Organizations are faced with a variety of threats and vulnerabilities, and these continue to evolve. Business disruptions can include natural disasters such as floods, fires, hurricanes, and power outages. Since 9/11, the threat of man-made disasters such as terrorist attacks has taken on a sense of urgency as well. The increasing density of our population further exacerbates the threats posed by both natural and manmade disasters. Although business continuity planning and disaster recovery planning are now generally recognized as vital, creating and maintaining a sound plan is quite complex.
Business continuity planning addresses the prospect that a disaster might interrupt an organization's business operations. Whether an organization is for-profit, non-profit, or governmental, the need to mitigate disaster risks has become especially salient. Firms should evaluate their degree of exposure to disaster, both externally (e.g., floods, fires, hurricanes) and internally (e.g., HVAC failure, sabotage).
A business impact analysis helps management to understand the criticality of different business functions, recovery time required, and the need for various resources. The question of which corporate functions receive top priority should be addressed. In selecting a strategy to protect the organization, cost-benefit comparisons are made with regard to the effects of doing without various services and functions (e.g., call centers, production locations, proprietary data) at specific points in time, and developing plans for optimum recovery periods for each service and function.
Thus, a business continuity plan includes the procedures and information about resources to help an organization recover from a disruption in its business operations. In the financial markets, major industry players have responded to the 9/11 terrorist attacks by attempting to deal with future risks, especially risks regarding trading operations. But because most networks rely on the open Internet, viruses or other service attacks remain potential threats.
A central office failure brought about by a fire or power outage can also affect trading operations. Redundancy (including back-up sites and additional staff and technologies) is recommended, albeit expensive. An additional risk is that an entire network (such as AT&T) might go down. Jay Pultz, research vice-president at disaster and business continuity consultancy firm Gartner, Inc., is concerned that failures will increase because the companies that provide the networks are collapsing their infrastructure to a single backbone, as opposed to separate backbones for the Internet, phone, data, etc.
Business continuity and disaster recovery planning can demand a great deal of resources. For example, Voca (the United Kingdom direct debits clearing house) spends about 35 percent of its IT budget on these plans. But the alternative may be worse. Losses can mount quickly when firms cannot access data.
According to a study by Gartner, Inc., the average cost of computer-network downtime is $42,000 an hour. Technology-dependent firms such as online brokerages may incur costs of $1 million or more an hour. To ensure seamless service in case of disaster, Voca runs its business from a back-up site for up to five weeks a year. Off-site backups appear to be a favorite method for protecting data for 58 percent of solution providers, according to recent CRN poll data.
The Confederation of British Industry and security firm Qinetiq report that, even after overhauling business continuity plans, 60 percent of British companies are concerned about their preparation for disaster. Almost 70 percent of respondents to Information Week Research's Outlook 2005 survey ranked business continuity planning or disaster preparedness as a high priority. Still, according to analyst David Hill of Mesabi Group, most companies have neglected some operational needs, such as recovering data after a virus attack. Moreover, many business continuity plans are never even tested, and according to Peter Gerr of the Enterprise Strategy Group, one out of every five recovery efforts fails.
But forward-thinking enterprises are recognizing both external and internal signals for the need to formulate contingency plans. Externally, business continuity plans may be driven by regulation, as in the banking industry. Internal risk exposure, however, is a critical driver as well. A case in point is Madrid-based Banco Santander International, the largest commercial bank in South America and the tenth largest bank in the world. If operations stopped and trades or payments failed, the bank could be liable for compensation.
To maintain protection of business-critical customer data at its private banking center in Miami, Banco Santander chose a solution from VERITAS Software Corp. based on its compatibility with the bank's infrastructure. Data could then be replicated between Miami and New York sites over the IP network. During the rash of hurricanes that hit Florida in 2004, every time a major warning was issued and facilities evacuated, primary operations were transferred to New York until the threat passed. The system is viewed as an insurance policy for the bank.
Oddly enough, smaller businesses have been found to lead many midsize businesses in implementing true disaster-recovery solutions. Small businesses often rely on value added resellers (VARs) for their solutions, and larger firms use internal IT departments. Midsize firms, however, are too complex to be relocated quickly, yet lack the internal staff to restore business processes rapidly, increasing opportunities for VARs to offer business continuity services to this market.
Outsourcing has become a standard practice among many organizations as a way to add flexibility to the supply chain. Often a particular task can be done more efficiently and/or effectively by an outside vendor. The advantage for the focal firm is that it can focus on its core competence, or at least those functions it does well, and outsource other functions so as to gain efficiency. Thus, rather than integrating all functions within the firm boundaries, the trend toward outsourcing and a variety of cooperative relationships continues. Ironically, the gains in efficiency and flexibility may often be outweighed by risks of being dependent on sole suppliers.
