General Practice, Solo & Small Firm DivisionMagazine
Volume 17, Number 1
BUSINESS RESUMPTION PLANNING
BY MICHAEL POLELLE
Set hundreds of miles from the nearest ocean, fault line, or flood plain, the city of Chicago is not considered at high risk for a natural disaster that would debilitate a large number of businesses. The safest place in most buildings in Chicago is considered the basement, and many businesses store critical documents and computer information there.
We are warned to expect the unexpected, however, and in 1992 a construction crew drove a bridge piling through the bottom of the Chicago River and into an old tunnel system that crisscrossed the downtown area. Two hundred and fifty million gallons of water poured into the tunnels and flooded the basements of hundreds of downtown businesses.
The flooding not only damaged the information and records in storage, it disabled power and security systems, effectively shutting down buildings until the water receded. Virtually none of these businesses was prepared to operate under these conditions. These business closings indirectly affected other businesses that relied upon them as critical customers or vendors. The Chicago Board of Trade had to shut down for more than a day, and Marshall Field's department store was closed almost a week. The cost to these businesses was more than $1 billion in unrealized revenues, lost productivity, damage to assets and offices, and loss of critical information. Some smaller businesses were actually forced to close their doors for good. Much of this cost could have been substantially reduced had a proper plan been made to deal with unexpected events.
This is a dramatic example of how businesses can be affected by unexpected events; the events likely to disrupt most organizations are much smaller in scale. Computer failures, power outages, fires (or sprinkler systems' responding to a small fire), snowstorms, and employee sabotage are more common than people realize and can cause substantial hardship if the business does not plan for emergencies. Unfortunately, most businesses do not.
These same organizations would not question the idea of protecting their assets against theft, loss, or damage. However, creating safeguards to protect critical business information is typically not a priority. What is the state of your business's preparedness against an unexpected event? Although your physical assets may be covered by insurance, would you be able to retrieve critical information after a disaster? What would happen if a computer virus destroyed all of the files on one of your servers? Would your insurance policy cover losses due to these types of events?
A Business Resumption Plan (BRP) is much like an insurance policy. Its purpose is to protect against loss of revenues, liability to other businesses and employees, and loss of a business as a whole. The value of the plan (policy) is directly related to the effort expended to create and maintain it (premium). In some cases lack of a plan can be considered negligence; in addition to experiencing direct financial losses, the business (or even its officers or owners) could be responsible for losses to business partners or investors. The actual value of a BRP is hard to assess-the may cost seem high when developing it, but during a disaster the price seems insignificant.
Knowing that a plan is required and getting it done are two different things. A BRP does not have to be complicated (simpler is better), and it is not important to try to anticipate every potential tragedy. The important part of business resumption planning is not to anticipate specific events, but to plan resumption of the business should key systems fail or become unavailable.
Several phrases are more or less synonymous with business resumption planning: business contingency planning, disaster recovery planning, and others. Whatever the name, the components in a BRP are generally the same regardless of the size of the organization. The only difference may be in the size of the plan and the scale of the effort required to create and execute the plan. Small business owners will likely have to create their own plans.
The basic components of a BRP include the following:
- Contact information and responsibilities.
- Current business processes.
- Business interruption events.
- Risk mitigation strategies.
- Business continuance and recovery processes.
The first section of the plan is the most straightforward. This is a list of everyone who may need to be contacted in the event of an event that interrupts the business. It includes people responsible for executing the plan (such as your LAN administrator, if you have one), employees who need to be notified where to go or what to do, and clients and vendors who may need to be informed of a change of procedure.
This section should not take a lot of work; you probably have most of the information already in your firm's phone book. In addition to listing business numbers or extensions in the BRP, however, it is important also to list alternate contact means, such as a cell phone, pager, or home phone numbers.
Current Business Processes
Every company has a set of processes required for the long-term operation and support of the business. Documenting these business processes provides a framework for determining how valuable a process is, what measures should be taken to protect it, and the steps required to resume and recover the process.
The first step is to document major business processes, those that operate independent of one another, although they may be interrelated. For example, in a law firm, the major business processes might include performing research, taking depositions, preparing legal documents, preparing a case, and presenting a case.
Don' t forget support processes such as accounts payable, accounts receivable, making sales calls, and producing marketing materials. After identifying the individual processes, identify factors that will guide you in creating the rest of the plan.
Value of the process. What is the relative cost to the business when the process is interrupted or non-operational? Optimally, a dollar value should be assigned to each segment, but a relative ranking among processes often suffices. For example, the ability to produce billings is probably more valuable than making sales calls.
Time of no impact. How long can the process be interrupted before noticing an appreciable impact? You may be able to go several days without producing billings but function only a few hours before needing to produce a pleading.
Maximum downtime. How long can the process be interrupted before there is a significant impact to the business? Although billings can wait several days, several weeks may be too long.
Key systems. What systems, both hardware and software, are critical to performing the process?
Key supplies/vendors/facilities. What supplies (e.g., legal forms, paper files), vendors (e.g., courier services), or facilities (e.g., office, utilities, telephone systems) are required for the process?
Business Interruption Events
A business interruption event is any event that affects your ability to perform one of the business processes identified above. Again, an exhaustive list of every event that might occur is not needed. However, a little time spent brainstorming the types of events that can occur may be illuminating and will facilitate the next part of the planning process.
