Statistics taken from recent natural disasters (large and small) are enlightening and lead even the most fearless business executive to think twice about running a business without a plan addressing the unexpected. The following is a summary of some of the dangers that could result from a lack of business continuity planning:
- 43% of US companies never reopen after a disaster, and 29% more close within 3 years (U.S. National Fire Protection Agency).
- 20% of small to medium size businesses suffer a major disaster every five years (Richmond House Group).
- The 1992 Chicago flood resulted in 230 downtown buildings without power for over a week, affecting 8,000 to 10,000 businesses - estimated losses exceeded $1.5 billion.
- A January 1998 ice storm in Southern Quebec resulted in business losses estimated at $1.1 billion (DRJ, Spring 1998).
- 60% of businesses in the World Trade Center were out of business within two years of the terrorist bombing because they did not have business continuity plans (Canadian Insurance Company).
- The well-publicized eBay disruption last year resulted in between $3-5 million in lost revenues for the 22 hour outage (Dow Jones Business News, July 1999).
- 93% of companies that suffer a significant data loss are out of business within 5 years (U.S. Bureau of Labor).
- Computer downtime costs US businesses $4 billion a year, primarily through lost revenue (DRJ, Winter 1998).
- While 98% of Chief Information Officers polled agree on the importance of a disaster recovery plan, 25% do not have one (RHI Consulting survey).
- Criminals now choose electronic methods of harming businesses more than any other (National Computer Security Association).
- The FBI estimates that computer crime in 1996 cost $10 billion in the U.S.
- Disgruntled employees are the largest and single most damaging source of risk (National Computer Security Association).
- Average financial impact of one hour of data center technology services downtime (Contingency Planning Research):
  - Telephone ticket sales - $69,900
  - Airline reservation centers - $89,500
  - Retail catalog sales centers - $90,000
  - Infomercial 800-number promotions - $199,500
  - Credit card sales authorizations - $2.6 million
  - Retail brokerage firm - $6.5 million
Business continuity planning means formalizing a company's strategy for dealing with the unexpected and unknown by planning, training and testing for the recovery of critical business processes and information technology systems in a timely fashion to minimize the impact of any disruption on the business and the customer. Common disaster scenarios addressed by business leaders include:
- Snow or ice
- Extreme heat
Yet many businesses are willing to accept the risk of these natural disasters due to their perceived unlikelihood; hence they feel business continuity planning is not necessary. However, senior leadership often fails to recognize the following common threats that have nothing to do with geographic location or the threat of natural disaster:
- Work-place violence
- Leadership succession planning
- Workforce unavailability
- Computer/Internet-based crime (including denial of service attacks)
- Geographic restrictions caused by events, such as chemical contamination
- Power outage, which caused 29.48% of computer outages (DRJ, Winter 1998)
- Computer viruses, which caused 7% of data loss (Ontrack Data Protection)
- Telecommunications failure, which caused 46.0% of U.S. companies to experience business interruption (CFM Magazine, 1997)
- Asset malfunction (including computer hardware and software failures)
- Human error, which caused 34.4% of business interruptions over the past five years (DRJ, Winter 1998)
Business continuity planning is not simply 'checking a box' by purchasing a hot site contract or a business continuity planning software package. Additionally, simply having a documented plan is not enough. Based on our experience with clients depending on a more traditional technology infrastructure, as well as companies relying more heavily on the Internet, we have identified the ten most common business continuity planning 'mistakes' and have included 'best practice' solutions to increase the likelihood of timely business process and information systems recovery:
1. Over Reliance: Relying on a business continuity plan can lead to a false sense of security and potential business failure if the plan is not updated regularly and fully tested. Formal mechanisms should be in place to force a plan update on a regular basis or when significant systems or business process change occurs. A comprehensive business continuity plan will include mechanisms to ensure periodic updates. In addition, recovery personnel must be trained on plan execution and employees must be aware of the plan's provisions.
2. The Wrong Owner or Project Manager: Senior management often appoints the wrong person to manage the BCP process. Someone should be named who has the power to lead, influence, support, prioritize and organize the project. Senior management must provide full support to the project team and mechanisms should be developed to keep the senior staff fully informed of the business continuity planning project status. Senior management will play a critical role not only in approving continuity strategies for critical business processes, but also in deciding which processes are critical and must be planned for. Additionally, if an outside consultant is named to the project, their role should focus on facilitation, not project ownership. Finally, the business continuity planning project team should plan to empower employees during the implementation of the plan whenever possible and strive to eliminate situations where centralized execution takes place. The plan should name individuals who are authorized to execute the plan (centralized control); however, once this execution order is given, the various recovery teams should know exactly what to do without further specific instructions (decentralized execution).