In a Bank Technology News article titled "Business Continuity Planning Must Extend to Vendors," John Hoge argues that client-vendor relationships are symbiotic and should lead to greater efficiency and productivity in a variety of industries. In banking, technology vendors are critical for the bank's basic business processes. But if the vendor's systems go down, the bank's systems can go down as well.
The implication is that vendors are increasingly compelled to include business continuity and disaster recovery as key aspects of their activities. Some vendors have adopted business impact analysis to tailor a recovery plan to meet the recovery requirements of specific units. An interesting twist regarding the benefits of "leaner" supply chains is the increased need for contingency plans in case of disruptions.
The "dark side" of supply chain management is discussed in a white paper appearing in a March 2005 issue of Supply Chain Management Review. The authors explore the notion of supply continuity planning, which is a comprehensive approach to managing supply risk. They state that by employing their supply continuity planning model, organizations can guard against a major supply disruption that could potentially delay orders and result in loss of customers.
Whereas companies previously relied on inventory buffers (safety stock, lead times, excess capacity) to protect them, today's competitive environment makes these buffers less attractive. A consequence is that today's lean supply chains are increasingly fragile, or more sensitive to shocks and disruptions.
The authors make a strong case for how devastating disruptions can be by citing several events, including a fire at a factory supplying valves to Toyota, resulting in estimated costs of $195 million; an earthquake in Taiwan, hampering the supply of computer chips and computer demand during the holiday season; a lightning strike at a radio-frequency chip plant in Albuquerque, NM, resulting in a fire, production delays, and the eventual withdrawal of Ericsson from mobile phone manufacturing-because the plant was its sole supplier; and the 9/11 terrorist attacks, resulting in loss of life and loss of information databases.
Based on case studies of four organizations that proactively manage inbound supply risk, the authors present a framework describing detailed efforts focused on four major activities: creating system awareness of supply risk, preventing the occurrence of supply disruptions, remediating supply interruptions, and managing knowledge.
In a 2005 Canadian Business article titled "Always Be Prepared," an expert in enterprise risk presents a series of questions that managers should ask about the firm's state of readiness to continue business after a disruption. For example, does the business even have a plan? Is the plan tailor-made or "off the rack?" Are critical functions the basis of the plan? The maintenance of knowledge management, regular testing of the plan, and supplier preparedness are other important issues.
Being prepared for disaster is increasingly essential. The good news for those new to business continuity planning and disaster recovery planning is that information on how to prepare is proliferating. Business continuity and disaster recovery planning software explore the potential impacts of disaster, and underlying risks; constructing a plan; maintenance, testing, and auditing to ensure that the plan remains appropriate to the needs of the organization; and support infrastructure and services.
Barnes, James C. A Guide to Business Continuity Planning. New York, NY: Wiley, 2001.
"The Business Continuity Planning & Disaster Recovery Planning Directory." Disaster Recovery World. Available from < http://www.disasterrecoveryworld.com >.
Garvey, Martin J. "From Good to Great (Maybe)." Information-Week, 3 January 2005, 45.
Gerson, Vicki. "Better Safe Than Sorry." Bank Systems & Technology 42, no. 1 (2005): 41.
Hanna, Greg. "How to Take a Computer Disaster in Stride." Strategic Finance 86, no. 7 (2005): 48–52.
Hofmann, Mark A. "Y2K Spurred Continuity Plan That Was Put to Test by 9/11." Business Insurance 39, no. 16 (2005): 71.
Hoge, John. "Business Continuity Planning Must Extend to Vendors." Bank Technology News 18, no. 2 (2005): 47.
Hood, Sarah B. "Always Be Prepared." Canadian Business 78, no. 6 (2005): 61–63.
Huber, Nick. "Business Continuity Plans Eat 35% of Clearing House's Core IT Spend." ComputerWeekly, 8 February 2005, 5.
Roberts, John, and Frank J. Ohlhorst. "Disaster Planning Promises Big Channel Profits." CRN 1130 (2005): 22.
Sisk, Michael. "Business Continuity: Still Not Entirely Ready For Disaster." Bank Technology News 17, no. 12 (2004): 41.
Zsidisin, George, A., Gary L. Ragatz, and Steven A. Melnyk. "The Dark Side of Supply Chain Management." Supply Chain Management Review 9, no. 2 (March 2005): 46–52.