By: Lukman Susanto - 2003
Even though various events, disasters and
problems have kept system administrators awake, many of them are really just
following trend flows. They have always been a champ in keeping their company
up-to-date and really good in following procedures. However, IT is a far more
fragile compared to other systems in overall business processes. As more and more
businesses rely on computer systems (Savage,
2002), IT has become their only
backbone and its existence can be equalised to the business itself. Since no
one expected most of those “beyond control” disastrous events, keeping IT self
up-to-date is turned-out to be insufficient (Morganti,
2002). This paper is analysing how
Business Continuity Plan theory may differ from its implementation in the real
world and how IT issues are holding important roles in overall plan.
Meta Group research (2003) found only 20% of Global 2000 organisations have effective business continuity plans (BCP) which will help them in the case of disaster. The study shows this lack of preparation is due many of them still regard BCP as solo IT disaster recovery plans (DRP). In fact, an adequate BCP should include human resources, facilities, management as well as the executive board (Swartz, 2003). Meta Group (2003) also said that IT as one of the main business functions should be managed along with other components as an overall BCP.
Since the Sept 11, more enterprises have moved BCP from “complimentary” to “compulsory” item for the organisation (Savage, 2002). And yet many of them are still not able to correctly identify all the points should be considered. BCP is often regarded as IT DRP therefore they are assuming that business continuity can be simply guaranteed by having a good backup system for their computer systems (Savage, 2002). This assumption is not unreasonable, as more and more companies are relying heavily on their IT systems; they are ended-up paying less attention on their non-IT issues.
The following are issues related to BCP that should be considered as a whole concept (Savage, 2002):
When the disaster has destroyed/damaged the organisation premises, the first thing that the company manager has to do is to find an emergency place while the existing site being repaired and in the same time ensuring the business does not completely stopped. This requires a careful plan and minimum execution time in allocating temporary authority to initiate any recovery action (Savage, 2002). Geographic issues can sometimes cause uncertainty to the continuity of organisations. They often have to compromise between accessibility and safety. A close backup site means high accessible however it is less secure toward bigger disaster (McEachern, 2002).
Suggested solution: analysing business needs and open the possibilities to establish multiple backup sites or dedicate more resources towards data communication channels i.e. developing backup site in a fair distance however; it should be able to communicate as fast as the one next door.
The importance of IT issues has made many people associate BCP and IT recovery (DRP). Fortunately, many businesses are well prepared with this issue. Some of them even have allocated a certain amount within their budget specifically made for IT and its DRP system. The plan should also include details of communication method, network infrastructure, and third-party vendors (ASP); all should be carefully documented within BCP along with external storage/data.
An appropriate strategy determined by the significance of IT matter within the business can be chosen from the following: full replication, vendor parallel/semi-parallel or relocation. There are many third-party vendors out there who will provide ranges of protection, from the widely-used tape backup system to the state-of-the-art “high availability solutions” which will simultaneously backup every data in and out from the system (McEachern, 2002).
Suggested solution: business should choose the appropriate IT recovery plan; this is not always the expensive “top of the ranges” stuffs. By maximising all IT resources/capabilities, a well-suited recovery system will do as good and this plan should be reviewed and adjusted as the business grows.
It is important to keep customers informed about the disaster which may cause the delay of product/service, recovery progress and the most important thing is informing them as soon as the business back on stage. Keeping customers informed will build a trust in relationship.
Suggested solution: as customer is the most important entity in any businesses, provide them with honest information, immediate solution and keep them informed with business recovery progress.
When a major disaster happens, the ones who will immediately be affected are the employees and possibly their families. It is organisation’s responsibility to inform this event and organise all the handling process including emergency contact and keeping in touch with all the employees. Bigger organisations are now also concern with all their senior management located in the same floor or even in the same building (McEachern, 2002). For them, losing a little convenience will not be as unpleasant as losing the whole business structure. By splitting resources to more than one location, company structure will still exist even when one whole building is destroyed.
Suggested solution: depending on the size of the business, the solution may vary. Multiple-sites businesses should consider splitting company resources to different location or different parts of the building/office for the smaller ones.
BCP should also consider the existence of crucial documents including BCP itself, printed stationary, emergency contact details, location and document accessibility. These all are to ensure the inbound and outbound communication can be instantiated soon after the disaster to avoid worse cases.