3. Segregated Planning Process: Companies often limit the scope of their efforts to systems recovery or consider information technology assets and business process separately. Business continuity planning requires consideration of both business process and systems recovery together, given technology often plays a critical role in the business process. The plan must address those processes that coincide with corporate strategy and objectives. Another common mistake related to project scope is focusing on either emergency response or recovery. The business continuity plan must address emergency response (employee/customer safety and situation containment) as well as business process recovery. Also, senior management is often unaware of their legal requirement to plan for the continuity of critical business processes and must understand local statutes and industry regulations governing business resumption and disaster recovery.
4. Lack of Planning Prioritization: Prioritizing key business processes is a critical step that often does not get appropriate attention from senior management. Without prioritization, a plan may recover less-than-critical business processes rather than the ones crucial for survival. Furthermore, vulnerability should also be considered and taken into account when prioritizing which processes will be planned for first. Additionally, each critical process that is identified should be assigned a recovery goal (timeframe) by senior management given that some business processes become more critical sooner than others. Finally, due to the fact that business processes are often interdependent, senior management must decide the order in which business processes and systems are recovered.
5. Safety Deficiency: At all stages of the business continuity planning processes, employee, business partner and customer safety must be taken into account. Plan tests must include safety mechanisms to ensure all parties understand the scenario and that it is only a test. Additionally, the plan should include safety controls to minimize casualties in the event of a disaster and ways to contain the situation to minimize or eliminate risk.
6. Inadequate Communications: Communications issues are often overlooked. Often, corporations lack formal communications plans to contact employees, vendors, business partners and clients. Strategies to address how these groups obtain recovery status updates are often inadequate. 'Best practice' business continuity plans should include contact information and communications strategies for employees, vendors, business partners and key clients. These plans typically include a voice mail box outside of the standard PBX system where employees and clients can call to obtain a status update in the event of a business process disruption, as well as web site addresses where employees and customers can go for further information.
7. Poor Security: Physical and information systems security controls are often disregarded during plan development and implementation, resulting in greater risk exposure during recovery operations. In order to recover equipment and/or supplies quickly and without interference, as well as to process insurance claims in a timely manner, physical security over a disaster site is an important consideration. Additionally, the same logical security controls should be in place for the back-up information systems as the primary processing environment.
8. Ineffective Public Relations Response: Practitioners often fail to plan for public relations and investor considerations, missing the opportunity to limit perceived impact by the public and investors. Business continuity plans should include a list of media-trained personnel, generic statements that can be customized quickly to provide the media with some initial information on the disaster/disruption, actions being taken to contain the problem and procedures to recover the business. Whenever possible, a single spokesperson should be responsible for communicating with the media in order to ensure consistency.
9. Lack of Insurance Requirements Planning: Many business continuity plans fail to adequately plan to support the filing of insurance claims, resulting in delayed or reduced settlements. In regard to insurance, the plan should include insurance company contact information, policy numbers and inventories of critical equipment (equipment name, serial number, cost, replacement cost, vendor contact information) to facilitate the processing of claims.
10. Poor Recovery Services Evaluation: Many companies poorly evaluate recovery products (hot sites, cold sites, off-site storage and planning software), relying on vendor-supplied information. Additionally, some companies eliminate the product or service simply due to cost without understanding how it could significantly affect the timely recovery of a critical business process. Others feel a hot-site or off-site storage is the sole solution to 'checking the box' for business continuity planning. Lack of foresight may lead to a solution that does not adequately address a company's needs. As part of the business continuity planning process, senior management and the project team must determine which business processes will be addressed in the plan and the budget for recovery planning. Once this important step is complete, professional recovery services should be evaluated as part of the overall recovery strategy, not the sole solution that can replace a documented and tested recovery procedure for the entire business process. Finally, although local authorities (police, emergency medical services, hospitals and fire departments) are not recovery services, their expertise should be taken into account when developing local business continuity plans.
The implementation of a strong BCP methodology for the development of a plan can help prevent making common planning mistakes. To start, a BCP methodology should have a business orientation, including a focus on the following key objectives:
- A concentration on business objectives and not on technical objectives
- A focus on critical business products, services and/or financial goals
- An integrated planning approach with all critical elements addressed, as opposed to a components-based approach
- Identification of key factors and performance metrics that will be critical in plan development and execution (i.e., maximum allowable downtime and data loss)
- A methodology that prevents over-investment or ineffective investment (i.e., solutions that focus on the recovery of technology but not business operations)
Numerous methodologies covering BCP plan development and execution exist; however, most methodologies have a basic make-up. The process can be summarized with the following key phases:
1. Discovery and Planning
2. Risk, Business and Cost Analysis
3. Plan Development and Maintenance
4. Plan Validation, Training and Approval
Discovery and Planning
The discovery phase involves defining the scope of the BCP project and gaining an understanding of the expectations and goals of the project. This phase primarily involves discussions with key management representatives from IT and all business units to gain a thorough understanding of critical business processes. During this phase, data collection is performed, which includes items such as business processes, asset inventory (equipment and non-electronic data), personnel directories and contact numbers, existing BCP and DRP plans and insurance policies.