Typically, when people think of business recovery or disaster recovery they think of fire, floods, and other natural disasters that can take out an entire facility. These are referred to as catastrophic events. Although catastrophic events are typically severe, they are relatively rare.
More important is to plan for those events that are shorter in duration or localized to certain processes within an organization (system interruption events). Examples include such things as power outages, contained fires, inadvertent activation of sprinkler systems, etc. The impact of these types of events can be just as costly as catastrophic events (see table 1).
Risk Mitigation Strategies
This part of the plan describes the procedures and strategies you will put in place to mitigate the risk and cost of an interruption event.
To start, look at current business processes and system interruption events to determine key failure points in your business. For example, to produce billings, you need a record of client activity. It doesn't matter whether the power fails, you get a computer virus, or the building burns down. The key failure point is loss of data.
In general, these critical failure points can be enumerated fairly easily (some may be redundant), especially for a small business:
- Inability to access data (identify critical data and where it is stored).
- Inability to access facilities.
- Inability to obtain key supplies or vendor services (list specific supplies/vendors).
- Loss of computer equipment (list specific equipment).
- Loss of computer data.
- Loss of physical data (e.g., paper copies).
- Telephone/communications outage.
- Utility outage.
- Loss of critical personnel.
After determining the critical failure points, you need to identify the mitigation strategies. The strategies will mitigate the risk of an occurrence or minimize the cost to the business. There may be several possible mitigation strategies; the appropriate one will be based on the value of the affected processes compared with the cost of implementing the strategy, and the risk tolerance of the business.
Mitigation strategies vary greatly, but a few general strategies should be considered by any business.
Backup and recovery. Almost all businesses have some type of computer network that includes a server on which data is stored and workstations (or laptops) that access the data. Make sure the server is backed up nightly, with an adequate off-site rotation schedule. For example, each night when leaving take the second-to-last backup tape to an off-site location (home, bank vault, or other location) and bring the previous day's tape back to work the next morning. Keep at least two weeks' worth of daily backups; at the end of the month pull a tape and store it off site indefinitely. From time to time verify that all critical data is included on the backup tape.
Hard copies. In addition to backups, it may make sense to print hard copies of certain information and store them off site. Even computer backup tapes can fail, or changes in versions of software can make it impossible to access data that has been backed up. If you have a hard copy, you can always get back to the information.
Data storage. Ensure that all critical data is stored on the server that is being backed up. If you store critical data on your laptop that is not backed up, you are in a particularly risky situation. Keep all data on the server; if you work on it at home, make sure to move a copy to the server as soon as possible.
Redundant computer hardware. Investigate "fault-tolerant" systems for your computer network. This can range from fault-tolerant computers (the computers have two sets of disks, power supplies, etc.; if one fails, the other instantly takes over), to clustered servers (two computers connected so that, if one fails, the other switches on). Also consider keeping critical spare parts for your computer on site.
Computer facilities. Put all computer resources in a secured room, to prevent others from intentionally or unintentionally causing damage. Make sure equipment cannot be easily damaged by water leaks, excessive dust/dirt, radical changes in temperature, and the like. Some organizations locate an alternate site (another business location or third-party provider) with similar systems where they can work should the original facilities suffer a major disaster.
Computer security. Make sure all systems have adequate security (e.g., passwords) to protect against intentional and unintentional damage.
Facilities. In addition to examining computer facilities, identify alternate facilities you can work from for an interim period should you not be able to access your primary facilities. For example, you may be able to operate out of a law library, your home office, or another firm with which you establish an alternate facility agreement.
Alternate vendors. Don't become dependent on any one vendor. Although you may typically use only one vendor (such as a courier), have alternates identified should you need them.
Alternate personnel. Likewise, don't become dependent on any one person. Make sure there is a backup person or written procedure for every task that needs to be performed.
Communications. Most businesses rely on phone systems, which can also be affected by disasters. (This is less of an issue today with the prevalence of cell phones.)
Business Continuance and Recovery Processes
Business continuance is the process of continuing business operations during a business interruption event. For example, if you cannot access your facilities, how will you continue to generate legal documents, depose clients, or generate billings?
For each of the business processes identified earlier, identify and document a set of steps and procedures for continuing the process during an interruption event. These steps and procedures should take into account the risk mitigation strategies you have in place.
In addition to planning for business continuance, create a procedure for business recovery, which means getting your business back to normal functioning after a business interruption event. For example, you may not have access to your timekeeping system for two days due to a hardware failure. The continuance process would have everyone record his or her time on paper during that period. The recovery process would identify someone to enter all of the time in the system once it is up.
Many of these procedures may seem extremely intuitive and not worth the time of writing them down. But taking the time to create written procedures can reduce confusion at the time of an unexpected event and save a lot of time, headaches, and money.
Once the Plan Is Complete
It is a Zen belief that the act of performing an action is often more valuable than the result of the action. That is certainly the case with business resumption planning. Creating a BRP will force you to think of your business in new and different ways and prepare you to deal with unexpected events that may occur.
Likewise, the longer you go without reviewing your plan, the less valuable it will become. Review the plan from time to time to ensure that it is up to date and reflects the changes in your business. And don't forget to expect the unexpected.
Michael Polelle is a senior manager and information technology consultant with Grant Thornton LLP. As Midwest practice leader for technology planning and selection, he has managed a number of projects related to the strategic use of technology, selecting appropriate technology solutions, and business resumption planning. He can be reached at email@example.com.