Business continuity not just IT’s problem

Disaster recovery planning (DRP) is no longer the sole responsibility of the IT department, an Ernst & Young LLP consultant told a room full of attendees during a seminar in Toronto on Thursday.

“[The task] used to be called DRP and only dealt with recovery of computer systems, but it’s changed dramatically from recovery to availability,” said David Johnson, manager, security and technology solutions, at Ernst & Young LLP in Toronto. “It must be a business driven approach, not technology driven.”

Johnson said not only is it crucial that networks are available 24×7 but any downtime or business interruptions must go unnoticed by clients.

Now, to reflect the wider scope of DRP, the term business continuity planning (BCP) has been applied, and Johnson explained it is a contingency plan that addresses an interruption in business operations, which could result in an unacceptable impact to an organization.

Whether it’s a natural disaster such as the Quebec and Ontario ice storm of 1998, a simple flood in a computer room, or as in 9/11 the destruction of entire branches of companies, businesses must be able to devise a plan whereby they could restart their company from scratch — or at least identify the minimum requirements for their business to run.

Johnson, who works in tandem with Telus Corp. to provide its Managed Workplace solutions, identified processes to develop a successful BCP. He said having such a plan should be mandatory, and added that for it to be successful, the process must be ongoing, permeate the entire organization and be endorsed by senior executives. However, he said commitment by upper management is lacking in most organizations, and many will complete the planning stage yet get no further.

Companies must perform risk assessment to determine what vulnerabilities exists such as the where a computer network would be vulnerable to hacking or for example, if a warehouse was destroyed if all the company’s inventory would be lost. Then a loss scenario analysis must be established to identify the impacts of each scenario on business operations and what is required for minimum levels of operation. Then a strategy must be developed in order to deal with each risk. This is the stage a lot of organizations never get past, Johnson said.

Next, a systems recovery plan must be established. This is a plan for recovering essential systems and data at alternate locations. Afterwards a guideline for how to get business to resume needs to be set-up.

“There’s a reluctance for business units to get involved here,” Johnson said. “But they have to get involved because they understand the process and will be the people executing the plan.”

The subsequent step involves identifying a crisis management plan to help deal with bad publicity, human resources such as cross-training employees and who would replace executives in case of widespread death.

Next, the plan must be validated and maintained — this includes testing, training and setting up agreements with service providers to obtain, for example, enough bandwidth to handle more traffic at a given location. But the process doesn’t end here.

“When you get to one end, you must go back to the beginning,” Johnson said. “You must continue to reassess risks and fine tune plans.”

Craig Richardson, AVP, Telus hosting and managed applications in Calgary said Telus offers a variety of BCP solutions range from full network hosting, to partial outsourcing solutions. Essentially, he said Telus works with clients to determine what solution is best for them. Consulting is provided by Ernst & Young and the hardware piece falls in from Hewlett Packard Co.

Telus runs three climate-controlled secure data centers throughout the country — two in Toronto, and one in Calgary. They are connected by OC-192 to the Telus backbone, there is redundant power right to the rack, and each box contains two network interface cards (NICs).

It also offers 24×7 support and physical security.

While BCP is a complicated process, the principle behind it is simple. Peter Pereira, CIO of Telus, based in Vancouver offered this BCP analogy, which he used when speaking with his nine-year-old. He said: “I will come and pick you up from school today, and if I can’t make then your mother will.”