
Can your business survive the unexpected?


Business continuity plans can help an enterprise stay afloat through any adversity--and bounce back more quickly after setbacks.

Hurricane George ... an ice storm ... a strike ... a bomb ... Web site failure ... a network problem ... communication cables catch fire and disable your data center for days.

An unsuspecting company could experience any of these. Many already have. As a result, "business continuity planning" (BCP)--a high-profile, mission-critical task that attracts the attention of the CEO, the CFO, and the board of directors--has supplanted what used to be called "disaster recovery planning," which fell under the umbrella of building security or human resources. BCP is, at heart, a form of risk management. CPAs have the skills to take it on and might do well to get involved with BCP projects within their companies or for their clients. CPAs and other financial executives involved in BCP from all parts of the country were interviewed for this article.

"After the Oklahoma City bombing, 40 square blocks were barricaded off for weeks," says Mary Carrido, president of Irvine, California-based continuity planning consultant MLC & Associates and national chairwoman of the 1,800-member Association of Contingency Planners (ACP; www.acp-international.com). "This devastated 4,000 businesses; 210 are not in existence anymore."

Insurance industry statistics show the number of man-made and natural disasters has increased. With the news media flashing disaster reports, regulators demanding that companies take preventive measures against the millennium bug and the reliability questions introduced by electric utility deregulation, more executives are realizing, "This could happen to me. And it could hurt."

Gauging the damage that disasters or other disruptions may cause to plant and equipment is only one aspect of preparedness. Other costly problems could follow: Relocation, repairs, regenerating lost data and replacing lost business income all take time, money and other resources. Intangible assets may be impaired as well. A business interruption can cause a company to lose market share, image and credibility; reduce customer satisfaction or brand value; damage research data; or strain relationships with suppliers or alliance partners. One-time events may also divert management and employees from normal core business pursuits, altering routines in ways that reduce efficiency or allow less dramatic problems to fester. "Professional service companies are starting to appreciate and protect the intellectual capital of a business," explains Pat McAnally, director of marketing at SunGard Planning Solutions in Wayne, Pennsylvania.

The year 2000 computer issue--a specialized kind of foreseeable disaster--has caused managers to think more about risk mitigation. Y2K issues have raised contingency planning awareness by government agencies such as the SEC, too. Corporate responsibilities to stockholders, employees, customers and the communities the company operates in have been on managers' minds. The ever-present threat of expensive shareholder lawsuits has added weight to management concerns.

A company without a continuity plan, or with an ineffective one, may not be meeting its statutory obligations; corporate managers or directors may be legally responsible for overseeing BCP. For example, the Foreign Corrupt Practices Act of 1977, while primarily directed at preventing bribery, also requires that company assets, including business records, be maintained and protected. "Lifeline" providers, such as hospitals, utilities, financial service firms, public works and airports, operate under regulatory mandates requiring BCP, as auditors know. Bankers are familiar with rules at the Federal Financial Institutions Examination Council and the Federal Deposit Insurance Corp. "Contingency plans are also a regular part of requirements by the Office of the Comptroller of the Currency," says SunGard's McAnally.

CREATING A CONTINUITY PLAN

Financial executives trained as CPAs and auditors--as well as CPAs in public practice consulting to business clients--have the skills and background to assist in or supervise the creation of a continuity plan. Corporate CPAs are likely to know who in the company to bring together to compile, test, and amend the plan.

The goal of BCP is to preserve and protect the essential elements of an enterprise and maintain an acceptable level of operations throughout a crisis and afterward, as the company recovers. It's always easier to minimize risk than to recover from a setback. People with experience planning audits know how to identify an enterprise's areas of greatest financial vulnerability. Those who prepare financial statements know that failure to identify risks correctly can have financial consequences severe enough to put a company out of business. So it is only a small stretch--mostly common sense--to identify the people who can suggest measures to minimize those risks and to document those measures in the detail that is second nature to accountants.

WORDS OF CAUTION

Kenneth Brill, a computer disaster prevention consultant at ComputerSite Engineering in Santa Fe, New Mexico, says that people can also be the weakest link. To ensure effective continuity planning, top management must support the project. When the top execs of a company have "bought in" and championed the process, the continuity plan is far more likely to work.

Common mistakes in designing the BC plans include not asking the tough questions or failing to give honest answers. "It's easy to gamble and play Russian roulette," quips Rick Roller, computing disaster preparedness manager for the Boeing Co. in Seattle and director of chapter services for the ACP. He recommends ample interaction between continuity planners and information technology (IT) people throughout the planning process.

