of the individual plans must roll up into a facility plan, and the facility plan should roll up to a corporate plan.
Each plan entity – IS, production, facility, and corporate – needs primary and alternate personnel assigned to both business continuation and to disaster recovery functions. Each level needs to know when, and how, to escalate a situation.
Finally, each plan must be exercised – not tested, since there is no pass or fail here – as an independent entity and again as part of the next higher level’s plan.
Overall plan sponsorship and control belongs in the hands of someone above the group level. To be successful, the plan must be above politics, and that means sponsorship at the highest level.
John Glenn, MBCI, is a certified business continuity planner who has been creating survival plans for Fortune 100s, government, and internationals since 1994. Comments about this, and other articles at http://johnglenncrp.0catch.com/ may be directed to JGlennCRP@yahoo.com.
