It’s a Sunday afternoon and you need a mobile bank branch. Where do you get it? It’s not something you’d find listed in the phone book. As a business continuity consultant for banks in the 1980s, finding the answer to ‘where can I get…?’ questions was a frequent quest for Steven Lewis, a certified information systems auditor and a certified computer programmer with a Ph.D. in systems and a couple of engineering degrees. Lewis developed more than 120 comprehensive business continuity plans for network-based organizations — many of them banks — attaching an ever-growing sourcing guide to the disaster plan. Eventually, a client suggested he make a product out of his guide. The 2005 version of the Edwards Information Disaster Recovery Yellow Pages is the fourteenth edition of that commercialized product, now published by Edwards Information, LLC. Lewis serves as editor-in-chief of the book spanning Canada and the U.S. with more than 3,000 listings in 355 categories. He recently spoke to Susan Maclean from his office in Brookline, Mass.
IT Focus: I see the directory is intended to help professional business continuity managers and general managers involved in disaster planning locate hard-to-find resources in the planning process and on-the-spot during emergencies. Do you have a major readership base in the financial services industry?
Steven Lewis: We have probably 35 per of our readers in some kind of financial services capacity, with about 15 to 20 per cent in banking, including credit unions, community banks as well as large banks; another five to 10 per cent in the brokerage business and another five to 10 per cent in the insurance companies. So, our biggest block of readers is in the financial services sector. The directory began in the banking business. If you go through it listing by listing you’d come across drying wet microfilm. That’s the kind of thing a bank rather than a manufacturer is interested in. Its heritage in the financial services industry is laced through it.
Banks have a lot of paper records. Banks travel on paper so they have to be sure to have the capability to process paper no matter how electronic they are. No matter how much you want to use optical disks, there comes a point with loan applications and other personal things that get signed that have to exist on paper. We find the general theme of records management laces through a lot of our buyers.
IT Focus: Is there a message financial services firms need to hear in terms of disaster recovery and information technology?
Lewis: In a way, it’s a two-part message. The first part is that bankers’ hours don’t count any more. They are a 24-hours-a-day operation. The financial sector has a broader range of institution sizes than almost any other, and it is often the smaller institutions that can get burned. In 2005 you can be a little credit union somewhere, buy a package from a service bureau and suddenly you’re in online banking. But that means you have to be running at three in the morning and you can’t afford to have your ISP suddenly go away so people can’t reach you. You have to have alternate ISP providers, alternate e-mails, and so on.
The second part of the message sounds simple but is really very complicated: quick recovery of what’s essential today.
A quick example: an insurance client years ago had 47 servers in a skyscraper. The sprinklers went off and they had to bring up 47 new servers. The way the world works is you go to a temporary operation for a week or two, you come back to a six-month’s site and then you finally get back to a permanent refurbished site. There was no way they were going to get 47 servers even delivered within a week, much less reloaded, tested and reconfigured before they’d be moving to another site. What they needed to do was take off the 47 servers just the really important drop dead stuff, put that onto one or two servers, run those couple of servers three shifts a day and people would come in and get their work done.
Particularly in financial institutions, you have regulatory reports due, tax returns due, all kinds of individual regulatory requirements that may be important tomorrow but not today. If they are due in February and the disaster happens in September, you can forget about it [in the context of] what’s essential today. IT people really need to know the ebb and flow of the business. IT managers may not always be exactly sure who they work for. They often don’t know or understand the business’ turnover. They just know they have to keep the computers going with the latest servers and all kinds of technology stuff and they often don’t pay attention to what’s crucial this moment to their user departments.
For example, one of the most important things for an insurance company is their cancellation notices. Come what may, those things have to go out. Here you are an IT person, but you have to provide a back-up for high-speed printing, insertion and mailing so that you can get those cancellation notices out. That often has very little to do with the work a systems programmer is normally concerned with, but that’s what people are going to be screaming for when that disaster happens.
IT Focus: Is not the financial services industry the best private sector in terms of business continuity and disaster preparedness?
Lewis: You could say it is the best, but that’s not saying much. The brokerage industry is onboard after 9/11. They had mirrored back-up sites, but no one was there to run them. They never thought they would lose their people. I gave a talk in 1995 based on the 1993 bombing of the World Trade Center. On the day of the conference, no one mentioned ‘what if we lose all the people?’ Brokerages are not up to the bank level. Insurance companies even less but they are coming along.
IT Focus: A recent document from your company lists 20 items often overlooked or wrongly assumed even by experienced disaster recovery planners. What of these apply to financial services companies the most?
Lewis: Employees’ personal-life situations. Often disaster plans require key employees to locate to a computer hot site in an emergency. Employees who are single parents and those who are caring for ill relatives may not be able to work emergency overtime or relocate. You can get into privacy issues if you ask employees personal questions. Instead, you can have employees sign a form on a yearly basis indicating that they understand the disaster plan as it pertains to them, and ask them to note any limitations they may have in carrying it out. You’ve protected their privacy and got the information out of them.
Another is the vulnerability of telephone and network terminators to falling water. Time and again we have found network servers right under sprinkler heads. One hundred per cent of the financial services buildings we have been in have an unprotected panel on the wall in the basement where the telephone wires enter the building. A toilet overflow could fry out the telephone connection. A South Carolina bank in hurricane Hugo had its roof lifted. There was no structural damage but water leaked in. The telephone connection in the basement was fried and they went one week with no outside connection.
A common assumption is made about your company’s priority to utility companies. Hospitals are first; emergency services second. Everyone else is altogether. Your company will be down in the weeds if you haven’t actually provided the back-up emergency generator your plan calls for. Another issue is with mergers and acquisitions. About 10 years ago, when an American insurance company bought a Canadian company, the Canadians were responsible for the facilities in the U.S. They didn’t even know whether the local police had the right information. Blueprints should be filed with the local emergency services de