Bill McCoy, a Soddy Daisy, Tennessee-based consultant, also recommends auditor/IT discussion. Otherwise, auditors and accountants may have a tough time keeping up with the rapid pace of technological change, as "a great deal of specific knowledge is required to make judgment calls in the BCP process," he says.

However, financial executives should be careful not to shift responsibility for continuity planning onto technical people, who can be more interested in saving devices than saving data or resurrecting processes, cautions Deloitte & Touche, LLP's New Canaan, Connecticut-based BCP specialist William H. Murray, certified information systems security professional. "The techies don't always have enough perspective on what drives corporate profitability to know what to protect," he says. Financial people usually do. In fact, Murray says, accountants may be "the only ones who can do it."

A NATURAL EVOLUTION

BCP's precursor--disaster recovery planning--focused on tangible assets such as backing up data, securing copies and spare equipment off-site and other techniques relying on redundancy. Contemporary BCP takes a more organic view by focusing on the processes, networks, flows, procedures and affiliations essential for an organization's survival and ongoing prosperity. Now, planners are likely to report to chief information officers and/or controllers and CFOs and are charged with maintaining the viability of intangible assets--not just bricks and mortar.

For instance, in 1993 the Federal Emergency Management Agency (FEMA; www.fema.org) began to pay more attention to protecting people and property rather than to cleaning up after the unthinkable had happened. "This culminated in the 'disaster-resistant-community' concept," says FEMA's Atlanta regional director John Copenhaver. To reduce the scope of future catastrophes, FEMA recently launched a new nationwide initiative, Project Impact, based on broad scope commonsense planning and prevention. Copenhaver often sees companies that have compartmentalized their plans and missed internal and external interdependencies. Organizations need to coordinate emergency planning with local authorities on such issues as traffic flow or which hospitals to take injured people to if necessary.

THE WIDENING DEPENDENCY CIRCLE

Close relationships between customers and suppliers are now common. Consequently the scope of continuity plans has widened to embrace relationships up and down the supply chain. Outsourcing also increases interdependencies. Just-in-time inventory brings hair-trigger reliance on uninterrupted delivery. A disruption anywhere in the supply chain can have repercussions at dozens of companies. When customers and vendors rely on their business associates and partners to this extent, they may even write into their contracts stiff penalties for failure to deliver on time. Intimately linked businesses should coordinate their BC plans with customers and suppliers.

E-commerce introduces its own new vulnerabilities. Even companies that don't sell over the Internet are bound up and down the supply chain with intranets, extranets or other electronic ties to suppliers, customers and regulatory agencies. Add exposure to intrusions and potential leaks of sensitive data used in e-commerce, and it is clear why continuity plans must take these technologies into consideration.

DESIGNING THE BC PLAN

With proliferating exposure, every company needs to do some advance planning. The BCP process begins with identification and management of risk. A workable plan may be as short as a few pages, relying, of course, on multiple data sets as backup. A thorough plan often takes six months to two years to develop, depending on the size of the organization.

The most critical question to ask about a BC plan is: "Does it really work under fire?" Because the selection of elements to include in a continuity plan is subjective, oversights are common. Better to test and find out about them before disaster strikes. Disturbingly, a recent study by KPMG, LLP, found nearly 40% of respondents either lacked business continuity plans or had not tested theirs within the last six months. Nearly three quarters of those with untested network plans said the loss of that network would cause "critical or very severe" business disruptions. Similar results emerged from an Information-Week/Ernst & Young survey. While a higher percentage of respondents in that survey had plans, more than half were either untested or were tested only every two years.

The building blocks of a strong continuity plan include impact analysis, physical assessments, strategizing, plan development and training, testing, updating, maintenance and mitigation. (See "Glossary of BCP Building Blocks," page 30.) For some financial managers, these may be new ways of looking at top level issues--new "decision trees" that weigh and compare business needs and processes in novel ways.

Like Sisyphus's work, BCP is never finished--continuity plans must be "living" documents. For large or complex companies, the plan should be updated constantly and requires a full-time BCP specialist. Smaller companies typically update annually. But the frequency with which a company's plan is reviewed depends on the rate of change within the organization. ComputerSite's Brill, a computer disaster prevention consultant at ComputerSite Engineering in Santa Fe, New Mexico, recommends quarterly validation of continuity plans for dedicated data processing areas, where programs change frequently and data builds continuously.

