IS YOUR BUSINESS READY FOR THE WORST?
CNETAsia Magazine (12 October 2001)
By David Berlind
If last month's terrorist attacks and security intrusions
served as a wake-up call to those charged with business
continuity, you wouldn't know it from the number of attendees
at Gartner's special town hall session on the topic. Only
about 100 people appeared; the other 6,000 Symposium/ITxpo
2001 attendees apparently hit the snooze button.
This is a sad commentary on the impact that recent events
have had on our industry. Thousands of business and technical
executives travel hundreds or thousands of miles, each
paying more than $4,000 to attend, in order to receive
strategic advice on how to align their business and technology
priorities. Yet most of them ignored Gartner's emergency
session addressing what must now be considered any company's
top priority: business continuity.
According to Gartner spokesperson Carol Wallace, the low
attendance wasn't due to lack of promotion (although the
session was a late addition to the conference schedule)
or the quality of its content. Wallace suspects that "clients
were attending sessions since eight in the morning and
the sheer physical exhaustion of the long day kept them
away from the evening session."
I have to agree with Wallace's assessment. The ad-hoc
town hall meeting was indeed well-publicized, the content
extremely rich, and the topic was perhaps the most timely
of all topics covered at the event. Considering the low
attendance, Wallace said, "there was great dialogue."
Indeed, there was much practical advice from leading business
continuity experts across a variety of industries, including
financial services, government, and security.
The advice focused on four primary issues of business
continuity: outlining the various scenarios that could
disrupt the business; planning reasonable continuity measures
to withstand those scenarios; repeated scenario simulation
to test those measures; and resumption of business in
the case of an actual emergency.
With respect to outlining scenarios, history has a lot
to offer. Over the past two decades, U.S. businesses have
experienced a number of extremely disruptive events, including
floods in the Midwest, riots in Los Angeles, earthquakes
in California, Hurricane Andrew in South Florida, offices
destroyed by fire, security intrusions courtesy of hackers
and disgruntled employees, and now war.
The list is by no means all-inclusive, and disaster does not
discriminate based on business size, type, or location.
In other words, no business can afford not to take at
least some continuity measures. In response to a question
from a tech executive at the Public Broadcasting System,
the Gartner panel acknowledged that while there's probably
a solution for each potential scenario, not every company
has the resources to deploy costly measures such as redundant
facilities.
According to Gartner analysts, businesses typically spend
between two and six percent of their IT budgets on IT
continuity. In light of recent events, Bill Malik, the
town hall's master of ceremonies, expects disaster recovery
expenditures to go up. Research director Roberta Witty
concurs, saying that "currently, contracts with disaster
recovery providers like IBM, Comdisco, and SunGard only
allow for 30 days to 6 weeks of facility duplication.
In light of recent events, customers of DRPs may have
to plan for a longer time frame." Yes, the cost will most
certainly go up.
Addressing the issue of business size, Witty and fellow
research director Donna Scott were quick to point out
that regardless of business size, a continuity plan has
to start somewhere, even if it starts with something as
simple as routine backups. Many businesses already do
routine backups, which include incremental backups each
day, and full backups each week. But what happens to those
backups next is a real problem, the panel noted. Most
companies don't store the tapes off-site in a location
distant enough to prevent the original systems and the
backups from being affected by the same incident.
Scott urged attendees to revisit the scenarios in order
to fully understand what the potential impact is, and
then to test existing continuity measures to see if they're
adequate. Keeping backup tapes on-site is a continuity
measure that wouldn't survive most scenarios.
Witty talked about other low-cost and even no-cost measures
that all businesses can afford to take. To safeguard employees,
for example, Witty suggests "working with local fire marshals
to train employees on the different ways to escape the
building, equipping people with flashlights, and putting
supplies like water and blankets in place to deal with
people who may be stuck for an extended period of
time." Again, the panel emphasized continuous scenario
simulation and testing to find the weak points in your
plan.
The points resonated with me personally because Witty
seemed to be describing something that goes well beyond
your basic fire drill. I can barely remember the last
time our offices had a fire drill, let alone any more
comprehensive procedure for surviving a variety of scenarios
that could impact the building I work in.
Other no-cost measures, Witty said, include working with
local authorities to understand what your company's obligations
are. For example, in the earthquake-prone regions of California,
the state requires companies to have "earthquake kits"
available. She also discussed executive succession plans;
where possible, she suggested, executives should be succeeded
by an executive in another location. Again, scenario management
reigns. If an executive's successor is in the same location,
that measure won't survive most scenarios.
Sept. 11 is sending people back to the disaster-recovery
drawing board, however. Sue Landry, Gartner's financial
services and banking analyst, talked about how the day's
events struck her with particular poignancy. "The entire
financial industry was under attack," she said. "Because
of regulations, real-time systems such as ATMs, equity
markets, and bond markets have successful continuity plans.
In each case, however, the planning is all done within
one institution. But now we have learned that disaster
can strike multiple institutions simultaneously, a scenario
that has its own ramifications."
In such a scenario, the plans of those closest to your
business -- your customers, suppliers, and even neighbors
-- become relevant. From an IT perspective, the more deeply
integrated your systems become with those of your partners
-- an inevitable result of the forthcoming Web services
revolution -- the more important it becomes for you to
know what their business continuity plans are. Landry
has identified the ripple effect that a single event can
have throughout an entire industry, and the fact that
few measures are in place to accommodate such an event.
Analyst John Oborn suggested taking a closer look at service
contracts and providers. He asked, "How many companies
in your building have contracted with the same company
as you, potentially straining [the provider's] business
continuity assets [from a single event]?" Furthermore,
Oborn warned that most resumptions end up recovering less
than 40 percent of a company's critical systems. "Look
at the disaster recovery clauses and contracts," Oborn
said, "and make sure they go beyond just the operating
systems and mainframe."
All that computing power ain't worth a hill-o-beans if
you have no software or data to put on it.
Speaking of software, this is one front where the whole
idea of disaster recovery and the role that software vendors
play needs to evolve. One attendee, who wants to maintain
redundant servers in a separate location on hot-standby,
was upset by the trend in licensing schemes that essentially
force him to pay for the standby copies of software.
The rules have changed, and will continue to change. Gartner
analyst French Caldwell made a recommendation that goes
well beyond preparing for a disaster. Companies, he said,
need to think about avoiding disaster altogether. Caldwell
suggested locating your business away from high-risk areas
or high-risk targets such as financial institutions and
global brands. While he didn't elaborate, I took that
to mean you should locate your company far away from Wall
Street and other icons of freedom and capitalism. Keep
away from the headquarters of our biggest brands: Coca-Cola
in Atlanta, General Motors and Ford in Detroit, Microsoft
in Redmond. Or Silicon Valley. Or anywhere near a fault line.
Now that the unthinkable has been redefined, one town-hall
attendee asked about the next redefinition, and how he
can prepare for that. His chilling example? An event where
an entire region like the Northeast gets wiped out. Considering
what has already happened, the unthinkable is now thinkable.
Are you ready?