In addition to the above, many organizations now realize that an event like 9-11 requires companies not only to focus on their own individual recovery plans, but also to consider how the recovery efforts of other companies in their industry, as well as customers, suppliers or supporting industries, must be coordinated so that normal or near-normal operations can resume. They also now realize the impact that outages of the public infrastructure could have on their individual or collective abilities to recover.
First and foremost, there is a need for federal, state, and local authorities to have a vision of the impact of a terrorist event or other crippling widespread disaster in the major metropolitan cities of the United States. Using Chicago as an example, a terrorist event in the downtown financial district would have a wide-reaching impact on a number of firms – including the electric power, natural gas, communications, and transportation industries that support the district – even though the target might have only been one organization or building.
For instance, while the Sears Tower might be the target of a terrorist attack, the impact would affect at least 30 buildings, including nearly 20 major exchanges, banks, and critical businesses. Such an event would also affect critical utilities and transportation services, creating a much broader impact zone.
Second, the events of Sept. 11, 2001, are bringing about a clear need for a business continuity blueprint that firms can follow to ensure not only that their plan is adequate, but also that it fits into an industry recovery framework that ensures all like firms, and all dependent or complementary firms, can recover with similar recovery points and recovery times. That framework also needs to address the non-information technology requirements of companies, such as facilities issues, personnel loss, paper records protection, and communications/public relations requirements.
The Business Continuity Industry Today
Historically, vendors in the business continuity industry have focused on discrete contracts for individual companies. These contracts are not synchronized, in almost any way, with those of other firms that could be required in order for an industry segment to recover.
Essentially, the industry leaders offer services that provide recovery facilities, network connectivity and equipment for individual companies to use, assuming no conflict with another customer that prohibits use. While that strategy has served us well over the years, our premise is that a more comprehensive strategy might now be required.
Any organization that approaches the topic of business continuity typically goes through approximately four sets of steps. While methodologies vary among vendors, the following overall process is typically undertaken.
1. Business Impact and Recoverability Analysis – Determining the Risk
2. Recoverability Strategy Development – Setting the Course
3. Implementation – Putting the Solution In Place
4. Maintenance and Testing – Making Sure it Works
This four-step process starts with the first step, the business impact analysis (BIA). This process, often carried out by experienced continuity consultants, is designed to understand the financial, contractual, regulatory and legal impacts, to that organization, of an unanticipated interruption to its business operations.
The BIA report, which helps to determine the organization’s recovery time and recovery point, focuses on an individual company’s needs but generally disregards the impact on other organizations. Two or more organizations, in the same or reliant industries, might have totally different recovery times and points, and not know it until they both go through the recovery process. This occurred in New York during Sept. 11, 2001, and many organizations found their plans were either short sighted or more comprehensive than others, and they were delayed in their recovery until the organization with the lesser plan was ready; essentially the “weakest link” scenario was played out.
Sept. 11, 2001, has highlighted that the current BIA process does not go far enough, either for an individual company or, now as important, for the authorities to gauge a complete picture of how an industry or business district would be affected. Essentially, what the federal government needs, to ensure the continuity of the nation’s economy, is to make sure that the BIA process focuses on a geographic (building or metropolitan area) or industry recovery, not just individual businesses.
The purpose of this article is to propose an alternative that addresses the narrow scope of today’s independent BIA studies by casting the net wider. Based on input from various public and private organizations we have divided the approach into three main phases. These phases address some of the concerns regarding timing as some organizations require a faster path to a solution and others are interested in a more complete analysis before moving forward.
The three main phases are: infrastructure interdependencies exercise (short term), regional business recoverability analysis (medium term), and strategy development and implementation (long term).
Infrastructure Interdependencies Exercise
a) Develop an awareness of the need for public and private sectors to work together.
b) Begin to identify priorities and participants in the next phases.
The first effort we are suggesting, or the “short-term” effort, should be to conduct an Infrastructure Interdependencies Exercise (IIE) workshop in a given metropolitan area or geographic region of the country. It is estimated that this workshop would be conducted in a day or two, depending on the size of the particular region being studied.
