Disaster-Resource.com

Business Continuity Planning - Basics

By Norman L. Harris, CBCP, CRP and Ed Devlin

We often use the term "Business Continuity Planning" interchangeably with "Business Resumption Planning" and/or "Disaster Recovery Planning." Many people new to the industry think the three terms mean the same thing. That is not the case. "Continuity Planning" (as it was referred to in the 1960's) evolved over the last 40 years into what many of us today refer to as "Business Continuity Planning." Being two of the senior members of the industry, we are often asked how this change in terminology came about.

As we teach in our BCP-101 workshop at the bi-annual Disaster Recovery Journal (DRJ) Conference, the terminology has changed in order to keep up with the changes in the scope of the planning. BCP-101 is a joint presentation in which we both discuss the basics of Business Continuity Planning. It is scheduled on the Sunday afternoon as a workshop and has been featured at the last four DRJ Conferences in Orlando and San Diego. It is designed to give novices attending the conference an understanding of how the industry started and how it has grown into what it is today.

Ed started working in data processing in 1965 with the Service Bureau Corporation (SBC), a division of IBM. He trained for months in all areas of computer operations (as well as unit record) at the Philadelphia office. He had months of training in systems design and programming. After 14 months of training, he was allowed to sell/market the computer services provided by SBC.

During his training, he was exposed to "Contingency Planning." It was a practice within SBC to take backups of master files and transactions and send them to the assigned SBC backup data center. SBC had 72 data centers around the U.S. Each office was assigned a backup office in which it would process computer applications if the primary center was experiencing an extended computer outage. The policy of SBC was that backups of applications processed that day would be sent to the backup data center late that evening.

The strategy was that if an outage occurred, the backup data center would process all applications for the affected office until it was back in operation.

The scope of the Contingency Plan was built to respond to a computer failure, or a failure of a series of disk or tape drives, or a problem caused by human error. The scope did not consider the destruction of computer equipment or data.

However, in 1972, the fire in the IBM Program Information Department in Hawthorne, NY changed the scope from a contingency plan to a disaster recovery plan.

As IBM's booklet entitled "After the Fire" showed, the scope had to be changed to include the replacement of computer equipment and the reconstruction of data. In addition, contingency plans had to be documented that identified "who" had "what" responsibilities and "how" they would carry them out. The fire led practitioners in the industry to change the scope of the "Contingency Plan" to the term "Disaster Recovery Plan."

Then in 1982, the fire at the Norwest Bank building in Minneapolis, MN occurred, which damaged 10 floors of the 16-story building. The bank's computer center was located four blocks away from the headquarters building.

This fire resulted in Norwest Bank sharing their story of the challenge they faced in resuming banking services for their customers, which they did very well, by the way. The fire led practitioners in the industry to change the scope of the Disaster Recovery Plan to a "Business Resumption Plan," which addressed business units' plans for resuming operations.

Then in 1993, the first terrorist attack took place in the NYC World Trade Center, when a bomb in the back of a van exploded after the van was parked in the WTC garage. After the stories of the emergency response glitches and the questions of security weaknesses were openly discussed, the practitioners in the industry worked to change the scope of the "Business Resumption Plan."

It was determined that there should be a merging of the Prevention Plans and the Emergency Response Plans with the Business Resumption Plans. When these plans were rolled together, they would represent the continuity of operations that most organizations strived for. This scope of planning resulted in the name changing to "Business Continuity Planning."

This name has continued to represent the policies and procedures that are used in the industry today. The term has survived the 1995 bombing of the Murrah Building in Oklahoma City, the Y2K crisis that we avoided with excellent "contingency planning" in 1998-1999, and the second terrorist attack on the World Trade Center in 2001.

While the name has not changed, the planning elements have. We have learned so much from Oklahoma City, Y2K and the destruction of the WTC in 2001 that we believe our plans have been adjusted extensively in order to be able to respond to just such a crisis again. If an organization has BCP planners who have not learned lessons from these experiences, they are going to be doomed to repeat the difficulties in responding to the challenges should a similar crisis strike their organization.

Together we have given several thousand presentations at conferences, taught over a thousand seminars and classes, made many training CDs, videos and cassettes, and written a number of books and articles, always making sure that the person and/or the audience understands that the job of the Recovery Coordinator is to coordinate. This is something we do all the time, not just when we are teaching BCP-101.

When we take a look at the role of the Planning Coordinator, we want to make sure that they understand that they must not try to develop the plan in a vacuum. We explain how important it is for the coordinator to rely on the expert knowledge of the staff members who perform their critical functions every day and know what needs to be done and how to do it.

We ask the audience to keep in mind that "people recover from disasters, not computers"; therefore they need to answer several key questions when they are developing plans or performing any other Disaster Recovery/Business Continuity Planning activities. These key questions are:

1. Q. What needs to be done?
    A. This information should be developed during the Business Impact Analysis from information gathered through questionnaires and interviews with business units and Information Technology, then agreed to by senior management.

