by John A. Jackson
Interdependencies between
an organization and other
business partners and
public agencies have always
been an overlooked or at
least under-served aspect
of Disaster Recovery
and Business Continuity
plans. This article serves
to raise the awareness of
this important issue to the
executive suite, so that
executives can ensure it is
being properly addressed.
Most organizations have long been aware
of the business impact of an unplanned
interruption to business operations, most
probably including an outage to computer
and communications based systems.
The events of the past several years,
including 9/11 and Hurricane Katrina,
have raised those concerns to a fever
pitch, and have highlighted a number
of previously under-considered aspects
of contingency planning, including:
- The impact of a loss of personnel
- The potential to have operations disrupted
due to a geographic impact
which eliminates building access even
though no direct impact occurred
- The potential for a loss of paper
records and the need to rely solely
on the inventory of an offsite storage
facility, most probably only containing
electronic data backups
- The realization that the company’s
primary workplace could be permanently
destroyed, requiring the
acquisition and outfitting of a
new base of operations before
recovery can occur
In addition to the above, many organizations
now realize that most disasters
require that companies not only focus
on their own individual recovery plans,
but they must also consider how the
recovery efforts of other companies in
their industry, as well as customers,
suppliers or supporting industries, must
be coordinated so that normal, or
near-normal, operations can resume. They
also now realize the impact that outages
of the public infrastructure or the
actions of public agencies or officials
could have on their individual or collective
abilities to recover.
The past history of the business continuity
industry is one where the
recovery facility vendors (those who
provide facilities and equipment to
facilitate recovery) focus on discrete
contracts for individual companies.
These contracts are not synchronized,
in almost any way, with those of other
firms that could be required in order
for an industry segment or geography to
recover. Essentially, the recovery industry
vendors offer services that provide
recovery facilities, network connectivity
and equipment for individual companies
to use, assuming no conflict with
another customer that prohibits access
and use. While that strategy has served
well over the years, a more comprehensive
strategy might now be required due
to the potential for disasters to impact
more than one organization at a time.
Any organization that approaches
the topic of business continuity typically
goes through approximately four
sets of activities. While methodologies
vary among vendors and companies, the
following overall process is typically
undertaken.
- Business Impact and Recoverability
Assessment: Determining the Risk
- Recoverability Strategy Development:
Setting the Course
- Strategy Implementation:
Putting the Solution In Place
- Plan Maintenance and Testing:
Making Sure it Works
This four-step process starts with the
first step, the business impact analysis.
This process, often carried out by
experienced continuity consultants or
internal company resources, is designed
to understand the financial, contractual,
regulatory and legal impacts on
an organization of an unanticipated
interruption to its business operations
(offices or computer systems).
The BIA effort, which helps to determine
the organization’s recovery time
(time to recover) and recovery point
(protection of critical information),
focuses on an individual company’s
needs but generally disregards the
impact on other organizations. Two
or more organizations, in the same or
reliant industries, might have totally
different recovery times and points,
and not know it until they both
go through the recovery process. This
occurred in New York during Sept.
11, 2001, when many organizations
found that their plans were either
shortsighted or more comprehensive than
others, and their recovery efforts were
delayed until the organization with the
lesser plan (generally a longer planned
recovery time) was ready. Essentially
what occurred was that the “weakest
link” scenario was played out.
The issue of interdependencies has
highlighted that the current BIA process
does not go far enough, either
for an individual company or, now
equally important, for the authorities to gauge
a complete picture of how an industry
or business district would be affected.
Essentially, what individual organizations
need to ensure is that the BIA
process focuses on geographic (building
or metropolitan area) or industry recovery,
not just their individual business.
Given the issue of interdependencies and
the inherent shortcomings of the BIA
process, some forward-thinking experts
are now suggesting that organizations
conduct an “Interdependencies Workshop”
to ensure that both private industry
and public agency interdependencies are
considered in the planning process.
The interdependencies workshop
is intended to build an understanding of the
interdependencies of business-to-business
interactions and reliances, as well as
local physical infrastructure components
and the effect of an outage on
firms in a given geographic area, should
a terrorist or other crippling disaster
scenario occur. It is vital that private
organizations consider this issue during
this initial phase of recovery strategy
development. Organizations that must
be considered for their interdependence
include other major businesses,
communications, electric power, oil/gas,
water, and transportation providers, as
well as government services, hospitals,
and any other major service suppliers.

The above graphic illustrates the
interactions which must be considered
during an Interdependencies Workshop
exercise.
The interdependencies workshop is an
important first step leading to a focus
on the recoverability of companies and
governmental agencies outside of an
individual company’s purview, from
an information protection and business
infrastructure (offices, computers,
phones, personnel) point of view.
The results of an interdependencies
exercise would include:
- A high level understanding of critical
resources which might impact an
organization’s ability to recover in
a timely manner
- Organizational awareness of weaknesses
in business recovery strategies
- Development of a matrix listing
identified weaknesses, so those weaknesses
can be addressed
- A clear understanding of the high
level contingencies currently in place
Currently, there are a number of organizations
bringing focus to this important
issue. In the Chicago area, ChicagoFirst
(www.ChicagoFirst.org) has been formed
to bring together members of the financial
industry to promote awareness of
interdependencies and each organization’s
interface with public agencies.
The ChicagoFirst model has been so successful that it has spawned similar
groups in other cities. A national organization
focused on this issue is the
FBI-sponsored InfraGard (www.infragard.net).
They have national chapters
which promote meetings between private
companies and public agencies, aimed at
developing a better understanding of
each other’s needs and capabilities.
ChicagoFirst and InfraGard are but
two of many organizations focused on
this issue. Private and Public Businesses
Inc. (www.ppbi.org) promotes
focus through classes on related topics,
and the recently formed Lake Cook
Critical Infrastructure Partnership in
Northern Illinois has made great strides
in pulling private industry, local fire,
police and emergency management
and national organizations like DHS
together to focus on this topic.
The concepts outlined in this article
present an approach to dealing with the
fact that most, if not all, recovery plans
are stand-alone islands. Most plans do
not address the inter-relationship of the
recovery times and the recovery points
of organizations a company or agency
relies upon and interfaces with. Most
plans also do not take into account the
regional effects on public infrastructure
and how that might affect the ability to
recover in a timely manner. Company
executives should ask if their recovery
plans and strategies address interdependencies
and require that this aspect of
recovery be addressed.
About the Author
John Jackson has 30 years of IT Risk Management
experience and is a well-known leader
in the Business Continuity industry. John is
currently Executive VP of Fusion Risk Management.
Previously, he was General Manager of
IBM BCRS, an SVP at SunGard and President
of Comdisco Continuity Services. John is also
the Chicago Chapter President for InfraGard,
focused on Private and Public partnerships.