It's normal for a bank to make sure its automated teller machines are safe and secure. But the 1997 flood of Manitoba's Red River Valley had officials scrambling to cover the unexpected: one institution even had to move entire units to higher ground with a forklift.
Many a business has been laid low by far less dramatic circumstances. Forget tsunamis and terrorists. The mouse that chews on your wiring and the Internet service provider that's gone down for the count can just as effectively put the brakes to your profitability. Not to mention broken water mains, transit shutdowns, blizzards, flu outbreaks, electrical blackouts and the construction project next door that severs your telephone connections.
Such events should all be covered in the process of business continuity planning, which Robert Parker, a partner in Enterprise Risk at Deloitte in Toronto, describes as “the overarching ability of the organization to continue in business after a disruption.” A subset of business continuity planning is disaster recovery planning.
Parker classifies a service disruption as an event that lasts anywhere from 15 seconds to a few hours–like a computer glitch. “Then you have disasters: that's when you lose part or all of your infrastructure,” he says. “A lot of organizations have some form of disaster recovery planning to address their computer operations. However, many organizations do not have a well-thought-out business continuity plan.”
Are you covered? In case you're not sure, here are 10 questions you should ask about your company's state of readiness.
1. Do we have a plan?
“Less than half of Canadian organizations have continuity capability in place,” says Jayne Howe, managing partner of the Howe Partnership, a Toronto-based consulting firm that specializes in business continuity and disaster recovery. Industries that tend to be better prepared–in part because they are under public scrutiny–are banking, financial services, insurance and utilities. But companies in other fields are increasingly aware of the need to plan ahead.
“One of the main drivers is that U.S. insurance companies are saying, 'Enough is enough. If you can't demonstrate some comprehensive disaster recovery, we won't cover you or we'll increase your premium,'” Howe says. “And we've all heard about Sarbanes-Oxley. Regulatory and government bodies are saying that if you want to be viable, you have to put that in place. Shareholders are insisting. It's more than goodwill or best business practice. Goodwill hasn't worked in the past, because people don't have good plans in place.”
2. Is our plan tailor-made or off-the-rack?
Companies that purchase what might be described as a one-size-fits-all plan may be in for unpleasant surprises when they try to put it into action. “A lot of people who buy templates off the shelf think they're covered, but that doesn't work,” says Howe. “It has to be customized to the company.”
Beware half measures. “Frankly, there's been a lot of faking about this, aimed at fooling the auditors,” says Graeme Jannaway, managing director of Jannaway & Associates, a Toronto-based consulting and education firm working in risk management, business continuity and recovery. “An old game that is still played is when someone talks to the business and subscribes them to a hot site. When the auditors come, it looks fine.” But a plan on paper must be tested, and employees must be trained to apply it. “If there hasn't been a corporate-wide program to build a continuity capability, it's possible that you've wasted your time and money,” says Jannaway.
3. Is our plan based on an accurate list of our most critical functions?
Know what is crucial. “What are the priority business applications?” asks Parker. “There's a whole range of activities that may be able to operate on a day-to-day state for a long time, like some of the marketing and HR activities.” Parker suggests an analysis that takes your personnel into consideration first, then your supply chain, financing, crisis communications and physical property and facilities.
“When you start a program, you ask: 'What do we do, and how soon after a disaster do we have to be able to do it?'” says Jannaway. “The fingers of one hand should be able to list what is really important to this company. A lot of businesses think they need to go back much faster than they really do, but once you get past life safety, a whole lot of things, frankly, can wait. One of the discouraging things for executives is, if they are doing their job properly, the company can hum along for a few weeks without them, so they are not on the primary list for recovery.”
4. Are we backing up some records unnecessarily?
“Look for what I refer to as natural backup,” advises Jannaway. By that he means records that are already kept in at least two extra copies in different locations in the natural course of doing business. Jannaway recounts the story of a major insurance company located in Toronto that lost a lot of their policy files in a fire. “They realized that all their agents across Canada would have original copies with signatures, so they wrote all their agents and rebuilt their files,” he says. (The caveat: insurance is a relatively slow-moving industry; other kinds of businesses might not be able to reconstruct their records at such a leisurely pace without losing clients.)
5. Are we continually documenting the knowledge stored in our employees' heads?
It's good to know which individuals possess unique knowledge and skills; but it's even better to document the information.”The group or individual who provides the good or service daily is responsible for the recovery of that good or service,” says Jannaway. That should include keeping detailed written records documenting all aspects of the function and its recovery. “The author is the person who does the job every single day,” adds Jannaway. “The editors of the plan are the people who've been cross-trained on that particular function. They will read it critically and comment.” The third level of the documentation team is normally the manager or supervisor–“and God help you if neither the primary nor the secondary is available to do the job,” Jannaway cautions.
6. Do we regularly test and maintain our plan?
Be prepared. “A common problem that we see is a plan that is developed but not adequately maintained,” says Parker. “Also, disaster recovery and business continuity plans need testing. We find out many of them are not tested or not tested regularly.”
System or application software, for instance, may have changed; it's better, Parker says, to find that out before an event occurs than during an event. “Often, people are not trained how to recover the system, or the person who usually does that job is not available,” he says.
7. Are any systems slipping through the cracks?
Be thorough. “Quite often, organizations will be very rigorous about backing up their data, but not nearly as rigorous about application programs,” says Parker. “And if some of the systems software has been modified, and it is unavailable, new software from the vendor will not contain the required modifications.” Problems also arise when organizations permit business units to construct their own systems that the IT department is not aware of, he adds. Parker also notes that electronic backups do not always reproduce the level of detail normally required for statistical analysis and archival purposes, which may cause difficulties later on.
8. Do we have round-the-clock access to recovery tools?
Parker says that some companies regularly send computer backup files and recovery programs home with an employee for safekeeping. “When they're on holidays or not at home, the material's not available.”
In urban areas, most problems generally occur when staff are unable to get to their workplaces or tools, which Howe refers to as “access denial.” She adds: “There are really only two flavours of access denial: one is where you still have power, and the other is without power.” In either case, recovery tools must be available offsite, ideally at a location with a different power source.
9. What assumptions are we making in our plan?
“People make assumptions,” says Howe. “People assume that land lines will be working, that all of their staff are going to be available, so their plans don't accommodate fatalities and they don't accommodate situations like the Quebec ice storm, where people were willing, but they couldn't get anywhere. A good plan will list these assumptions.” (Howe suggests you get used to the YOYO concept, something she first encountered through a conference of the Disaster Recovery Information Exchange, a not-for-profit organization that shares emergency planning knowledge. In the case of a grand-scale problem like the 2003 eastern-seaboard power blackout, it means, “For the first 24 hours, You're On Your Own.”)
10. Are our suppliers prepared?
Your factory may be up and running, but if suppliers of parts and raw materials are out of commission, you're at a standstill, too. This is especially true in these days of minimal warehousing. “What we have is a just-in-time environment,” says Jannaway. “We've lost our just-in-case capacity. More companies are looking at their partners up and down the supply chain and saying: 'I'm sorry, you don't have a provable business continuity capability.' People are becoming much more hard-nosed about this.”
There's no such thing as a sure bet, even for the experts. One of Jannaway's clients spent several years working in a building adjacent to a subway construction project. “We all watched with a sigh of relief as they laid the last tile in the landscaping,” he recalls. “They decided it wasn't straight, and when a backhoe went to straighten it, it nicked a natural gas line. We were all evacuated.”
However, the odds are good that time and money spent upfront will reduce every kind of cost associated with business disruptions. Soon we may all be asking not only: what is it, how much does it cost, and how does it work, but: is it recoverable?