Preparing for the unknown: developing a business continuity plan.
Disaster recovery vs. continuity planning
Certified business continuity planner, Paul Striedl, chairman of the board and chief executive officer of the Association of Contingency Planners, asserts that many disaster recovery plans are developed based on the assumption that the facility and technology will be knocked out, but that staff will evacuate safely.
"Recent events have challenged this assumption and have spurred the growth of business continuity planning," Striedl said. "Business continuity plans [BCPs] typically make preparations for one or more of four types of calamities--loss of facility or access to it, loss of IT [information technology], loss of people or loss of supply chain.
"While there's no universally agreed upon definition of a BCP, these plans address all the requirements essential to keeping the business running," he continued. "It sets out clear roles and responsibilities, provides contingency plans to keep key business activities active in difficult situations and details procedures to keep employees safe while reinstating services."
New York is leading the charge in helping telecommunications companies prepare to maintain operations in adverse conditions. Dennis Taratus, chief of network reliability in the Telecommunications Office of the New York Public Utility Commission (PUC) said, "Commission rules and regulation have required the state to provide an emergency plan. Since September 11, those requirements now include continuity of operations, or COOPS.
"As part of COOPS, our focus is two-fold. First, the PUC wants to know businesses are prepared in advance for a disaster. The PUC wants to make sure telcos understand the role the PUC plays in the event of an emergency, so that telcos know how the PUC will support their organizations.
"Second is an emphasis on reporting outages," he continued. "In the past, it could take from five or six hours, or even up to 24 hours, for the PUC to receive news of services outages. The PUC now wants to know within one hour. The State Emergency Office is staffed 24/7 to support this and it's believed that their ability to gather timely information will play a critical role in allowing the government to spot potentially dangerous trends.
"The PUC also instituted a new function--the Office of Utility Security," Taratus added. "This office has the responsibility of dealing with in-depth questions utilities have about how to manage an emergency event, and it works with companies to help them establish a detailed plan for both physical plant and cyber vulnerability assessment."
Bruce Bohnsack, general manager of Germantown Telephone Co. (Germantown, N.Y) said, "Germantown's had a disaster recovery plan, but it was developed primarily to address natural disasters. The push by the New York PUC to become prepared for pandemic events has lead the organization to create a business continuity plan. Unlike the disaster recovery plan, the BCP looks at human resources.
"Over the last six months, Germantown has focused on documenting job tasks so that, with assistance from a manager, even a new hire could assume duties in a shorter period of time," he said. "The company is also looking at making sure people have the capability to work from home in case the office had to be shut down for a period. Since all 20 of the company's employees work out of the main office, the company is documenting what duties would be, how trouble reports would be picked up and how to respond to service outages in case remote working was instated."
Valley Telephone Cooperative (Raymondville, Texas) Human Resource Director Roy Shennenman helped his company develop both the business continuity and disaster recovery plans.
"The disaster recovery plan, which Valley Telephone calls an emergency operation plan, focuses on plant operations," he said. "It's used when hurricanes blow through and it details what to do, who's included, how to deal with service interruptions and how to evaluate for insurance.
"The business continuity plans focus more on the work force resiliency and how to keep the office running apart from physical plant issues. It identifies temporary succession plans, and the plans for taking care of employees in crisis situations. This includes how the company will provide employees time to take care of personal needs," Shennenman said.
For telcos that have yet to develop a BCP, Lisa Schweitzer, National Telecommunications Cooperative Association (NTCA) vice president of finance and internal operations shared, "When NTCA developed its BCP, we learned from our consultant that 80% of small businesses that had operated without a continuity plan and experienced a significant business interruption, went out of business within five years of the detrimental event. BCP enhances a company's ability to recover from financial losses, regulatory fines, loss of market share and damages to equipment or business interruptions."
Developing a business continuity plan
Though the content of a BCP varies by organization, developing a plan is generally a three-phased process that includes project development, business impact analysis and risk assessment, and contingency planning/testing/training.
Phase I: Project development
The project development phase identifies the primary person spearheading the plan's development and other key contributors. Senior management support and participation in the project is highly recommended.
The project leader may be someone internal to the operation who has the capacity to take on the job, or the company may elect to hire an outside specialist. According to Striedl, most small companies have a tough time financially justifying the use of a consultant for the project. Instead, these companies elect to become educated enough to tackle the project on their own. (See sidebar for tips on where to locate resources.)
Once the team is assembled, it is helpful if a general awareness memo is distributed to all staff. This memo can present an overview of the project and explain that each business area will be asked to contribute information.
The most time-intensive part of phase one typically is defining the purpose and scope of the plan, the stakeholders and the interests that will be addressed. These parameters often are defined by the amount of risk management businesses are willing to assume based on budgetary considerations.
