Preparing for the unknown: developing a business continuity plan.In the wake of September 11, 2001, security measures Noun 1. security measures - measures taken as a precaution against theft or espionage or sabotage etc.; "military security has been stepped up since the recent uprising"
security have taken on a new level of importance. Terrorism, combined with other threats such as bird flu bird flu: see influenza.
or avian influenza
viral respiratory disease, mainly of birds including poultry and waterbirds but also transmissible to humans. pandemic pandemic /pan·dem·ic/ (pan-dem´ik)
1. a widespread epidemic of a disease.
2. widely epidemic.
Epidemic over a wide geographic area.
n. , have given businesses a reason to consider their reaction to such events. Will business continue in the event of a disaster? How? Business continuity planning Business Continuity Planning (BCP) is an interdisciplinary peer mentoring methodology used to create and validate a practiced logistical plan for how an organization will recover and restore partially or completely interrupted critical function(s) within a predetermined is a strategic measure telcos can take to ensure their businesses continue to operate in the worst situations so that they might remain viable and profitable in the future.
Disaster recovery vs. continuity planning
Certified See certification. business continuity planner, Paul Striedl, chairman of the board and chief executive officer of the Association of Contingency Planners, asserts that many disaster recovery plans are developed based on the assumption that the facility and technology will be knocked out, but that staff will evacuate e·vac·u·ate
1. To empty or remove the contents of.
2. To excrete or discharge waste matter, especially of the bowels. safely.
"Recent events have challenged this assumption and have spurred the growth of business continuity planning," Striedl said. "Business continuity plans [BCPs] typically make preparations for one or more of four types of calamities--loss of facility or access to it, loss of IT [information technology], loss of people or loss of supply chain.
"While there's no universally agreed upon Adj. 1. agreed upon - constituted or contracted by stipulation or agreement; "stipulatory obligations"
noncontroversial, uncontroversial - not likely to arouse controversy definition of a BCP BCP Best Current Practice(s)
BCP Business Continuity Planning
BCP Business Continuity Plan
BCP Book of Common Prayer
BCP Banco Comercial Português
BCP Bureau of Consumer Protection (US Federal Trade Commission) , these plans address all the requirements essential to keeping the business running," he continued. "It sets out clear roles and responsibilities, provides contingency plans A plan involving suitable backups, immediate actions and longer term measures for responding to computer emergencies such as attacks or accidental disasters. Contingency plans are part of business resumption planning. to keep key business activities active in difficult situations and details procedures to keep employees safe while reinstating services."
New York New York, state, United States
New York, Middle Atlantic state of the United States. It is bordered by Vermont, Massachusetts, Connecticut, and the Atlantic Ocean (E), New Jersey and Pennsylvania (S), Lakes Erie and Ontario and the Canadian province of is leading the charge in helping telecommunications companies See telecom company. prepare to maintain operations in adverse conditions. Dennis Taratus, chief of network reliability in the Telecommunications Office of the New York Public Utility Commission (PUC (Public Utility Commission) A regulatory body in every state in the U.S. that governs public utilities within its jurisdiction such as electricity, gas, oil, sewer, water, transportation and telephone service. Some states call it the Public Service Commission (PSC). ) said, "Commission rules and regulation have required the state to provide an emergency plan. Since September 11, those requirements now include continuity of operations The degree or state of being continuous in the conduct of functions, tasks, or duties necessary to accomplish a military action or mission in carrying out the national military strategy. , or COOPS COOPS Center for Operational Oceanographic Products and Services .
"As part of COOPS, our focus is two-fold. First, the PUC wants to know businesses are prepared in advance for a disaster. The PUC wants to make sure telcos understand the role the PUC plays in the event of an emergency, so that telcos know how the PUC will support their organizations.
"Second is an emphasis on reporting outages," he continued. "In the past, it could take from five or six hours, or even up to 24 hours, for the PUC to receive news of services outages. The PUC now wants to know within one hour. The State Emergency Office is staffed 24/7 to support this and it's believed that their ability to gather timely information will play a critical role in allowing the government to spot potentially dangerous trends.