Suggested solution: create an offsite office storage area where company can keep extra stationary i.e. letterhead, business cards, etc as well as keeping the BCP document for emergency
BCP is a complex plan and sometimes causes confusion in when, where and how to start developing it. David Smith (2003) from FBCI has developed a roadmap which is called BCM/BCP life cycle.
There are six points in BCM life cycle process:
Analysing business risks and risk management.
Different levels of BCM strategies for recovery.
Understanding all business entities, how to keep them informed and dealing with media as well as possible outsourcing non-core business functions including disaster recovery system.
Develop awareness throughout organisation of BCM by conducting training.
Simulating real disastrous events and auditing the capacity to handle
different cases as well as adjusting the system as required.
Executive board and senior management should support all the BCM points in order to make an adequate plan.
Most of theories on BCP were developed based on various experiences from the survival of businesses against small to medium disasters. None or only few of them have implemented comprehensive levels of plans which are made to all possibilities. Even though those theories are built based on the best business practice, these may not be the best for the continuity of the business itself. Financial adjustment value has changed and the current practice may diverse from those theories.
The event of Sept 11 has woken up most major companies in the world the importance of having an adequate procedure and plan to respond to any sorts of disasters and contingencies. Many observers argued that the needs of stronger commitment towards BCP among those companies were unavoidable (Rankine, 2002). For those major companies, financial justification has lesser value and can not be used as a decision factor toward BCP/DRP project. The formula has changed from “what is the cost of having it” to “what will be the cost of not having it”. This is a dramatic change since projects are no longer measured by their costs instead by the consequences of ignoring them.
All above are what many people now expecting and what many companies should implement however, the strategies being employed by those businesses are surprising many IT/business reviewers (Rankine, 2002). As Sept 11 attacks have also contributed to the worst economic recession in history this has caused many businesses changed their ways to respond BCP issues (Rankine, 2002):
Companies are now reducing the distance between different sites as they found that “excessive production/recovery site separation” increases recovery times and increases costs (Rankine, 2002). They realised that they have to move-on and not worrying too much about Sept 11 which may have happened only once in history. If they are always spending money that they do not have for something that may never happen again, the lost would be absolute and the influence will be worse than experiencing Sept 11 events.
Global economic downturn and Sept 11 have caused prices blast especially for “security-related” services such as insurance, commercial backup/recovery site and various outsourcing deals. Many companies found these services are no longer within their financial ability and yet they can not afford not to have the systems in place. Therefore, the trend is now toward in-sourcing which will provide immediate service, testing flexibility and the level of availability which are not offered by outsourced commercial recovery site (Rankine, 2002).
This does not mean they are less concern about IT issues, in fact they realise that the consequences of having a “less-than-perfect” IT security will be the worst case scenarios (Nicolett, 2002). However, they are now concentrating in their own/internal system by educating their own staff, developing IT security awareness and refining their IT policies to minimise exposures and costs.
Human is the most important factor in all sorts of industries and since Sept 11 many companies are more concern in losing their employees. Company HazMat in US has developed evacuation and redevelopment plan for 20,000 employees which of course may not be suitable for most others (Duffy, 2002). However, for those companies who rely heavily on human resources, preparing backup employees may be one of the best strategies. The employees they currently count on for the continuity of the company may not always exist (Duffy, 2002).
Emergency plans to handle human resources issues including preparing offsite crisis meeting places for top employees, practising crisis communication as well as investing in alternative ways of communication, partnership with local emergency response groups such as fire-fighters and police are in their top agenda to mitigate risks of HR issues (Duffy, 2002).
Similar as HR issues, since Sept 11 many companies realised that having superb backup system for their data-centres does not mean much when the system’s clients/workstations are disappeared/not active. This includes having a proper workspace with desk, workstation, network, internet access and telephone connection (Rankine, 2002). Some of them are making a good relationship with their “neighbour”, fellow businesses or local communities just in case they need immediate access to emergency work area before the proper ones being redeveloped.
As a favour in this fully-troubled world, war and crimes are also happening in shadow/online world which have forced major companies to spend more for IT security architecture and infrastructure. The problems are changing and increasing continuously which have enforced security vendors to keep inventing newer technology to solve these issues whereas other companies are imposed to update their security systems continuously. The major problem with this concept is “each wave of new technology renders existing security architecture obsolete” (Nicolett, 2002) and globalisation as well as the needs of enterprise network makes the whole issues of security become more complex.