To illustrate, Schweitzer shared that the purpose of NTCA's BCP is to plan for what has been predefined as the most dramatic interruption scenarios, and provide measures applicable to the level of resolution. Stakeholders in the plan include NTCA member companies and the NTCA staff and community. The association identified the key high-level needs for each of these groups. The plan's assumptions include needing access to backed-up software applications and data files, the availability of emergency work sites as established by vendor contracts and access to the BCP.
Phase II: Business impact analysis (BIA) and risk assessment
Input from each business unit is collected during this phase. This input identifies any standards or regulations that must be upheld in emergency situations. Each business unit describes and prioritizes its tasks, and identifies the resources needed to perform the highest priority tasks. To help determine priorities, tasks typically are evaluated based on the recovery time objective (RTO). The RTO is the time goal for the reestablishment and recovery of business functions or resources. Armed with each business unit's input, the planning team's next job is to compile the tasks into a global priority list.
"A common deficiency in BCPs is improper RTO prioritization," Striedl said. "To avoid this, it's important for the planning group to take into account inter-dependencies and economies of scale. For example, some call center functions might require an RTO of a few minutes, but many other intradepartmental functions can be delayed for a day, week or even a month. Planners need to evaluate if an entire department must be restored, or just a critical process within that department.
"Overly stringent RTOs can place an organization at risk by over-obligating resources, and that can result in unnecessary expense," he said. "Having senior management validate the priorities can help ensure recovery priorities versus the risk/benefit are acceptable."
Because most businesses rely on suppliers, third-party risk analysis should not be overlooked. At least once a year, critical suppliers should be contacted to determine how quickly goods or services can be provided in a disaster situation. Telcos should allow for situations in which local suppliers may be operating under emergency conditions, since there is a potential for both companies to be impacted by the same event.
Area-wide damage is something well known to Patricia Knapp, president of Crown Point Telephone Corp. (Crown Point, N.Y.). This spring, the telco was part of a declared disaster area due to flooding.
"While Crown Point is prepared for most conditions it might face, the local telephone association is part of the emergency call list," she said. "They have been great in helping us obtain necessary resources in emergency situations."
Phase III: Contingency planning, testing and training
The final phase of continuity planning involves developing recovery strategies, and testing and training plans. Striedl cautioned that there are several pitfalls to avoid.
"A common mistake at this stage is developing recovery strategies that are inconsistent with BIA findings," said Striedl. "For example, if there is a defined RTO of two hours for a critical IT system, and the recovery strategy is a drop-ship solution that requires 24 hours for delivery, it's not a viable recovery strategy. Planners must remember RTOs are the driver and should be used to validate that the recovery strategy is appropriate and suitable.
"It's also common for planners to identify the location for IT recovery, but fail to address alternate workspace for other business units and supporting functions," he said.
Teleworking or telecommuting programs can be established for emergency situations. Telcos may want to look to companies like SunGard Availability Services and TeleContinuity for help in establishing emergency resolutions. SunGard Availability Services, used by NTCA, provides end-to-end solutions and ready-to-use alternate work sites. While SunGard's support coverage is substantial, the company may not be able to provide service for some rural telcos.
TeleContinuity provides its customers with access to its Survivable Communication Network (patent pending). Founded in 2001, TeleContinuity's Survivable Communications Network went live in June 2004. According to the company's president, Roy Rinchot, TeleContinuity is working closely with Verizon and federal agencies to provide backup telecommunication services as part of the carrier's and government's continuity plans.
The TeleContinuity system moves calls freely between the public switched telephone network and the Internet. There are three ways to move a call: using a customer-unique toll free number, call-forwarding options provided by the carrier or using local number porting. In the event that operations are relocated in an emergency, regardless of the calling area to which the company has relocated, the fee per-line solution provides phone number portability. There is no equipment to buy, additional staff or on-premise equipment involved.
"As part of the service agreement, every number that's covered is allowed 10 activations per year to allow people to test their business continuity systems," Pinchot said.
Of course, testing is an important, though often overlooked, aspect to business continuity planning.
"The time to find flaws in your plan is during testing, not during an emergency," Striedl said. "If you're not finding something that can be improved, you're probably not testing hard enough." He added that testing loss of staff scenarios is especially useful.
Taratus echoes Striedl's call for plan testing. He shared that his major area of concern about emergency preparedness is at the business level. He referred to a June 2006 AT & T press release that summarized the results of a survey the carrier conducted on business continuity and disaster recovery. The study showed that of the companies with plans in place, 40% reported not having tested their plan in the past 12 months. Streidl offered two other general tips about BCPs. First, make sure the plan clearly defines an incident management team. This is the team that will manage the emergency from a strategic perspective, and provide direction for recovery teams. Second, ensure the BCP is user-friendly. He stated that documents used to develop the plan don't need to be included in the plan, because having to wade through them in an emergency can be a hindrance. Ideal plans contain brief, clear instructions; contact lists with current phone numbers; and checklists.