"The PUC also instituted a new function--the Office of Utility Security," Taratus added. "This office has the responsibility of dealing with in-depth questions utilities have about how to manage an emergency event, and it works with companies to help them establish a detailed plan for both physical plant and cyber (1) From "cybernetics," it is a prefix attached to everyday words to add a computer, electronic or online connotation. The term is similar to "virtual," but the latter is used more frequently. See virtual. vulnerability assessment A Department of Defense, command, or unit-level evaluation (assessment) to determine the vulnerability of a terrorist attack against an installation, unit, exercise, port, ship, residence, facility, or other site. ."
Bruce Bohnsack, general manager of Germantown Telephone Co. (Germantown, N.Y) said, "Germantown's had a disaster recovery plan, but it was developed primarily to address natural disasters. The push by the New York PUC to become prepared for pandemic events has lead the organization to create a business continuity plan. Unlike the disaster recovery plan, the BCP looks at human resources The fancy word for "people." The human resources department within an organization, years ago known as the "personnel department," manages the administrative aspects of the employees. .
"Over the last six months, Germantown has focused on documenting job tasks so that, with assistance from a manager, even a new hire could assume duties in a shorter period of time," he said. "The company is also looking at making sure people have the capability to work from home in case the office had to be shut down for a period. Since all 20 of the company's employees work out of the main office, the company is documenting what duties would be, how trouble reports would be picked up and how to respond to service outages in case remote working was instated."
Valley Telephone Cooperative (Raymondville, Texas Raymondville is a city in Willacy County, Texas, United States. The population was 9,733 at the 2000 census. It is the county seat of Willacy CountyGR6. ) Human Resource Director Roy Shennenman helped his company develop both the business continuity and disaster recovery plans.
"The disaster recovery plan, which Valley Telephone calls an emergency operation plan, focuses on plant operations," he said. "It's used when hurricanes blow through and it details what to do, who's included, how to deal with service interruptions and how to evaluate for insurance.
"The business continuity plans focus more on the work force resiliency and how to keep the office running apart from physical plant issues. It identifies temporary succession plans, and the plans for taking care of employees in crisis situations. This includes how the company will provide employees time to take care of personal needs," Shennenman said.
For telcos that have yet to develop a BCP, Lisa Schweitzer, National Telecommunications Cooperative Association (NTCA NTCA National Telecommunications Cooperative Association
NTCA National Telephone Cooperative Association
NTCA National Tile Contractors Association
NTCA National Token Collectors Association
NTCA Northern Territory Cattlemen's Association ) vice president of finance and internal operations shared, "When NTCA developed its BCP, we learned from our consultant that 80% of small businesses that had operated without a continuity plan and experienced a significant business interruption, went out of business within five years of the detrimental event. BCP enhances a company's ability to recover from financial losses, regulatory fines, loss of market share and damages to equipment or business interruptions."
Developing a business continuity plan
Though the content of a BCP varies by organization, developing a plan is generally a three-phased process that includes project development, business impact analysis and risk assessment, and contingency planning/testing/training.
Phase I: Project development
The project development phase identifies the primary person spearheading the plan's development and other key contributors. Senior management support and participation in the project is highly recommended.
The project leader may be someone internal to the operation who has the capacity to take on the job, or the company may elect to hire an outside specialist. According to according to
1. As stated or indicated by; on the authority of: according to historians.
2. In keeping with: according to instructions.
3. Striedl, most small companies have a tough time financially justifying the use of a consultant for the project. Instead, these companies elect to become educated enough to tackle the project on their own. (See sidebar (1) A Windows Vista desktop panel that holds mini applications (gadgets) such as a calendar, calculator, stock ticker and Vonage phone dialer. It is the Windows counterpart to the Dashboard in the Mac. See Windows Vista and gadget. for tips on where to locate resources.)
Once the team is assembled, it is helpful if a general awareness memo is distributed to all staff. This memo can present an overview of the project and explain that each business area will be asked to contribute information.
The most time-intensive part of phase one typically is defining the purpose and scope of the plan, the stakeholders Stakeholders
All parties that have an interest, financial or otherwise, in a firm-stockholders, creditors, bondholders, employees, customers, management, the community, and the government. and the interests that will be addressed. These parameters often are defined by the amount of risk management businesses are willing to assume based on budgetary considerations.
