DRJ's Spring 2019

Conference & Exhibit

Attend The #1 BC/DR Event!

Winter Journal

Volume 31, Issue 4

Full Contents Now Available!

Where Do We Go from Here?

We are presently in the midst of the greatest threat to business continuity since the ideas of disaster recovery were founded. I am not here to dwell on "the Y2K bug" as the popular media wants to call it, but to note that it is spotlighting the need for continuity planning now and in the future. We are seeing more companies wake from their "I’m safe" slumber to put disaster or continuity planners on new projects as well as the present states of business. The future looks brighter.

So, what is the future of Continuity Planning? We have seen our profession change in many ways over the last twenty years. We have gone from disaster recovery to continuity planning to resumption planning to continuity planning.

With disaster recovery we were involved in plans for the data center. We reported to the Data Processing Manager and were concerned with backup plans and hardware. Once some business entities entered into the picture we became aware of contingency planning. We needed to help a department to plan for contingencies when something happened in Data Processing that would cause them problems. This assignment was still part of Data Processing with some matrixed help from the department. Usually the Controller was in charge of business resumption planning. The tasks were expanded to include the needs of the business, as well as data processing, to resume somewhere else in case of a disaster. Business Resumption Planning was a necessary step in our evolution.

Now, we are continuity planners. The whole business is involved, not just in recovering the data processing department, or contingencies, or resumption, but in the continuity of the business. There is more need for involvement of business units and upper management. So where does Continuity Planning belong in the organization? I believe it belongs in the Strategic Planning area and we should be looking at the strategic plan.

The strategic plan for the business is a tool used by upper management to plan the long-term continuity of the business. Each year upper management goes to great lengths to set up or improve the company’s mission and strategies for the future. The strategic time period is usually three to five years. Some companies try for a longer time frame, but in our present world of computer processors doubling in speed every 18 months the usual frame is five years. Strategies are then broken down into yearly goals known as tactics. Budgets are then assigned to tactical plans for the next year.

This all sounds very familiar. Mission, Strategies, and Tactics are not the words we use, but maybe they should be. They are related to Purpose, Risk/Threat Analysis, Business Impact Analysis, and Mission-Critical Systems. Since we are concerned now with the ideas of business continuity and this continuity is multi-year planning, we should be involved in the strategic plan. How can we be part of the strategic process? Let us start with Strategic Continuity Planning.

What is Strategic Continuity Planning?

Strategic Continuity Planning is a new way of using old tools from both Business Continuity Planning and Strategic Planning. What we want from the outcome of Strategic Continuity Planning would be a Continuity Plan tied to the company’s Strategic Plan.

This sounds hard? So did the idea of taking the steps from DRP to Contingency Planning to Resumption Planning to Continuity Planning when they were first broached. However, we have two planning processes that are well defined. All that needs to be done here is to compare and couple some of the steps involved. Let us look at some of these components that we as Continuity Planners can become involved in.

The Mission

We often talk about mission –critical applications, but we seldom talk about the mission part of those applications. The company has a mission. The two places we can usually find the mission statement are the annual reports to stockholders and the strategic plan. We usually read neither of these items. How can we know what is mission-critical without knowing what is the company’s mission?

So the first tool in melding Continuity Planning into the Strategic Planning process is to look at the Mission Statement of the company. Below is an example from a university:

The University’s primary mission is to advance, transmit, and sustain knowledge and understanding through the conduct of teaching, research, and scholarship at the highest international standards for the benefit of the international and national communities and the state….

My first impression is that mission-critical would not include an athletic database. The likely candidates for mission-critical would be academic and research data, systems and auxiliary systems, hard data to the subjects. So, the mission statement says a lot about where to start in our planning. As a matter of fact, it is a good place to start wrapping the Continuity Plan around the Strategic Plan. We usually start with a purpose or mission in our plan. This is our focus just like the Mission Statement is the focus of the Strategic Plan. The strategic planners do not stray outside the mission of the company to create their plan. We work within our purpose or mission in our plans. If we are doing continuity planning on the company, we can use the strategic mission statement as our focus. We can wrap the continuity mission or purpose around the mission statement as follows:

The Strategic Continuity Plan will support the University in its primary mission by providing a plan for continuous operations in time of interruption.