Results of the discovery phase should include the following:
- A detailed project plan
- Documented business processes
- A database of resource and asset inventories related to recovery
- A listing of insurance and other policies related to recovery
Risk, Business and Cost Analysis
The analysis phase consists of completing a risk assessment, business impact analysis ('BIA') and a cost benefit analysis ('CBA'). The risk assessment determines the types of risks that are present for the business and industry, as well as all geographical locations. This analysis includes reviewing the likelihood of each type of risk and the critical business processes' vulnerability. This information will be used by the BCP management team to determine the key business processes that are vulnerable and therefore should be addressed by a business continuity plan.
The BIA takes the information from the risk assessment and estimates the potential losses to the business, from both a quantitative and qualitative perspective, for the different disaster scenarios that could occur. This will include assessing the impact to the business over a period of time. For example, a company may be able to continue business for 4 hours without information systems but would begin to feel a significant business impact without systems for 8 hours or more. Creation of the BIA will start the thinking process to formulate risk mitigation steps that will be addressed as part of the business continuity planning process. Additionally, by agreeing on criticality timeframes, recovery windows will begin to be developed.
The CBA is developed to weigh the options of addressing business process risks, including internal (IT, business resources, etc.) and external costs (equipment acquisition and disaster recovery / business recovery contracts). The CBA should be used to weigh the costs of each recovery strategy against the cost of doing nothing.
Results of the analysis phase should include the following:
- Risk assessment
- Business impact analysis
- Cost benefit analysis
Plan Development and Maintenance
This phase consists of developing the plan strategies, the BCP plan itself and maintenance procedures to ensure the plan stays current to meet the evolving needs of the business. Strategy development consists of formulating alternative strategies to mitigate the risks identified in the BIA. This phase involves substantial interviewing time with management and employees to ensure that an understanding of the business processes has been obtained and to ensure that each business unit supports potential BCP solutions. This provides senior management with complete information so that an informed decision can be made regarding the most appropriate and cost-effective solution.
Once a solution has been decided upon, a comprehensive plan can be created. The plan should address emergency response, business resumption and business restoration. The plan should be fully documented and available to all recovery personnel in the event of a disaster. The BCP management team should include several alternatives for plan accessibility (e.g., electronically stored on a Web server, off-site hard copies at key employee homes, off-site hard copies at recovery sites, etc.). Once a plan is developed, it is imperative that the plan be kept up-to-date to reflect the current business and technology environments. A procedure should be implemented to ensure the plan is updated on a periodic basis.
Results of the plan development phase should include the following:
- Recovery strategy recommendations
- Business Continuity Plan, including procedures for emergency response, business resumption and business restoration
- Recovery team procedures
- Plan change control and maintenance procedures
Plan Validation, Training and Approval
Once the plan is developed, the next step is validating the plan to ensure it will actually work according to expectations and requirements. The organization should run training sessions to walk recovery team personnel through their assigned responsibilities. The next step is to stage exercises to test all components of the plan. Once testing is completed and all results are accepted by business owners and senior management, the plan should be updated to reflect the results of the test and any areas that failed to recover a critical process should be revisited.
At this point, the plan should be officially approved by management, acknowledging the plan meets expectations. Testing and plan approval should be performed annually or whenever a major change occurs (e.g., merger or acquisition, technology infrastructure change, new business development, major personnel change, etc.).
Results of the plan validation, training and approval phase should include the following:
- Documented test plans and evaluation criteria
- Documented test results
- Trained BCP team personnel
- Structured training program and materials
- Management approval
Companies that avoid the ten common BCP pitfalls noted above and implement a sound business continuity planning methodology significantly increase their odds of a successful and timely resumption of business and information technology operations.
Dan Carson (ABCP) is a Manager and Brian Zawada (CBCP) is a Consultant in Arthur Andersen's New York Computer Risk Management (CRM) practice. CRM provides technology management and control-related support for the firm's Financial Audit, Business Advisory and Contract Audit Services practices. Dan is an Associate Business Continuity Planner (ABCP) and Brian is a Certified Business Continuity Professional (CBCP).