To illustrate, Schweitzer shared that the purpose of NTCA's BCP is to plan for what has been predefined as the most dramatic interruption scenarios, and provide measures applicable to the level of resolution. Stakeholders in the plan include NTCA member companies and the NTCA staff and community. The association identified the key high-level needs for each of these groups. The plan's assumptions include needing access to backed-up software applications and data files, the availability of emergency work sites as established by vendor contracts and access to the BCP.
Phase II: Business impact analysis (BIA BIA
Bureau of Indian Affairs ) and risk assessment
Input from each business unit is collected during this phase. This input identifies any standards or regulations that must be upheld in emergency situations. Each business unit describes and prioritizes its tasks, and identifies the resources needed to perform the highest priority tasks. To help determine priorities, tasks typically are evaluated based on the recovery time objective (RTO (Recovery Time Objective) The amount of time a computer system or application can stop functioning before it is considered intolerable to the enterprise. It can be computed to be from seconds to days, depending on how critical the application is to the organization. ). The RTO is the time goal for the reestablishment and recovery of business functions or resources. Armed with each business unit's input, the planning team's next job is to compile the tasks into a global priority list.
"A common deficiency in BCPs is improper RTO prioritization," Striedl said. "To avoid this, it's important for the planning group to take into account inter-dependencies and economies of scale. For example, some call center functions might require an RTO of a few minutes, but many other intradepartmental functions can be delayed for a day, week or even a month. Planners need to evaluate if an entire department must be restored, or just a critical process within that department.
"Overly stringent RTOs can place an organization at risk by over-obligating resources, and that can result in unnecessary expense," he said. "Having senior management validate the priorities can help ensure recovery priorities versus the risk/benefit are acceptable."
Because most businesses rely on suppliers, third-party risk analysis should not be overlooked. At least once a year, critical suppliers should be contacted to determine how quickly goods or services can be provided in a disaster situation. Telcos should allow for situations in which local suppliers may be operating under emergency conditions, since there is a potential for both companies to be impacted by the same event.
Area-wide damage is something well known to Patricia Knapp, president of Crown Point Telephone Corp. (Crown Point, N.Y.). This spring, the telco was part of a declared disaster area due to flooding.
"While Crown Point is prepared for most conditions it might face, the local telephone association is part of the emergency call list," she said. "They have been great in helping us obtain necessary resources in emergency situations."
Phase III Noun 1. phase III - a large clinical trial of a treatment or drug that in phase I and phase II has been shown to be efficacious with tolerable side effects; after successful conclusion of these clinical trials it will receive formal approval from the FDA : Contingency planning, testing and training
The final phase of continuity planning involves developing recovery strategies, and testing and training plans. Striedl cautioned that there are several pitfalls to avoid.
"A common mistake at this stage is developing recovery strategies that are inconsistent with BIA findings," said Striedl. "For example, if there is a defined RTO of two hours for a critical IT system, and the recovery strategy is a drop-ship solution that requires 24 hours for delivery, it's not a viable recovery strategy. Planners must remember RTOs are the driver and should be used to validate that the recovery strategy is appropriate and suitable.
"It's also common for planners to identify the location for IT recovery, but fail to address alternate workspace for other business units and supporting functions," he said.
Teleworking or telecommuting telecommuting, an arrangement by which people work at home using a computer and telephone, transmitting work material to a business office by means of a modem and telephone lines; it is also known as telework. programs can be established for emergency situations. Telcos may want to look to companies like SunGard Availability Services and TeleContinuity for help in establishing emergency resolutions. SunGard Availability Services, used by NTCA, provides end-to-end solutions (jargon) end-to-end solution - (E2ES) A term that suggests that the supplier of an application program or system will provide all the hardware and/or software components and resouces to meet the customer's requirement and no other supplier need be involved.
Compare: turn-key solution. and ready-to-use alternate work sites. While SunGard's support coverage is substantial, the company may not be able to provide service for some rural telcos.