Although BCP is generally a full-time job at large organizations, responsibility for it often lands atop other primary job functions. In such cases consultants may be needed. "Vendors are used when a company lacks the expertise in-house or doesn't have the time available," explains Sam Lee at Chubb Services Consulting. This help is especially necessary if no one at headquarters is following up on continuity plans at branch locations.

A general guideline for hiring consultants, says specialty publisher Philip Jan Rothstein, is that the consulting arms of the larger accounting firms tend to do soup-to-nuts, multiday work, while smaller, more specialized consultants often deal with specific parts and special projects.

BCP RESOURCES

No one checklist does justice to the creative, analytical and forward thinking required for a successful BC plan. Yet it is still helpful for CPAs and planners to check others' lists, plans and guidelines. Templates are available from software vendors to help design plans from the simplest to the most complicated (see box, page 31, for some examples).

Industry associations are raising the level of professionalism with educational resources and accreditation. Rothstein, president of the largest BCP specialty book distributor, Rothstein Associates, in Brookfield, Connecticut (www.rothstein.com), says that in his customer base, accountants and auditors account for three times the number of book purchases they made only five years ago. He also notes growing BCP participation from business line managers, practitioners and senior management.

REPORT CARD

Just about all Fortune 500 companies have a dedicated continuity planning person, but midsize to small companies may not be devoting sufficient resources to continuity planning, BCP specialists say. As a whole, U.S. companies are levels ahead of their counterparts in Europe and Asia. Overseas subsidiaries of American companies often coattail on their U.S. parents' business continuity plan.

"The U.S. public sector is standardizing planning processes and drilling that down to the local level; plus the Red Cross and FEMA provide tremendous education and materials," explains ACP's Carrido.

According to Rothstein, the financial services sector is on the leading edge in BCP. "They're more sophisticated and have a lot more at stake," he surmises. After all, their product is information. He also sees more substantial continuity planning on the east and west coasts, areas hit hard by recent natural disasters. He points to "manufacturing and distribution, and smaller governmental organizations," as economic sectors that may be behind the curve.

WHAT'S A CONCERNED CPA TO DO?

"Accountants and auditors who want to participate or even head up the BCP in their companies need to be well educated about just what a comprehensive business continuity plan is. One way to get that education is to study BCP as part of ongoing professional education," advises Carrido. Industry associations, including the ACP, encourage certification, additional courses and broader offerings at educational institutions.

On-staff accountants might also help make a case at the board level for sufficient resources to proceed with BCP. The CPA/planner should focus on those things that are essential to the company's ability to resume business after a major disruption, instead of focusing on just having a plan for compliance. CPAs can add value to plans by improving assessments of the risk of potential losses and quantifying costs of business components or a professional service interruption or repair of a damaged database. Auditors need to zero in where value is added within a business and make sure those areas are fully covered by the continuity plan. The planning skills of a CPA can convert a perfunctory plan into a preeminent one.

FOR FURTHER READING

A list of books discussing issues presented in this story

* Business Continuity Planning ... A Step-by-Step Guide, with Planning Forms. By Kenneth L. Fulmer. Rothstein Associates, Brookfield, Connecticut, 1996.

* Business Continuity Planning Guide. By Strohl Systems, King of Prussia, Pennsylvania, 1995.

* Business Resumption Planning. By Edward Devlin, Cole Emerson and Leo Wrobel. Auerbach Publishers/CRC Press, Boca Raton, Florida, 1999.

* Call Center Continuity Planning. By Jim and Sharon Rowan. Auerbach/CRC Press, Boca Raton, Florida, 1999.

* The Definitive Guide To Business Resumption Planning. By Leo Wrobel. Artech House, Norwood, Massachusetts, 1997.

* Disaster Planning & Recovery: A Guide for Facilities Professionals. By Alan M. Levitt. John Wiley & Sons, New York, 1997.

* Disaster Recovery Planning for Computers and Communications Resources. By Jon Toigo. John Wiley & Sons, New York, 1995.

* Disaster Recovery Testing, Exercising Your Contingency Plan. By Philip Jan Rothstein, editor. Rothstein Associates, Brookfield, Connecticut, 1995.

* Disaster Survival Planning: Organizing the Project. By Judy Bell. Disaster Survival Planning Inc., Port Hueneme, California, 1993.

* Exercise Planning and Evaluation. By the staff of the Emergency Response Institute. Emergency Response Institute, Olympia, Washington, 1990.

* Fire in the Computer Room, What Now? Disaster Recovery Planning for Business Survival. By Gregor Neaga, Bruce Winters and Pat Laufman. Prentice Hall, Upper Saddle River, New Jersey, 1997.

