General Practice, Solo & Small Firm DivisionMagazine
Volume 17, Number 1
BUSINESS RESUMPTION PLANNINGBY MICHAEL POLELLESet hundreds of miles from the nearest ocean, fault line, or flood plain, the city of Chicago is not considered at high risk for a natural disaster that would debilitate a large number of businesses. The safest place in most buildings in Chicago is considered the basement, and many businesses store critical documents and computer information there.We are warned to expect the unexpected, however, and in 1992 a construction crew drove a bridge piling through the bottom of the Chicago River and into an old tunnel system that crisscrossed the downtown area. Two hundred and fifty million gallons of water poured into the tunnels and flooded the basements of hundreds of downtown businesses.The flooding not only damaged the information and records in storage, it disabled power and security systems, effectively shutting down buildings until the water receded. Virtually none of these businesses was prepared to operate under these conditions. These business closings indirectly affected other businesses that relied upon them as critical customers or vendors. The Chicago Board of Trade had to shut down for more than a day, and Marshall Field's department store was closed almost a week. The cost to these businesses was more than $1 billion in unrealized revenues, lost productivity, damage to assets and offices, and loss of critical information. Some smaller businesses were actually forced to close their doors for good. Much of this cost could have been substantially reduced had a proper plan been made to deal with unexpected events.This is a dramatic example of how businesses can be affected by unexpected events; the events likely to disrupt most organizations are much smaller in scale. Computer failures, power outages, fires (or sprinkler systems' responding to a small fire), snowstorms, and employee sabotage are more common than people realize and can cause substantial hardship if the business does not plan for emergencies. Unfortunately, most businesses do not.These same organizations would not question the idea of protecting their assets against theft, loss, or damage. However, creating safeguards to protect critical business information is typically not a priority. What is the state of your business's preparedness against an unexpected event? Although your physical assets may be covered by insurance, would you be able to retrieve critical information after a disaster? What would happen if a computer virus destroyed all of the files on one of your servers? Would your insurance policy cover losses due to these types of events?A Business Resumption Plan (BRP) is much like an insurance policy. Its purpose is to protect against loss of revenues, liability to other businesses and employees, and loss of a business as a whole. The value of the plan (policy) is directly related to the effort expended to create and maintain it (premium). In some cases lack of a plan can be considered negligence; in addition to experiencing direct financial losses, the business (or even its officers or owners) could be responsible for losses to business partners or investors. The actual value of a BRP is hard to assess-the may cost seem high when developing it, but during a disaster the price seems insignificant.Knowing that a plan is required and getting it done are two different things. A BRP does not have to be complicated (simpler is better), and it is not important to try to anticipate every potential tragedy. The important part of business resumption planning is not to anticipate specific events, but to plan resumption of the business should key systems fail or become unavailable.Several phrases are more or less synonymous with business resumption planning: business contingency planning, disaster recovery planning, and others. Whatever the name, the components in a BRP are generally the same regardless of the size of the organization. The only difference may be in the size of the plan and the scale of the effort required to create and execute the plan. Small business owners will likely have to create their own plans.The basic components of a BRP include the following:
- Contact information and responsibilities.
- Current business processes.
- Business interruption events.
- Risk mitigation strategies.
- Business continuance and recovery processes.
Current Business Processes
Value of the process.What is the relative cost to the business when the process is interrupted or non-operational? Optimally, a dollar value should be assigned to each segment, but a relative ranking among processes often suffices. For example, the ability to produce billings is probably more valuable than making sales calls.
Time of no impact.How long can the process be interrupted before noticing an appreciable impact? You may be able to go several days without producing billings but function only a few hours before needing to produce a pleading.
Maximum downtime.How long can the process be interrupted before there is a significant impact to the business? Although billings can wait several days, several weeks may be too long.
Key systems.What systems, both hardware and software, are critical to performing the process?
Key supplies/vendors/facilities.What supplies (e.g., legal forms, paper files), vendors (e.g., courier services), or facilities (e.g., office, utilities, telephone systems) are required for the process?
Business Interruption Events
Risk Mitigation Strategies
- Inability to access data (identify critical data and where it is stored).
- Inability to access facilities.
- Inability to obtain key supplies or vendor services (list specific supplies/vendors).
- Loss of computer equipment (list specific equipment).
- Loss of computer data.
- Loss of physical data (e.g., paper copies).
- Telephone/communications outage.
- Utility outage.
- Loss of critical personnel.
Backup and recovery.Almost all businesses have some type of computer network that includes a server on which data is stored and workstations (or laptops) that access the data. Make sure the server is backed up nightly, with an adequate off-site rotation schedule. For example, each night when leaving take the second-to-last backup tape to an off-site location (home, bank vault, or other location) and bring the previous day's tape back to work the next morning. Keep at least two weeks' worth of daily backups; at the end of the month pull a tape and store it off site indefinitely. From time to time verify that all critical data is included on the backup tape.
Hard copies.In addition to backups, it may make sense to print hard copies of certain information and store them off site. Even computer backup tapes can fail, or changes in versions of software can make it impossible to access data that has been backed up. If you have a hard copy, you can always get back to the information.
Data storage.Ensure that all critical data is stored on the server that is being backed up. If you store critical data on your laptop that is not backed up, you are in a particularly risky situation. Keep all data on the server; if you work on it at home, make sure to move a copy to the server as soon as possible.
Redundant computer hardware.Investigate "fault-tolerant" systems for your computer network. This can range from fault-tolerant computers (the computers have two sets of disks, power supplies, etc.; if one fails, the other instantly takes over), to clustered servers (two computers connected so that, if one fails, the other switches on). Also consider keeping critical spare parts for your computer on site.
Computer facilities.Put all computer resources in a secured room, to prevent others from intentionally or unintentionally causing damage. Make sure equipment cannot be easily damaged by water leaks, excessive dust/dirt, radical changes in temperature, and the like. Some organizations locate an alternate site (another business location or third-party provider) with similar systems where they can work should the original facilities suffer a major disaster.
Computer security.Make sure all systems have adequate security (e.g., passwords) to protect against intentional and unintentional damage.
Facilities.In addition to examining computer facilities, identify alternate facilities you can work from for an interim period should you not be able to access your primary facilities. For example, you may be able to operate out of a law library, your home office, or another firm with which you establish an alternate facility agreement.
Alternate vendors.Don't become dependent on any one vendor. Although you may typically use only one vendor (such as a courier), have alternates identified should you need them.
Alternate personnel.Likewise, don't become dependent on any one person. Make sure there is a backup person or written procedure for every task that needs to be performed.
Communications.Most businesses rely on phone systems, which can also be affected by disasters. (This is less of an issue today with the prevalence of cell phones.)
Business Continuance and Recovery Processes
Once the Plan Is Complete
Michael Polelle is a senior manager and information technology consultant with Grant Thornton LLP. As Midwest practice leader for technology planning and selection, he has managed a number of projects related to the strategic use of technology, selecting appropriate technology solutions, and business resumption planning. He can be reached at firstname.lastname@example.org.