Using this purpose for the Continuity Plan puts us at the Business and Strategic level. When we use the other tools described here we will be on the strategic level of the business. That is where we must be in our future dealings with Executive Arrangement.

Strategic Tools

Financial Tools. Our next stop on the tour of a strategic plan would be the tools used to create the strategies. The first one that most strategic planners use are accounting or finance tools. These are the current ratio, quick ratio, return on investment, return on equity, etc. A financial measure we use is ALE, annual loss exposure. How do we put our loss estimates into line with the strategic financial tools? A simple example would be return on investment (ROI). ROI is a measure of profitability. It is the percentage of the net earnings attributed to total assets or the percentage of earnings that was contributed to the company by all the assets the company owns (e.g., machines, buildings, equipment).

Our measurement, ALE, is the less attributed to uncontrolled vulnerabilities such as earthquakes, tornadoes, or, most common of all power failure and unintentional employee sabotage. Add a frequency value - once, twice, three times a year or more - and we have our Risk Exposure (RE). So, how do we show what could happen in financial terms to uncontrolled risk. We can show this in the strategic numbers by subtracting the RE from the Net Earnings. This would show all across the budgeted financial calculations. To see the impact we can take an example with the ROI described above.

ROI = Net Earnings/Total Assets

Say Net Earnings are $5,000,000

Total Assets are $50,000,000

And Risk Exposure involves 4 power outages a year at loss estimate of 50 hours at $5,000 per hour or 50 X $5,000 X 4= $1,000,000

Without the RE taken into account, the percentage would be:

ROI = $5,000,000 / $50,000,000 =  10%

The ROI with RE would be:

ROI = (5,000,000-1,000,000) / 50,000,000 =  8%

If this calculation is not convincing to Senior Management, then nothing could convince them that planning for loss control would be worthwhile. This is just the tip of the iceberg financially speaking. Think of what Risk Exposure does to liquidity, leverage, and activity ratios. By working on the strategic level, we can point out where the future loss estimates could cause problems and vulnerabilities. Projecting what could happen with these financial ratios tied to the Risk Exposure, and projecting risk out through the strategic plan’s life would show a clearer picture of why we need to have Continuity Planning.

In table 1 we have several financial indicators that are used in strategic planning. They are broken down into several categories such as liquidity and returns. They have been modified to add the RE component. If we do the math, it shows the importance of the risk exposure factor (see table 1).

Note that the ratios in this table are only examples. There are many more accounting ratios that are used in strategic planning which can be adjusted by our Risk Exposure for use in our Strategic Continuity Plan.

The SWOT Analysis. Financial equations are only one of the many tools that can show why we need Strategic Continuity Planning. Another set of tools, the marketing tools, can show us not only why, but also with what to work. The first marketing analysis tool that would be useful is the SWOT analysis. SWOT stands for Strengths, Weaknesses, Opportunities and Threats.

We have all worked with threat in our Risk/Threat analyses. Risk is the potential for a loss. As seen before, in the financial analysis, we try to quantify that loss possibility. A Threat is the trigger that causes a risk to become a loss. Threats we have thought about are power, weather, sabotage, and equipment failure. Threats in the case of strategic planning are outside forces that could cause problems to the company. These include labor ,competition, spying, regulations, market evaporation, and competitors coming out with a better product or taking a larger market share.

Opportunities are also external to the company. They are the openings that a company can take advantage of to create or expand market share. These can include new markets for present or old products, new product development, less competition, and less regulation. We seldom think about opportunities when we think Continuity Planning, but we should.

We can look at the opportunities and threats analysis as the Strategic Risk/Threat Analysis. What are the threats to the company? They are not internal and local. They must be the external. They are triggers to external risks.

Marc Reich, MBCP, CDP is a Disaster Recovery consultant for Inteliant Corporation. He has worked on disaster recovery planning in government, industry, healthcare, and small business for many years. His background includes over 20 years in Data Processing with 10 years in consulting. Mr. Reich can be reached by e-mail at This email address is being protected from spambots. You need JavaScript enabled to view it..

Part Two of this series will appear in the upcoming Summer 1999 issue of DRJ.