Source: Article Title. Contingency Planning & Management. September, 2001: pp 14-17. Reprinted with permission from Witter Publishing Corp. Content contained on www.ContingencyPlanning.com.
by: Nicole Ross Pages: 14-17; September, 2001
New threats to businesses have emerged, resulting in a heightened awareness of contingency planning. Business continuity managers should take this opportunity to revisit their existing plans, as well as consider some new provisions.
In a September 26 editorial in the Eastside Journal, Clayton Park notes that, according to the Associated Press, prior to the September 11 terrorist attacks, consumer spending was one of the last remaining supports of an economy headed into a recession; now, reports are circulating that consumer confidence has fallen to its lowest point in almost six years. Perhaps for the first time, corporations are realizing that terrorists may purposefully target businesses and financial institutions, creating a nasty ripple effect across the span of the nation's whole economy.
What does this mean for business continuity? While contingency planners could have never envisioned a scenario in which terrorists would use four commercial airplanes as veritable flying bombs, the September 11 attacks have sparked a fresh awareness of the need to continually revisit, revamp, and test corporate business continuity plans. Taking your organization's contingency plans off the back burner might very well be the most appropriate response to the threats that terrorism poses to business-critical assets—including personnel, facilities, networks, data, and reputation.
According to James Pinzari, business continuity practice leader for ArupRisk Consulting (Westborough, Mass.), the demand for business continuity planning services relative to crisis management, including emergency response, crisis communication, and business recovery, has dramatically increased. Many companies have realized that insurance on its own will not ensure business continuity in the event of a major loss.
"We've received an unusual number of calls since the terrorist attacks from companies showing great concern for the security of their people, and questioning their ability to respond to a catastrophic event," says Pinzari. "I believe the role of the business continuity planner will become a much more valued position within companies."
A New Worst-Case
The feeling of disbelief that an attack of such magnitude could seemingly come out of nowhere leaves businesses with their hands tied in a sense, as executives wonder how to bolster their corporate infrastructures to contend with both the current situation and other nebulous "what-ifs." Before the terrorists struck, the worst-case scenarios that senior management and contingency planners typically prepared for were periods of extensive downtime due to network failure or a power outage, or complete loss of functionality due to a natural disaster, like a hurricane or flood.
"In the last 15 to 20 years, corporations, largely as a result of the need to meet Wall Street's demands, have been under pressure to increase productivity and reduce costs, and the result is an incredible concentration of corporate assets," says Scott Ream, CPM Editorial Advisory Board member and president of Virtual Corporation (Flanders, N.J.). "In many instances, corporations end up with all of their eggs in a single basket, and that obviously makes them easy prey."
Business continuity planners should therefore raise the bar on their organizations' contingency plans by asking senior management to redefine what they consider to be the worst-case scenario they may have to face, suggests Ream. While no one would expect a business to have predicted such a scenario as that which befell the Twin Towers, the fact remains that many corporations would not have been prepared to deal with the ramifications produced by the attacks.
Ream cites the example of Virtual Corp.'s analysis of a large brokerage firm based in New York City, whose worst-case scenario before September 11 was the assumption that they might lose access to a single building on Wall Street. The firm's business continuity planners considered it an acceptable plan that, if the scenario occurred, operations would be temporarily moved to another building also located on Wall Street. Now, however, due to all of lower Manhattan having been shut down after the terrorist attacks, that plan would have been completely inadequate.
In a world that does seem irreversibly changed, and somehow so much more fragile, how do business continuity planners approach the planning process?
Raising the Bar
The basic planning process—gaining senior management buy-in, conducting a business impact analysis, writing and testing the plan, and maintaining it—will not change, but it likely will become a much more meticulous process, as planners revisit existing plans and redefine what risks their organizations face (see "Planning for the Worst").
Identifying a worst-case scenario based on sound risk assessment, conducting an impact analysis, formulating effective recovery strategies, and ensuring that your organization has good resources for security assessment, physical threats, and alternate business planning may receive more attention, states Ream. More important, though, is the fundamental method by which corporations choose to approach business continuity planning.
For example, John McCarthy, a senior manager for KPMG's Mid-Atlantic Information Risk Management practice (Washington, D.C.), explains that his company's methodology for determining an organization's vulnerabilities—locating corporate risks on four continuums (people, process, technology, and information)—helps planners to create a strong BCP framework to aid in the continuity or resumption of operations after any type of business interruption or disaster scenario.
"Every company can't plan for a hijacking and the crashing of planes into their building, but if we plan properly to put the enterprise risk management (ERM) model in place, we can create a framework for any context," McCarthy states. "Even if you suffer a complete disaster, you're still able to manage it and recover."
By prioritizing BCP, planners may be able to encourage senior management to endorse an enterprise-wide business continuity program that treats BCP as a business process or function, similar to budgeting or personnel, says Ream. Also, by reassessing an organization's vulnerabilities and points of risk, as well as their business impacts, planners can improve their organizations' day-to-day operational procedures.
Specifically, business continuity planners should seek upper-level management support for distributed personnel and operations, as well as for succession planning, if they haven't already done so.