* Normal Accidents: Living With High-Risk Technologies. By Charles Perrow. HarperCollins, New York, 1984.

* Risk Handbook. By John C. Chicken. International Thompson, Boston, 1997.

* Total Contingency Planning for Disasters. Managing Risk ... Minimizing Loss ... Ensuring Business Continuity. By Kenneth N. Myers. John Wiley & Sons, New York, 1995.

These books are all available through distributor Rothstein Associates, Brookfield, Connecticut (www.rothstein.com).

RELATED ARTICLE: EXECUTIVE SUMMARY

* NATURAL DISASTERS, MAN-MADE DISASTERS, communications and data network disruptions or the like can put a company out of business. A business continuity plan can help it survive.

* CPAs HAVE THE SKILLS TO ADD VALUE to business continuity plans. These skills come from experience with risk identification and management and require a big-picture financial perspective.

* BUSINESS CONTINUITY PLANNING IS A HIGH-PROFILE task within an organization, of personal interest to the CFO, the CEO and the board of directors. Officers of companies without such plans or with ineffective plans may be vulnerable to legal action.

* THE SCOPE OF PLANS HAS WIDENED to embrace relationships up and down the supply chain. Older business continuity plans focused on assets. Contemporary plans take a more organic view, concentrating on processes, networks, flows, procedures and affiliations.

* PLANS MUST BE TESTED before disaster strikes. Otherwise, crucial information may get left out. The goal of a company's plan is to be able to resume business after a major disruption.

RELATED ARTICLE: CASE STUDY

Lights Out In Greater San Francisco

Electric power failed for one million people within 49 square miles of San Francisco Peninsula at 8:17 A.M. on December 8, 1998. Human error was the culprit: A utility crew inadvertently mishandled a ground wire during substation repairs.

The city coped reasonably well. Traffic moved haltingly through nonworking intersection lights. Tunnels were eventually cleared of traffic stopped in the confusion. Hospital backup power worked.

Kenneth G. Brill, a computer disaster prevention consultant who has done trouble-shooting at hundreds of sites, happened to be at an engineering company's offices. "The telephone PBX system went out immediately," Brill said. "Backup batteries failed, perhaps because they were never serviced." Calls could not be made or received over public lines. Employees jumped to cellular phones. Wrong move.

That network overloaded and gridlocked and was out for the entire power loss. Several old-fashioned phones were finally unearthed and connected to the outside world via analog fax lines. "Virtually every BC plan I know depends on the cellular network as a backup," Brill remarked. "That's a fallacious assumption if the problem's regional, and peak carrier capacity is unconfirmed."

The company's emergency generator failed to start. Hallways remained dark. Building occupants groped their way downstairs from upper floors. Says Brill, "We did have flashlights, but they were inadequate for the duration of the power failure." And there were not enough of them.

People were trapped in elevators. After delays, the elevator doors were opened manually, but rescuers still had to cope with darkness and yawning elevator shafts. "I kept trying to calm one young woman stuck between floors, telling her we were there but couldn't get to her," said Brill. Bottom line: The company's 20 people were eventually "safe," but they were idled for the rest of the day.

"No business" tales abounded in San Francisco that day. Merchants couldn't ring up purchases on computerized registers, which were locked shut. Pacific Stock Exchange computers failed, lacking an outside source of auxiliary power. One radio station was knocked off the air. Power was completely restored to the Bay area within 7 hours, thankfully, without major safety problems or emergencies.

Answer honestly: How soon will you rethink and test your business continuity plan? This writer has seen the light: My number one priority is to use a long-idled disk backup system.

RELATED ARTICLE: Glossary of BCP Building Blocks

impact analysis: Defines the scope and depth of what really happens within an organization when a business interruption or disaster occurs, with a focus on financial, business and operational systems.

physical assessment: Identifies and quantifies a company's real assets (buildings, equipment, data, supporting utilities) and determines in what sequence and at what pace they are normally used. Looks at how these might be affected by a disaster and evaluates alternatives available to replace them in an emergency.

strategizing: Looking into the relationships between corporate functions and systems, ranking their importance and assessing the scope and effect of the company's business; allocating corporate resources and attention according to these priorities.

plan development: Creates an integrated plan for recovering from a disaster or business interruption affecting all or parts of an organization.

training: Fostering employee and management awareness of BCP, teaching personnel how to keep the plan current, how to test it and how to actually use it.

testing or exercising: "Running" parts or all of a plan in real time under simulated need, correcting any errors found and refining details to ensure smooth execution.

updating: Assessing ongoing needs, with review frequency ranging from almost constant for critical, rapidly changing parts of a business, to annual for simpler, more mature, steady-state businesses.

maintenance: Keeps up assets needed for a company to conduct business in an emergency and plans for that maintenance as well as ongoing upkeep of the BC plan itself.

mitigation: Preventing or moderating disruptions by improving safety, applying common sense and designing and planning in advance of emergencies.

