When it comes to business continuity planning, many organizations have a Utopian belief in the perfect functioning of their disaster recovery plans. Whether it’s the result of stress on the involved personnel, or the application of Murphy’s Law, the reality is that in the midst of crisis things do go wrong. Too often, the plan and the circumstances of its testing reflect ideal circumstances that, in real life, rarely exist.
Those with experience tell us that when disaster does strike, many of the required people — probably more than half — will be unavailable for many reasons: they are on vacation, they can’t get a babysitter, the disaster has affected them personally, and many other reasons that you can imagine when you take the time to do so. Backup media can be mislabelled, damaged or hard to find, and the means of communication on which the plan depends may be unavailable. Sound planning means planning for reality in the wake of whatever disaster the plan envisaged.
The recovery planning for a given business function should reflect the real business need — the business exposure to the organization — rather than the ‘desires’ of the line-of-business management. This is a disaster. They should expect some inconvenience. The cost differential between need (if the business function is not available in three weeks we could be sued), and want (I want to have the ability to resume billing within four hours or we’ll be stuck with overtime hours), can be significant and hard to justify.
For more information on the Council visit www.cioexecutivecouncil.ca
John Pickett, Executive Director, CIO Executive Council (Canada)
How to involve the business to create a solid continuity plan
Members of the CIO Executive Council recently identified business continuity as a topic for future Council activities and research. Twenty-seven members also participated in a June 2005 conference call on business-continuity planning. The following are some best practices from members who have made such planning an integral part of their organizations.
1] Attach a business owner as the main driver. Business continuity is not about IT; it’s about the business. Therefore, it only makes sense that someone from the business be the owner of this significant undertaking. By not identifying business continuity as an IT project, its importance to the company as a whole becomes clear and more widely accepted.
At Intelsat Global Services, a Washington, D.C.-based satellite and telecommunications company, CIO and Senior VP Joe Kraus sits on the crisis management team, made up of 20 senior representatives from business units such as HR, facilities, security, corporate communications and the medical unit. This team, led by Intelsat Global Services’ president, is responsible for managing communications in the event of a disaster. The team meets quarterly, providing a forum for senior business leaders. Given the strong infrastructure emphasis of the business-continuity planning process, IT is responsible for the program’s day-to-day operations. A business rep is responsible for guaranteeing business-side participation.
2] Encourage business members to understand and document core business processes. It’s hard to write a business-continuity plan if you don’t understand all the details of your business. Dave Swartz, VP and CIO at The George Washington University, was surprised by the large number of managers who lacked a solid understanding of the university’s business, and therefore had not accurately documented how they ran their functions. “The first exercise that the business units underwent was to examine the business processes, including people involved, relationships with different units and their specific reliance on technology systems,” says Swartz. “It was interesting to see the new points of risk that were identified that people hadn’t been aware of.”
3] Improving the process should be part of the plan. In 2002, Texas Children’s Hospital suffered through a virus scare for several days where faulty antivirus software made it appear that thousands of the hospital’s computers were infected with a virus. The hospital’s IT staff quarantined the affected computers, limiting access to critical patient data. Given the life-and-death importance of IT to a hospital, clinical staff moved to manual processes to keep patients safe. They found that the established downtime procedures worked well for the first couple of days, but the longer the trouble dragged on, the more time-consuming it became to recover. The clinical staff learned some valuable lessons during this incident. “It prompted them to review business-continuity procedures and develop new, manual processes as a result,” says David Finn, VP and CIO, privacy officer and information security officer. Schedules are now printed on hard copy for the current day and the next couple of days to reduce reliance on IT systems.
4] Coordination should stay with IT. IT should provide templates, review the plans and coordinate overall processes to ensure that each unit has done its due diligence. Eastman Chemical CIO Jerry Hale, Kraus and Swartz provide templates for each function that describe what components to include and how specific to be in the documentation.
In their own words
CIO at Lavalife, Toronto
“Our priorities are our customers, and all our services are provided by customer-facing technology applications; IVR, Web, and mobile phones. We call it our Business Recovery Plan for a reason. Whatever we do affects our customers, and all the prioritization and overall direction to our response considers them. All the senior business people here are aware of their roles and are ready to ensure we respond appropriately. We don’t really have a business/IT divide here like so many organizations. When we need something done, we just get the right people in the room and make it happen, regardless of organizational position or level.
“We’ve prioritized our recovery plans. Customer-facing functions are, of course, our first priority, ranked by number of customers. Our clients have come to rely on our very high availability to whatever device they choose to use to access our services. Next come those functions we must have to support customers, like call centre applications, payment processing, and so on. I have noted over the years that many people forget to prioritize email as critical. But when you think about it, in order for an organization with lots of people working from unusual locations to coordinate a rapid response, communication is critical, and email is the best form. So email is as important to our recovery as the call centre applications. Finally there are the business functions that can tolerate a longer recovery, like financial reporting, and our HR intranet.
“We’re continually reviewing the plan. For example, while it didn’t affect us, we certainly noticed what happened in Toronto with the SARS incident. While we have always believed in contingency planning at Lavalife, it did cause us to review what we had in place to make sure we would be OK if one of our buildings became quarantined for a period of time.”
Vice President of IT and CIO at CCL Industries in Toronto
“Disaster recovery plans should be under constant review. The widespread power blackout of a few years ago highlighted some shortcomings in our contingency plans. Our primary and backup data centres are situated about 40 km apart but in this instance both suffered a power outage. There were also hiccups in voice communications. This incident forced us