The IIE is a workshop intended to understand the interdependencies of the local physical infrastructure components and the effect of an infrastructure failure or outage on firms in a given geographic area, should a terrorist or other crippling disaster scenario occur. It is vital that public and private organizations come together during this initial phase, including major businesses, communications, electric power, oil/gas, water, and transportation providers, as well as government services, hospitals, and any other major service suppliers.
The IIE workshop would be a first step leading to conducting a regional business recoverability analysis (RBRA) study. The RBRA study would then focus on the recoverability of companies and governmental agencies in the region, from an information protection and business infrastructure (offices, computers, phones, personnel) point of view. Then, a long-term strategy for the area that was studied can be implemented.
Results of this initial IIE exercise would include:
• A high level understanding of critical resources necessary for regional recovery
• Organizational awareness of weaknesses in business recovery strategies
• Development of a matrix listing identified weaknesses
• An understanding of the high level contingencies currently in place
Regional Business Recoverability Analysis
a) Define regional business recovery requirements.
b) Identify alternatives to meet regional business recovery requirements.
c) Identify interdependencies and vulnerabilities.
d) Prioritize recovery of organizations within the region.
e) Develop an ongoing implementation strategy.
The second effort we are suggesting, or the “medium-term” effort, would be to follow on from the results of the IIE and conduct a regional business recoverability analysis (RBRA) study. In an ongoing effort to further the protection of the U.S. economy, a Chicago-based, not-for-profit association known as the Security Board has met with the leaders in the business continuity industry, as well as numerous organizations that would be affected by a terrorist event, and firmly believes that an RBRA, focused on major buildings or pockets (districts) of business and governmental facilities, would benefit both the organizations and the authorities. We estimate there are a number of cities or geographic regions that would benefit from this approach.
There would be four major project steps in completing an RBRA Study. Those steps are:
I - Project Definition and Inception
II - Conducting the RBRA Studies
III - Analysis, Data Assembly, and Presentation
IV - Development of the Ongoing Strategy
Project Definition and Inception
In this phase, the overall project would be organized and a project management office established. The consulting firm personnel who would conduct the RBRA studies would be trained in the methodology, and all of the coordination would be completed.
Conducting the RBRA Studies
In this phase, a series of workshops and studies would be completed. The workshops would be utilized to get the firms participating in each region up to speed on the study to improve acceptance and progress of the consultants. The studies, to be conducted regionally by recovery industry experts, with specialized subject matter expertise as well as a consortium of experts from the construction, public utility, and transportation industries, will result in a standardized study deliverable (“The RBRA Report”) for each of the regions.
That RBRA report would provide businesses, governmental agencies and authorities with an unparalleled view of the direct and indirect effects of a terrorist event. Never before in the industry has a study been undertaken with this scope. These studies would, however, rely upon proven business impact analysis methodologies and experienced consultants used in hundreds of situations, now with the expanded scope of a regional or multi-building/organization event.
Analysis, Data Assembly, and Presentation
In this phase, the collective data gathered in the various studies would be consolidated and analyzed, and the overall summary and presentation developed. In addition, during this step, a crisis portal and crisis management database should be developed and populated with the assembled data. Finally, the study results would be presented to the appropriate authorities.
Development of the Ongoing Strategy
In this final phase, a set of strategies would be defined that would ensure that the study results can be acted upon. These strategies may include:
• Additional regulation governing what companies must do to improve their recoverability
• Definition of supplemental recovery centers in the region.
• Definition of a subset of organizations deemed critical to the nation’s security or economic health.
• Determination as to how the nation’s telecommunications providers could assist in developing a network to support the defined center architecture.