The time is now
Recent world events have brought greater awareness of the breadth of risks that can threaten day-to-day business. Companies wisely are preparing for worst-case situations with BCPs by protecting their operations, employees, profits and future. They are extending beyond the traditional plans for disaster recovery, which typically focused on recovery from a natural disaster, and establishing plans to respond to the likes of terrorism, cyber-invasions and pandemics. With the aide of professional consultants, Internet resources and industry associations, telcos can develop robust plans to maintain business as usual.
Anna Henry is a freelance writer. She can be reached at email@example.com.
RELATED ARTICLE: Need Help Planning?
Those spearheading the development of a company continuity plan need not reinvent the wheel. Useful tools abound, such as those listed below. Because these sites provide a vast array of information on business continuity planning, directions to particularly useful information are provided also. (Editors' note: This is in no way a comprehensive list or an NTCA endorsement of services.)
Templates & Checklists
Having a model business continuity plan is often a helpful starting point, particularly for novice planners. Below are links to templates and useful checklists.
* Continuity Central -- www.continuitycentral.com
Promoted as a one-stop resource for business continuity information, the site provides a business continuity planning model located at www.drj.com/new2dr/model/bcmodel.htm.
* IBM Global Services
For telcos that need help assessing workforce needs for contingency planning, "In the spotlight: the human side of business continuity planning" is likely to help. For more direct access to this paper, visit www-l.ibm.com/services/us/imc/html/workforce-continuity.html?ca=cio2&re=bcrs and click on the link under the heading "Are you prepared?" Although registration is required to receive this free white paper, immediate access to the June 2006 publication is provided.
* READY Business -- www.ready.gov/business
A site published by the U.S. Department of Homeland Security, a sample business continuity plan is provided at www.ready.gov/business/_downloads/sampleplan.pdf.
Networking opportunities are always a great way to learn what to include and what to avoid when pulling together a business continuity plan. While NTCA and local trade associations can help, these associations are focused on addressing the needs of the planner. Even if the planner is not interested in membership, these sites offer helpful resources.
* Association of Contingency Planners -- www.acp-international.com
This site offers a 47-page document called "Open for Business[TM]. "Available at www.acpinternational.com/IBHS/OpenForBusiness-ACP.pdf, the document provides a disaster planning tool kit tailored to the small and mid-sized business owner.
* Business Continuity Institute (BCI) -- www.thebci.org
This BCI is a UK-based organization. This site contains information and resources for both the business continuity novice and expert.
* DRI International -- www.drii.org
Founded in 1988 as the Disaster Recovery Institute, DRI International's mission is to develop a base of knowledge in contingency planning and the management of risk, a rapidly growing profession. This organization offers classes for those interested in becoming a certified business continuity professional.
Trade magazines, Shows & Seminars
Since business continuity plans are never really done; they should be updated at least annually. Trade magazines offer a means of learning how plans can be improved. Most of the publications provide information about tradeshows and seminars, which can be a valuable source of education.
* Continuity Insights -- www.continuityinsights.com
Targeted at senior-level managers, this magazine addresses the corporate-wide priorities that mandate the need for continuity planning at the highest levels of the organization. Also, the magazine organizes an annual conference.
* Contingency Planning and Management Magazine -- www.contingencyplanning.com
A good resource for learning about technology, products, services, management strategies and upcoming seminars and tradeshows.
* Disaster Recovery Journal (DRJ) -- www.drj.com/
At the site of this trade journal, check out www.drj.com/new2dr/samples.htm for sample plans, outlines and other plan writing resources. DRJ sponsors the largest conference on business continuity planning.
RELATED ARTICLE: Six Key Elements of a Business Continuity Plan
Introduction -- a brief explanation of how to use document
Contact information -- explains how to pull the incident command team together and provides call trees and phone numbers for vendors, clients and other critical contacts
Recovery strategies -- critical task/activity checklists covering resources required for reestablishing operations, a human resource recovery strategy, information technology recovery, team communication plan and public relations plan
Resource requirements -- provides a checklist of what needs to be obtained, how many, by when and by whom
Vital records -- includes a listing of off-site storage items and their location addresses, floor plans, contracts, insurance policies, etc.
Exhibits -- useful documents such as directions to alternate sites, forms, cross-training matrix, and reference materials or location of operations manuals for each department (in the event that the workforce for a particular department has been impacted