TeleContinuity provides its customers with access to its Survivable sur·viv·a·ble
1. Capable of surviving: survivable organisms in a hostile environment.
2. That can be survived: a survivable, but very serious, illness. Communication Network (patent pending). Founded in 2001, TeleContinuity's Survivable Communications Network The transmission channels interconnecting all client and server stations as well as all supporting hardware and software. went live in June 2004. According to the company's president, Roy Rinchot, TeleContinuity is working closely with Verizon and federal agencies to provide backup telecommunication services as part of the carrier's and government's continuity plans.
The TeleContinuity system moves calls freely between the public switched telephone network and the Internet. There are three ways to move a call: using a customer-unique toll free number, call-forwarding options provided by the carrier or using local number porting. In the event that operations are relocated re·lo·cate
v. re·lo·cat·ed, re·lo·cat·ing, re·lo·cates
To move to or establish in a new place: relocated the business.
v.intr. in an emergency, regardless of the calling area to which the company has relocated, the fee per-line solution provides phone number portability See NP. . There is no equipment to buy, additional staff or on-premise equipment involved.
"As part of the service agreement, every number that's covered is allowed 10 activations per year to allow people to test their business continuity systems," Pinchot said.
Of course, testing is an important, though often overlooked, aspect to business continuity planning.
"The time to find flaws in your plan is during testing, not during an emergency," Striedl said. "If you're not finding something that can be improved, you're probably not testing hard enough." He added that testing loss of staff scenarios is especially useful.
Taratus echoes Striedl's call for plan testing. He shared that his major area of concern about emergency preparedness pre·par·ed·ness
The state of being prepared, especially military readiness for combat.
Noun 1. preparedness - the state of having been made ready or prepared for use or action (especially military action); "putting them is at the business level. He referred to a June 2006 AT & T press release that summarized the results of a survey the carrier conducted on business continuity and disaster recovery. The study showed that of the companies with plans in place, 40% reported not having tested their plan in the past 12 months. Streidl offered two other general tips about BCPs. First, make sure the plan clearly defines an incident management team. This is the team that will manage the emergency from a strategic perspective, and provide direction for recovery teams. Second, ensure the BCP is user-friendly. He stated that documents used to develop the plan don't need to be included in the plan, because having to wade through them in an emergency can be a hindrance hin·drance
a. The act of hindering.
b. The condition of being hindered.
2. One that hinders; an impediment. See Synonyms at obstacle. . Ideal plans contain brief, clear instructions; contact lists with current phone numbers; and checklists.
The time is now
Recent world events have brought greater awareness of the breadth of risks that can threaten day-to-day business. Companies wisely are preparing for worst-case situations with BCPs by protecting their operations, employees, profits and future. They are extending beyond the traditional plans for disaster recovery, which typically focused on recovery from a natural disaster, and establishing plans to respond to the likes of terrorism, cyber-invasions and pandemics. With the aide of professional consultants, Internet resources and industry associations, telcos can develop robust plans to maintain business as usual.
Anna Henry is a freelance writer. She can be reached at firstname.lastname@example.org.
RELATED ARTICLE: Need Help Planning?
Those spearheading the development of a company continuity plan need not reinvent the wheel (jargon) reinvent the wheel - To design or implement a tool equivalent to an existing one or part of one, with the implication that doing so is silly or a waste of time. This is often a valid criticism. . Useful tools abound, such as those listed below. Because these sites provide a vast array of information on business continuity planning, directions to particularly useful information are provided also. (Editors' note: This is in no way a comprehensive list or an NTCA endorsement of services.)
Templates & Checklists
Having a model business continuity plan is often a helpful starting point Noun 1. starting point - earliest limiting point
terminus a quo
commencement, get-go, offset, outset, showtime, starting time, beginning, start, kickoff, first - the time at which something is supposed to begin; "they got an early start"; "she knew from the , particularly for novice planners. Below are links to templates and useful checklists.
* Continuity Central -- www.continuitycentral.com
Promoted as a one-stop resource for business continuity information, the site provides a business continuity planning model located at www.drj.com/new2dr/model/bcmodel.htm.
* IBM Global Services IBM Global Services is the world's largest business and technology services provider. It is the fastest growing part of IBM, with over 190,000 professionals serving customers in more than 160 countries.