Conducting a Pilot Exercise and Study
To ensure a smooth and successful project, we believe the consultants should conduct a pilot IIE and RBRA study. We are suggesting this first effort should be conducted in Chicago, focused on the Sears Tower. The resulting IIE and RBRA reports would be prepared and reviewed with the governmental representatives and all of the participating firms. Required or desired changes could then be made to the methodology prior to conducting similar studies in other cities or regions.
a) Provide guidance for next steps.
b) Enable critical businesses to recover in the event of a regional disaster event.
c) Define economic incentives to enable business and government to work together toward the overall goal of regional recovery capability.
The IIE and the RBRA study will have helped to define specific “long term” recommendations and actions that should be taken to improve the metropolitan area or region’s ability to sustain an outage and maintain critical business operations.
There are several possible long-term strategies that may be recommended for implementation, including:
• Developing and putting into law increased, enforceable regulation, similar to that in place for financial institutions, which would ensure all organizations take this subject seriously and take advantage of the work that has been done.
• Selectively improving individual companies’ or agencies’ recovery plans.
• Conducting a simulation or war game within the region or area.
• Proposing changes to the critical infrastructure providers to improve the resiliency of the infrastructure.
• Working with the existing recovery services providers in the metropolitan area to further develop the recovery assets available to customers.
An example of this last point (i.e. Chicago) might be to work with the State of Illinois Homeland Defense Agency and NASA’s Illinois office on the development of a highly secure facility located at the DuPage County Airport. This facility could serve as a nerve center for the crisis management portal and database. Second, it could serve as a crisis management command center at the time of an event. Third, it could serve to provide additional dedicated work area recovery space for companies and could house dedicated computer systems and storage to support the most critical of applications. Via network connections, this center could be tied into existing Chicago area hot site vendor data centers and that vendor(s) might provide management of the new facility.
The concepts outlined in this article present an approach to dealing with the fact that most, if not all, recovery plans are stand-alone islands. Most plans do not address the inter-relationship of the recovery times and the recovery points of organizations a company or agency relies upon and interfaces with. Most plans also do not take into account the regional effects on public infrastructure and how that might affect their ability to recover in a timely manner.
As the federal government and state and local authorities begin to parcel out homeland defense dollars, we believe conducting a series of infrastructure interdependencies exercises and regional business recoverability analyses is a critical step. These workshops and studies will help educate organizations on their interdependencies as well as alert public agencies about how they can help or hinder the recovery effort based on their own planning and how well that is communicated. Already this concept has gained awareness and support within government. Illinois’ Homeland Defense Director Matt Bettenhausen, as well as several other congressional members, have reviewed the concepts presented in this article and have provided written endorsement letters to the Security Board.
In closing, we believe there are some very tangible benefits that would accrue from this approach:
• This process provides government officials with an economic and business impact analysis that does not exist today.
• It provides a framework from which defined recoverability strategies can be designed and implemented to strengthen our ability to respond to a catastrophic event.
• The workshops and studies promote communication and cooperation between business and government.
• The efforts should utilize experienced specialists in the continuity industry to complete these projects in a consistent manner.
• This article outlines a strategy that could enhance the U.S.’s responsiveness to major disaster events and provides a mechanism for accountability for the spending of precious Homeland Security resources.
• Finally, and most importantly, it produces a repeatable and scalable model that can be used in communities across the nation.
We are interested in your views. Please send your comments or opinions to John Jackson at JJ@JAJackson.com and Daniel Dec at ALMA.Resiliency@attbi.com. Additionally, the Security Board is looking for additional members, so if you are interested in learning more about its efforts, contact Dick Arns, executive director at email@example.com.
John A. Jackson is the past president of Comdisco’s information technology services division, providing business continuity and professional services to more than 3,000 customers worldwide. Most recently, he was a senior vice president with SunGard Availability Services, and is now independent. John has more than 30 years of information technology industry experience and is recognized as one of the world’s foremost experts in the field of business continuity, disaster recovery, and information protection.
Daniel A. Dec is the owner of AMLA Resiliency LLC, a consulting firm focused on business continuity and security strategy issues. Dan is acting as a special advisor to the Security Board. He is a frequent speaker on these topics and has 20 years of experience in information technology, including being a partner with PricewaterhouseCoopers.