2. Q. When is it to be done?
    A. The information gathered should identify when it needs to be done as per the Recovery Time Objective (RTO). This must take into consideration any dependency that one process may have on another. This will also be dependent on the allocation of resources, such as facilities, computer capabilities, telephones, supplies, etc.

3. Q. Why is it to be done?
    A. Identify what consequences this will have on the organization if it isn't done, or if it isn't done on time.

4. Q. Who is to do it?
    A. The team members identified in the plan and/or staff members who normally perform these processes may not be available; therefore there must be sufficient detail documented in the plan that someone with similar skills could understand and conduct the required recovery activities.

5. Q. How is it to be done?
    A. Tasks must be documented in sufficient detail (script) that if someone else with similar skills needs to do it, step-by-step procedures are available.

6. Q. Where is it to be done?
    A. A predefined work location(s) must be documented in order for the staff to know where to report if they can't use their normal work location. This may be determined by the allocation of resources (20%, 40%, 60%, 80% of their normal resource requirements).

7. Q. What resources are needed to do it?
    A. The inventory of items needed to be able to perform the tasks should be identified in each plan.

In summary, if you understand and learn from the lessons of the past, you can use these experiences to do the right things and avoid making the same mistakes that someone else has made. Take advantage of the good and stay away from the bad. If you coordinate the planning activities by using your knowledge of Disaster Recovery/Business Continuity Planning and use the expertise of the staff, then you will not be planning in a vacuum. If you answer the above-mentioned 7 key questions, you will have a plan that has a very good chance of meeting your organization's recovery planning requirements.

About the Authors

Norman L. Harris, CBCP, CRP

Norman L. Harris is President of Harris Recovery Solutions, Inc. He is recognized as a leader in Information Technology Management, and the founder of the Disaster Recovery Planning industry.

Mr. Harris co-founded CRISIS Magazine, one of the first disaster recovery publications and HSH, Inc., which became the largest disaster recovery consulting company in the US. Other positions held by Mr. Harris include Vice President and Director of Corporate Information Systems for BancOhio Corporation, Vice President of Information Systems for the Franklin Mint and Director of Information Systems for the United Telephone Company of Ohio.

For the last 25 years, Mr. Harris has consulted with thousands of business clients in every major industry including education, publishing, banking and finance, insurance and risk management, health care, federal, state, and local governments, manufacturing/distribution, wholesaling/retailing, utilities, and communications concerning their disaster recovery/business continuity planning requirements. He has worked with all of the major Disaster Recovery/Business Continuity Software Packages and assisted with the training of many in-house staffs in the use of the software.

Major corporations, national governments and higher educational institutions throughout the world have recognized the expertise of Mr. Harris in the areas of information technology and disaster recovery/business continuity planning. A partial listing of Mr. Harris' career achievements includes such milestones as: the receipt of IBM's highest award for service to data processing and his selection by IBM as the "Data Processing Executive of the Year"; development of the first disaster recovery plan; preparation and presentation of the first major address on disaster recovery planning at the Guide International Users Group meeting; and the founding of the Harris Recovery Institute, an organization dedicated to the testing and certification of recovery planners.

Recognized as a noted international speaker, Mr. Harris has made presentations on such diverse topics as Information Security Auditing and Cost/Risk/Benefit Analysis, Disaster Recovery/Business Continuity Planning, and developing Emergency Processing Procedures. He has addressed hundreds of audiences throughout North and South America, Europe, Asia, and Africa. He has participated in major symposia sponsored by IBM, Unisys, the Disaster Recovery Journal, DEC, and Honeywell/Bull. As a diligent author, Mr. Harris has contributed articles to Newsweek, Computer World, Computer Decisions, Info Systems, Bank Systems and Equipment, CRISIS Magazine, USA Today, The Wall Street Journal and many more. He appeared on "Good Morning South Africa", has had numerous television and radio interviews and has taught over 400 seminars, co-hosted 19 major conferences, and made several videos and CDs on the subject of Recovery Planning.

Mr. Harris has assisted many of the largest disaster recovery backup vendors with the establishment of their line of business plans and the definition of their product/service offerings. He coined many of the terms commonly used in the disaster recovery industry, including "hotsite", "coldsite", and "warmsite". Mr. Harris initialized "Disaster Recovery Planning" as the standard name for a new and rapidly growing industry. He can be reached at nlharris@harrisrecoverysolutions.com

Ed Devlin

Mr. Devlin has been involved in Business Continuity Planning since 1973. Mr. Devlin is a well-known consultant in the Business Continuity Planning industry. He has been a speaker at various seminars and conferences throughout the world and co-authored the book "Business Continuity Planning," published by Auerbach. In addition, Mr. Devlin has been a contributing columnist for the Disaster Recovery Journal magazine for a number of years, presented in the four video tapes produced by the BCP Video company, and recently introduced a newsletter for BCP professionals. He can be reached at esjdevlin@aol.com