"Businesses have done a great deal in the past several years to be competitive, and efficiency in many cases has resulted in exposures such as single- or sole-source suppliers, single distribution centers, and site-specific production facilities," says Pinzari. "New consideration has to be given to the importance of redundancy to specific parts of their businesses. Also, succession planning, often overlooked in business continuity planning, should be looked at more closely."
Unfortunate though it may be, a disaster's aftermath is one of the best times for contingency planners to go to upper management to gain support for their business continuity programs. Corporate management likewise may round up their contingency planning teams to re-examine existing plans and to decide what other provisions should be added.
Ream points out that senior management support is essential because the level of capital and human investment to implement recovery strategies is directly proportional to the level of a corporation's worst-case scenario.
Pre-existing Relationships
Just as a good crisis communications plan calls for pre-existing working relationships with the public, be they employees or the media, a thorough business continuity plan should take into account the relationships an organization should already have in place with government organizations, law enforcement, emergency personnel, vendors, and industry peers.
In the case of a natural disaster or a terrorist attack, organizations expect to be involved with governmental agencies at the local, state, and national levels. Executives can form these relationships prior to potential disasters, and then can better anticipate how they need to interact with the government in various possible scenarios. Also, it's important to communicate and conduct emergency exercises with law enforcement, fire and medical personnel, and other agencies that will be called upon as part of the corporate crisis response.
In addition, Brian Turley, president of Strohl Systems (King of Prussia, Pa.), recommends that companies review their vendor contracts to ensure that the contract specifics reflect the company's current needs. Dialoguing with Internet service providers and other outsourcing services to see what mitigating factors they have in place can also aid planners. Similarly, if corporations use contingency planning software tools, checking that the maintenance agreement is up-to-date is beneficial.
"In the financial, IT, energy, and telecommunications industries, information-sharing and analysis centers have been put in place. For example, Fortune 100 banks in New York City have put together an information security guide in case they're all vulnerable to the same thing," says Ream. "We need to be able to share information quickly and without boundaries, and if we already have structures in place, we have the capability to reach our industry peers quickly. This can potentially help to avert a disaster, or to contain and mitigate it."
These types of preformed, functioning relationships will allow an organization's continuity plans to run more smoothly because the disaster site won't be the first time the plan's key players work together.
Clear Communication
In the midst of a disaster, man-made or natural, organizations don't have the time to delegate who will communicate what to whom; the lines of internal and external communication should already be clearly delineated in the crisis communications part of the corporate BCP. It's also important to remember that communicating with employees, customers, and business partners is essential in ensuring continuity of operations after the immediate crisis response comes to a close.
Even when not directly impacted by a disaster, organizations may find it difficult to keep the workplace atmosphere "business-as-usual," so proactive communications between upper management and employees can help to defuse some of the uncertainty.
"During the first week after the attacks, several times a day, we received messages from KPMG's leadership when it was unknown whether there were any KPMG people involved," says McCarthy. "We also had a tremendous number of clients in the World Trade Center, so KPMG tried to carefully account for everybody. They gave us status reports on our colleagues and clients so we'd have some comfort level that either they were okay and they made it, or to possibly offer help because they didn't make it."
During a crisis situation, it can be tempting to focus first and foremost on recovering internal operations, but customers and shareholders need reassurance as well.
"We've seen many messages come out from companies that had offices in the World Trade Center, like, 'We've had a disaster, but we're recovering from it. We're still in business, and your resources are protected,'" McCarthy explains. "In this case, customers and shareholders might not want to be the ones calling in when people are still being recovered from the crash sites, but they still need reassurance about their accounts or assets."
Sensitivity on the part of corporations to victims and their families, as well as to their employees, customers, and business partners, is a fine line to walk. Grieving regrettably has to go hand in hand with the continuance of operations, and organizations that plan how to approach this awkward partnering beforehand can avoid public ill will.
What Matters Most
Ultimately, people are what make organizations function, and they must be made the top priority. In the coldest way possible, the events of September 11 brought to light the fact that contingency planning is not only necessary, but absolutely essential to business continuity, in its operational and human elements. After all, many companies in the World Trade Center managed to get their critical data back up and running shortly after the attack, but they still faced the unprecedented challenge of continuing their operations despite the loss of workers and workspace.
Planning for the Worst
BCP software and service provider Strohl Systems recommends the following list of questions that business continuity managers should consider when evaluating their companies' vulnerability to terrorism:
- Does your emergency plan include a section for responding to a terrorist incident?
- Have you included possible terrorist targets (facilities and personnel) in your hazard and vulnerability analysis?
- Have you conducted a counter-terrorism exercise, anti-terrorism exercise, or consequences-of-terrorism exercise, complete with law enforcement, fire, medical, and emergency management participation?
- How can you monitor and prepare for any potential danger posed by extremist political groups in your area?
- What should be your organization's policy on negotiating with a person threatening a terrorist act?
- Do you have an economic recovery plan for a terrorist act in your jurisdiction?
- Have you clearly defined the channels for close response coordination among civilian and military agencies and among local, state, and federal government agencies?
- Can you track and present, as part of litigation (which is sure to follow), a complete chronology of actions taken by the responders under your control?
- What concerns you most about protecting your company and its personnel, or your community and its appointed or elected officials, from terrorism?
- What is the chain of command and subsequent incident management plan within your organization in the event of a terrorist threat or attack to your organization?