RELATED ARTICLE: "Live" From the Web

A huge number of domestic and international Web sites contain information on disaster planning and business continuity. A few searches will generate many useful pages of vendors, consultants, advice, backup facilities, articles and explanations. Major accounting firms' and consultants' sites generally maintain helpful, and sometimes extensive, material.

For the past three years, the Massachusetts Institute of Technology (MIT) has posted 40+ pages of its BC plan (web.mit.edu/security/www/pubplan.htm). Why? Jerry Isaacson, data security manager at MIT and the plan's author, explains, "We're an educational institution and thought it should be available as a resource."

Disaster specialist Factory Mutual, which supports insurance companies and provides BCP consulting services in property loss prevention to policyholders of three insurance company parents, also posts a fairly extensive continuity plan outline at www.factorymutual.com/disaster.htm.

RELATED ARTICLE: Insurance Is Not Enough

Insurance coverage, while an essential part of risk mitigation, is really incidental to a recovery plan. A payment received a year after a company has gone out of business is small consolation; it is the supply lines, information flow and speed with which processes are rerouted that keep a business going after a disaster.

Primary underwritten coverage is available for "business interruption" and "extra expenses." The former reimburses for lost revenue streams, while the latter handles extraordinary expenses incurred restoring a company's business. In either case, the deductibles are usually high. Kurt Edfast, associate manager at Great West Life Assurance in Englewood, Colorado, sees policies with deductibles as high as tens of millions of dollars.

Insurers reward companies that reduce the probability and severity of losses with solid contingency plans and risk mitigation procedures. "I've seen savings up to 20%," says Michael C. Redmond, senior manager at Deloitte & Touche's enterprise risk services in New York.

However, discounts depend on a plan's perceived and tested quality, relationships with insurers and how well the plan is communicated. If an insurer doesn't ask to see a company's continuity plan, the person purchasing the policy should bring the subject up. It can't hurt, and it could lower premiums significantly. To get credit for a solid plan, Redmond adds, "It helps if the insurance company has its own BC plan." It's also prudent to pick such insurers for their higher likelihood of "being there" after some dread event of their own.

If a company falters after a disaster, directors and officers can be sued for negligence. A weak continuity plan can leave them very vulnerable. Even with a good plan, most corporate fiduciaries insist on indemnification. But "D&O [directors' and officers'] liability insurance has been harder to get, and rates are up," reports lawyer Peter Vogel of Gardere & Wynne in Dallas. As a computer transaction specialist, he finds that most disputes involving computers are litigated on fraud and negligence rather than breach of contract. That leaves fiduciaries with oversight responsibilities at risk.

RELATED ARTICLE: BCP Questions That Auditors Should Ask

Data recovery veteran Bill McCoy, a consultant based in Soddy Daisy, Tennessee, advises on common BCP mistakes, some catchable in the audit process. These questions build on his mainframe experience at Chubb Corp. as the corporate disaster recovery coordinator who wrote the firm's original strategy for disaster recovery. They reflect real-life processes.

[] Are observations of company processes and functions taken over an extended time?

[] Are backups taken regularly and stored safely, offsite?

[] Are recoveries tested against those normal backups?

[] Is there sufficient documentation to direct any restoration, even if key executives are not available?

[] Do multiple sites for distributed computer networks each have their own plans and safe storage? Are those plans locatable and executable? Are they tested?

[] After data is recovered, can the company's critical applications actually run and deliver correct results?

[] Are existing procedures able to handle growing amounts of data and increasing numbers of interconnects?

SUSAN RODETIS is a freelance journalist based in New York City. Her stories have appeared in Mutual Funds, International Global Risk Manager, Financial Trader and EQUITIES. Her e-mail address is susanr@ziplink.com.
COPYRIGHT 1999 American Institute of CPA's
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 1999, Gale Group. All rights reserved. Gale Group is a Thomson Corporation Company.

Article Details
Title Annotation:business continuity plans
Author:Rodetis, Susan
Publication:Journal of Accountancy
Geographic Code:1USA
Date:Feb 1, 1999
Words:4053