For telcos that need help assessing workforce needs for contingency planning, "In the spotlight: the human side of business continuity planning" is likely to help. For more direct access to this paper, visit www-l.ibm (International Business Machines Corporation, Armonk, NY, www.ibm.com) The world's largest computer company. IBM's product lines include the S/390 mainframes (zSeries), AS/400 midrange business systems (iSeries), RS/6000 workstations and servers (pSeries), Intel-based servers (xSeries) .com/services/us/imc/html/workforce-continuity.html?ca=cio2&re=bcrs and click on the link under the heading "Are you prepared?" Although registration is required to receive this free white paper, immediate access to the June 2006 publication is provided.
* READY Business -- www.ready.gov/business
A site published by the U.S. Department of Homeland Security Noun 1. Department of Homeland Security - the federal department that administers all matters relating to homeland security
executive department - a federal department in the executive branch of the government of the United States , a sample business continuity plan is provided at www.ready.gov/business/_downloads/sampleplan.pdf.
Networking opportunities are always a great way to learn what to include and what to avoid when pulling together a business continuity plan. While NTCA and local trade associations can help, these associations are focused on addressing the needs of the planner. Even if the planner is not interested in membership, these sites offer helpful resources.
* Association of Contingency Planners -- www.acp-international.com
This site offers a 47-page document called "Open for Business[TM]. "Available at www.acpinternational.com/IBHS/OpenForBusiness-ACP.pdf, the document provides a disaster planning disaster planning - disaster recovery tool kit tailored to the small and mid-sized business owner.
* Business Continuity Institute (BCI BCI Bat Conservation International
BCI Brain-Computer Interface
BCI Business Continuity Institute
BCI Business Cycle Indicators
BCI Banco de Credito e Inversiones (Chilean bank)
BCI Bell Canada International ) -- www.thebci.org
This BCI is a UK-based organization. This site contains information and resources for both the business continuity novice and expert.
* DRI See Digital Research. International -- www.drii.org
Founded in 1988 as the Disaster Recovery Institute, DRI International's mission is to develop a base of knowledge in contingency planning and the management of risk, a rapidly growing profession. This organization offers classes for those interested in becoming a certified business continuity professional.
Trade magazines, Shows & Seminars
Since business continuity plans are never really done; they should be updated at least annually. Trade magazines offer a means of learning how plans can be improved. Most of the publications provide information about tradeshows and seminars, which can be a valuable source of education.
* Continuity Insights -- www.continuityinsights.com
Targeted at senior-level managers, this magazine addresses the corporate-wide priorities that mandate the need for continuity planning at the highest levels of the organization. Also, the magazine organizes an annual conference.
* Contingency Planning and Management Magazine -- www.contingencyplanning.com
A good resource for learning about technology, products, services, management strategies and upcoming seminars and tradeshows.
* Disaster Recovery Journal (DRJ) -- www.drj.com/
At the site of this trade journal, check out www.drj.com/new2dr/samples.htm for sample plans, outlines and other plan writing resources. DRJ sponsors the largest conference on business continuity planning.
RELATED ARTICLE: Six Key Elements of a Business Continuity Plan
Introduction -- a brief explanation of how to use document
Contact information -- explains how to pull the incident command team together and provides call trees and phone numbers for vendors, clients and other critical contacts
Recovery strategies -- critical task/activity checklists covering resources required for reestablishing operations, a human resource recovery strategy, information technology recovery, team communication plan and public relations public relations, activities and policies used to create public interest in a person, idea, product, institution, or business establishment. By its nature, public relations is devoted to serving particular interests by presenting them to the public in the most plan
Resource requirements The components of a system that are required by software or hardware. It refers to resources that have finite limits such as memory and disk. In a PC, it may also refer to the resources required to install a new peripheral device, namely IRQs, DMA channels, I/O addresses and memory -- provides a checklist of what needs to be obtained, how many, by when and by whom
Vital records -- includes a listing of off-site storage items and their location addresses, floor plans, contracts, insurance policies, etc.
Exhibits -- useful documents such as directions to alternate sites, forms, cross-training matrix, and reference materials or location of operations manuals for each department (in the event that the workforce for a particular department has been impacted