It is also necessary to include such parameters as the loss of a key individual’s knowledge, the impact of unfamiliar work environments, employees’ obviously stressed state of mind, impaired ability to communicate or even the simple difficulties in commuting to and from work.
It’s difficult to imagine, much less incorporate into a business recovery plan, the amount of employee time and productivity lost, for instance, in hospital visits to injured cohorts or the staggering number of death services and funerals to be attended when thousands are impacted.
Simple things, like having a place for a person to work with a telephone and a network-attached desktop PC, become incredible challenges.
During a time when an erroneous decision could possibly place the entire company in jeopardy, effective, level-headed decisions are expected from people who have just recently lost family, friends, cohorts, managers and acquaintances. Analyzing this in a calmer light would reveal that management expectations such as these are totally unrealistic.
It’s easy, from an individual’s perspective, to define which portions of contingency planning are the responsibilities of IT, which portions belong to facilities and so on. However, many of the real issues can fall in the huge gray area lying between those so-called obvious responsibilities.
It would be nice if each company had a contingency planning organization with corporate authority and worldwide responsibility. That organization could then take full responsibility for all activity necessary to guide the company through a period like the one the World Trade Center businesses are currently experiencing.
Painful lessons have been learned. It is now necessary for all of us (IT, facilities, emergency health services, purchasing, space planners, security, etc.) to polish up our collective crystal balls and utilize the resources at our disposal to identify all conceivable activities of potential impact. This doesn’t mean we must commit to a multi-million dollar, automated recovery plan for each remote possibility; but we must, at least, have a comprehensive plan identifying the real business impacts and an approach for addressing each of them.
The plan must determine where each business function is going to be performed, who is going to do it and the availability of recovery equipment, i.e., servers, phones, PCs, printers, copiers, faxes, as well as obvious factory equipment.
The plan must also provide an approach, when necessary, to quickly access trained, non-emotional personnel (managers and staff) who have, as a course of business, received continuous advanced cross-training that will allow them to immediately step in and hit the ground running.
Today’s conventional organizational structure does not specifically identify business contingency planning as a corporate function. Consequently, the only way to accomplish this level of business recovery planning is to enlist, with management support, the involvement of multiple organizations. A task force should be formed from these participating groups, with the main goal being a comprehensive business impact analysis to identify and quantify the value of each business-critical corporate function.
My definition of a “business critical function” is, simply, to build and retain satisfied customers effectively. This requires:
• Designing quality product or service;
• Marketing and selling product or service;
• Creating quality product or service to design specification;
• Shipping product or performing service;
• Receiving payment for products/services.
If a function is necessary to properly perform any of the above activities, it is business critical and must be effectively performed through any type of adverse situation. We have to get better:
• Executive management involvement must be prevalent;
• Continuous multi-site management and employee cross-training should be the norm;
• An active, multi-organizational task force must be formed, activated and gathered periodically to create and review any potentially new or changed requirements:
  • Identify all business critical processes;
  • Perform and periodically update an in-depth business impact analysis;
• Total business contingency planning must be a recognized priority activity;
• Disaster recovery exercises must be religiously conducted with realistic, specific disaster scenarios spanning the multiple corporate functions;
• Contingency planning and exercise responsibility should be included in each responsible individual’s goals and objectives.
It will not be possible to accomplish all this overnight, but it is extremely important to expeditiously pursue this activity while the stark memories and repercussions of these terrible attacks are vivid in our minds.
Dan Perry has managed different computer systems support organizations for more than 20 years. He has been in management with AMD for more than 13 years and currently holds the position of senior IT staff member responsible for IT disaster readiness worldwide.