As Information Technology (IT) has increased in sophistication, decreased in price relative to computing power, and become more important throughout business operations, organizations came to rely more heavily on the availability of their IT systems. Disaster Recovery, which anticipated a certain length of down time, gave way to Business Continuity. Business Continuity aims at making any down time transparent to those outside the organization, i.e. the customer. In essence, Business Continuity attempts to foresee potential disasters and develop plans that would allow service to continue through and after the disaster. Furthermore, as use of technology becomes common place throughout organizations, planning efforts are struggling to become "enterprise wide" and seek to incorporate user needs with the data center response plan. Top corporate management support is needed to implement these activities, and keep them up-to-date.
Planning: History of Highly Protected Risks (HPR) & HPR Insurance
The Highly Protected Risk (HPR) evolved as a response to the industrial revolution. An agrarian society with a barter system of commerce was transformed into an industrial society with a monetary commerce system. Wealth, in the form of the means of production, became centralized and concentrated in cities and huge factories, mills, and manufacturing complexes. Corporations and trusts were formed, building large, highly valued plants. The HPR insurance market was established to underwrite these huge concentrations of value. Loss Prevention became and still is the underpinning of the Highly Protected Risk seeking to ensure that all reasonable actions are employed to prevent losses before they occur.
Highly Protected Risk insurance underwriters established criteria, listed below, which are used to qualify a specific facility or corporation as worthy of HPR consideration.
1. Concerned management interested in implementing an aggressive program of loss prevention and control.
2. Substantial construction in good repair with adequate exposure protection.
3. Appropriate automatic extinguishing or suppression systems installed wherever there is combustible construction or occupancy.
4. The identification and evaluation of all hazards peculiar to the class of occupancy, with the provision of proper supplementary protection.
5. Provision of an adequate water supply for automatic extinguishing systems, interior standpipes, and exterior hose lines and hydrants; and the availability of a public fire department and private emergency response team that can manually effect final extinguishment of a fire, or provide a trained response to non-fire incidents.
6. Adequate interior and exterior surveillance, using guard patrol tours, electronic surveillance systems, continuous occupancy, or a combination of these.
Clearly, many of the objectives and activities required of current Business Continuity Planning are similar to traditional HPR loss prevention. Both activities require the active commitment of top management. Both activities rely on accurately assessing hazards and employing appropriate mitigation techniques.
HPR insurance, which was in its infancy, provided the business continuity planning of the period around the industrial revolution. Since this was a century before computers, attention was not limited to a data center but directed throughout the entire organization. And, since time was not such an essential factor in business processes of this time, monetary recompense (insurance) was the historical equivalent of a hot site. It allowed an organization suffering a disaster to recover by providing the financial resources to rebuild. In today's electronic age, insurance alone no longer responds fast enough to ensure an organization's survival. A Business Continuity Plan is often necessary in order to recover quickly enough from a disaster to remain viable.
Both DR/BCP and HPR Insurance seek to fully understand the client's business in order to develop reasonable solutions. However, because of the historical development of HPR Insurance and Business Continuity Planning, the HPR field generally has a great deal of expertise in the manufacturing industries while the DR/BCP field generally has a great deal of expertise and client base in the service industries.
Participation in various Disaster Recovery and Business Continuity forums, symposiums, and exhibitions reveals that most Business Continuity professionals still maintain a Data Center mindset. Enterprise wide planning exists in a data center universe in that the definition relates to all "critical" users of data center services throughout the organization, not necessarily to all critical production processes or facilities. Reviewing those attending these events we find the majority of vendors supply IT Recovery services. The majority of consultants develop plans and software aimed at accumulating data of IT applications, hardware requirements, etc. Furthermore, the majority of attendees are data center personnel, usually from information intensive service industries.
The business requirements of some industries, such as the service sector, are particularly well suited for this model of Continuity Planning. In these industries the means of production can be considered the IT systems of the corporation. The product is basically information provided in a particular format at a specified time. For these industries it is easy to assess the impact of a disruption. Likewise, it is also easy to devise economical solutions: hot, warm, cold sites, secondary data centers, rerouting of calls through different switches, as examples.
