Alf's Articles
Mitigate Business Disaster With A Recovery Plan
by Alf Nucifora
The recent destruction of the World Trade Center towers has brought
to the forefront the whole issue of business disaster and the unplanned-for
consequences of that disaster. While the majority of the Fortune
500 have developed business continuity and recovery plans, most
small businesses have given it little attention. Yet, it is small
business that needs recovery planning most of all. Data shows that
73% of businesses that suffer a disaster are out of business within
three years. 43% don't even survive the first year.
The most devastating disasters are associated with fire, hurricane,
flooding and earthquake. In most cases, it is not just the disaster
that hurts but the inability to gain physical access in a timely
manner (to literally get back into the building in rapid time)
in order to maintain continuity of operations.
Nowadays, there are a number of professional organizations that
will help government agencies and businesses (of all sizes) design
and develop strategies for recovering from a disaster or ensuring
continuous functioning of critical business decisions. In fact,
the Disaster Recovery Institute International (DRII) has certified
2,500 active Certified Business Continuity Professionals (CBCP)
who consult in the business continuity and recovery planning practice.
The recovery plan itself deals primarily with recovery issues relating
to physical plant, information technology systems and business processes.
The planning process encompasses the following:
- Identifying risks and vulnerabilities
- Quantifying and qualifying business impact resulting from threat
occurrences
- Defining critical business processes
- Designing recovery strategies
- And detailing a plan specific to the client's business needs
In the risk assessment phase, all potential vulnerabilities are
investigated including susceptibility to fire, post-disaster accessibility,
computer virus vulnerability and categorization of information,
data and files (mission sensitive vs. critical). The planning process
also provides a recommendation on risk negation as well as a business
impact analysis outlining the potential cost impact of each risk.
Critical business processes are prioritized with scenarios designed
for getting each critical process up and running in the immediate
post-disaster stage. Some of these critical processes include replacement
of computer hardware, software and office equipment, availability
of duplicate files, reestablishment of computer intranets and urgent
staffing needs including backup staff for each function and up-to-date
contact information in order to track staff at short notice.
According to Virginia Miller, Director of Technical Solutions for
Virginia Beach-based Metro Information Services, "The key is
in defining those critical business processes that are essential
to keeping a company in business and then developing a recovery
system to keep the revenue coming in." As an example, in the
case of companies that derive much of their revenue from phone or
Internet customer ordering, the immediate reestablishment of phone
and computer communication networks is of the utmost urgency.
Miller, who has provided business recovery consulting services
to the US Department of Defense, US Department of Transportation,
New York City Transit Authority, as well as the states of Virginia,
Florida and South Carolina, notes that the World Trade Center tragedy
taught the business community a number of valuable lessons. In addition
to the necessity of maintaining backup systems, the tragedy also
highlighted the importance of media relations, particularly for
publicly traded companies. Shareholders, investors, clients and
vendors must be informed immediately as to how the damaged company
will survive the disaster with reassurance provided that business
will be continued as normal. Note how the financial services firms
headquartered in the World Trade Center buildings were able to communicate
a business-as-usual scenario within 48 hours of the disaster. The
other learned lesson relates to the need to contact personnel quickly
not just to verify their safety but also to mobilize replacement
troops on an emergency basis. This calls for up-to-date staff contact
information at all times.
For certain business sectors such as financial services and healthcare,
a business recovery plan is mandatory. Banks and brokerages need
it to satisfy SEC requirements; hospitals need it for the maintenance
of emergency treatment. And, small businesses that are part of a
larger business's supply chain, e.g., a vendor/supplier to an automotive
manufacturer, must now have a recovery plan if they wish to maintain
their favored vendor status or link in the supply chain.
What should a recovery plan cost? Depending upon the size of the organization
and type of business, most plans cost in the range of $25,000 -
$150,000. And, responsibility for plan development no longer lies
with the MIS department but where it should be, with the CFO
or COO. Ultimately, the operating success of the company rests at
their door. A business recovery plan will go a long way to guaranteeing
that success.