Despite strong prediction on value degradation of financial constraints, companies can not ignore this essential issue in their BCP/DRP plan. Even though they may have better understand how danger this world has been, they do not want to be worried by plane hitting their building while they are struggling with their finance. As some third-world countries experienced, the intense feeling may have been part of them in everyday life.
IT has always been the most important issues of all, not only because being the foundation and backbone of the business but also can play important roles in strategies development and improving efficiency of the whole BCP plan.
Literature and current practice show only minor differences in term of system implementation, however this does not represent the principal concept of the BCP/DRP to provide a dependable system for recovery. Where some discrepancies are arising, they are mainly because of financial condition of the company or new invention of related technologies.
Many BCP observers predicted site diversification would become a trend and many company would have started to spread their offices in different area. Data centres would be replaced with a distributed storage system. Massive outsourcing in various non-core areas within the businesses is expected to take place and IT departments were expected to receive more funding for advancing their DRP system.
Those expectations are turned-out being rigorously scrutinised as companies are now struggling to survive in this economic downturn. Data centres are being maintained to keep the operating cost down and can be managed with ease (Hayes, 2003). Financial problem has forced many of them to “in-source” their IT systems including their backup/storage and DRP system as well as to keep the flexibility and internal control towards the whole business system. No extra funds are offered for IT department because of budget limitations and IT departments have been enforced to increase their efficiency to minimise cost and in the same time ensuring the quality.
Economic condition has been blamed for these hard times and many of these companies have to compromise between their profits, business continuity and security issues while every component does have consequences if not being fulfilled (Hayes, 2003). IT as main component of a business is expected to innovate itself and contribute towards BCP to ensure the stability of the business.
In this paper we analysed how Business Continuity Plan theory may differ from its implementation in the real world and how IT issues are holding important roles in overall plan.
Various events,
disasters and problems have woken up system administrators and business
executives to realise that IT is a far more fragile compared to other systems
in overall business processes and Business Continuity Plan should involve IT as
the main component. As more and more businesses rely on computer systems, IT
has become their only backbone and its existence can be equalised to the
business itself.
Business Continuity Plan has been described as an ideal strategy to safe business away from a complete disaster therefore as such requires high level of commitment (resources and fund) to develop an adequate system. However, financial downturn has rule out most of the luxury and the only thing left is human with its capability to accommodate the business needs with limited resources but without compromising the safety.
Latest innovation supported by good relationship between businesses and IT as system should allow many businesses to survive to the next blooming times.
Literature Review
Business continuity planning
Mick Savage.
Work Study.
A business continuity plan keeps you in
business
Michael
Morganti. Professional Safety.
Few organizations have effective continuity
plans
Nikki Swartz. Information Management Journal.
Is regulation right around the corner?
Cristina
McEachern. Wall Street & Technology.
A disaster plan in action: How a law firm
in the
Jean Barr.
Information Management Journal.
Has IT become more important in recent
months?
Anonymous.
Information Management Journal.
Current Practice
ITrends in Business Continuity Planning:
Not What Everyone Expected
Colin Rankine, Giga Information Group, 2002
http://www.csoonline.com/analyst/report484.html
Business Continuity Planning
Daintry Duffy, 2002
http://www.csoonline.com/read/110802/perfect_continuity_585.html
Managing IT Security Risk in a Dangerous
World
Mark Nicolett , Gartner, 2002
http://www.csoonline.com/analyst/report1332.html
Budgets limiting net security
Simon Hayes, 2003
http://www.australianit.com.au/articles/0,7204,6751704^15306^^nbv^,00.html
IT managers plan disaster recovery
strategies
Vivienne
Fisher, ZDNet
http://www.zdnet.com.au/itmanager/strategy/story/0,2000029582,20274255,00.htm
Business continuity: planning for a crisis?
Vivienne Fisher, ZDNet Australia, 2003
http://www.zdnet.com.au/itmanager/strategy/story/0,2000029582,20274232,00.htm
Lukman's WWW Groups
copyright © 2002 - 2003 Lukman Susanto
http://www.eastwoodfurniture.com.au
http://www.awesomefurniture.com
http://www.majawana.com.au