The feasibility of Continuity Planning for manufacturing industries may be different. In each of these organizations there may be multiple products, with a multitude of production methods, in a multitude of countries, with complex relationships between plants, suppliers, and customers, all using different currencies. Critical production processes may not be in the control of the planning organization, such as the case with just in time manufacturing. A manufacturing facility with complex automation and environmental controls cannot be drop shipped to a cold site overnight. Competition has produced the need to trim expenses and hence eliminate redundant facilities or excess capacity.
Although many of the questions asked and activities conducted are similar, they are employed for different purposes. For instance, the DR/BCP "customer" asks, "What is the impact to my organization?" The answer to this question is then managed with a Business Continuity plan, employing hot sites, call lists, emergency procedures etc. The HPR Insurer asks, "What is my exposure (Insurer) as limited by the policy?" The answer to this question is then managed with underwriting, re-insurance, etc.
Two very different responses to the same question caused by the need to meet different objectives.
Loss prevention from a HPR perspective surveyed facilities, assessed risks, offered mitigation recommendations, and managed the resultant risk through underwriting. Concern is placed on high valued locations, products, and equipment. The exposure to the insurance company is purely financial. All claims are paid in dollars. Therefore, the critical nature of an operation is not as important as its cost. Items affecting a firm's reputation, earnings, stock price, market share, are therefore, technically unimportant to insurers as they are uninsurable. Of course, in the truest sense, if the customer goes out of business, the insurer also loses income.
Business Continuity views the organization through the eyes of a customer. What processes are needed to meet the customer's expectations. These processes, regardless of dollar value, are the critical operations which must be protected. Protection can include mitigation through risk control services, risk financing activities, and development of contingency plans, which is the realm of disaster recovery and business continuity.
The continuity planner looks at how long an interruption can be tolerated regardless of cause. The analysis may include reviewing intangible "processes" as well as physical assets. This may not necessarily result in a high dollar value event from an insurance standpoint. Insurance looks at the largest down time for an operation with a given loss to physical assets, almost exclusively in terms of dollars.
The traditional DR/BCP customer views exposures from a business standpoint. Concern is based on threats that can interrupt production, tarnish reputation, hurt earnings, or depress stock prices. Insurers view exposures from the policy standpoint. Concern is based on covered perils and insurable losses only.
Changing the Culture
The insurance industry can benefit from further implementation of Business Continuity Planning concepts throughout general industry. It is important to recognize that BC plans will not stop losses from occurring, but if properly developed and implemented, continuity planning should significantly decrease business interruption or time element exposures. Business organizations stand to gain by expanding their plans to encompass larger portions of their business thereby protecting their ability to meet customer and shareholder expectations.
There is tremendous expertise in the HPR loss prevention industry in assessing and mitigating risks throughout manufacturing enterprises. This fact coupled with the DR/BCP industry's expertise in information technology and business function can expand the scope of Business Continuity Planning to provide truly enterprise wide planning solutions to a broader segment of industry.
Most people in this business realize that there is a substantial demand for DR/BCP services with a well developed market place, primarily providing IT solutions and consulting. With that in mind, here are some items your organization might want to consider. Take a second to think about the answers your firm might have to the thoughts below.
There are no right or wrong answers to these questions; the only answers that count are the ones that fit the situations of your organization. A little "crystal ball" that decides what is needed has yet to be developed for everybody in the universe. This whole issue is a personal thing, and your organization gets to decide.
Jonathan William King, PE, CBCP, currently represents HSB Industrial Risk Insurers as the primary member to the National Fire Protection Association's (NFPA) Technical Committee on Explosives, and the alternate member to the NFPA Technical Committee on Telecommunications. He was awarded CBCP status in January 1998.
This article Printed in Volume 13, Issue 1