In 2005, an American broadband and telecommunications company faced a major service outage in Los Angeles, California. A computer system’s problem led to the corruption of the company’s main software services environment. Over 150,000 customers lost land-line, Internet and some mobile phone and 911 services. To make matters worse, the company’s back-up systems failed to deploy - forcing government officials to issue emergency broadcasts over a local radio station informing constituents of the problem. This case emphasizes the need for contingency plans and for regular tests of back-up systems after they have been put in place.Download an Insight
Over the past few years, disasters and emergencies have attracted much attention. From the disaster that did not occur - Y2K, to the attacks on the World Trade Center, the blackouts in 2003, to the Tsunami in 2004 and the Icelandic volcanic ash this year, it seems like a steady drumbeat of bad headlines have caught the world’s attention. Because of the negative impact that an expected or unexpected disaster creates, businesses are paying close attention to the issue of emergency preparedness.
Organizations and businesses of all sizes are increasingly realizing the need to create and implement a comprehensive Business Continuity Plan (BCP) that addresses the ever-widening list of threats to government services and commercial entities. The vendors, facilities and modes of communication, are all extremely vulnerable to threat.
For instance, a building fire can result in loss of life, property and information, disrupting the normal operations of the business. What needs to be a priority for organizations operating during a crisis today is a plan that helps avoid business outages automates and enables the rapid restoration of business processes. The crisis could range from natural disasters, to hardware and software corruption, asset theft, security breaches and more.
The 2009-10 Survey of Preparedness, Security and Crisis Communications Threats by Honeywell and Varolii Corporation indicates that businesses focus on data security and telecom failure/power outage still ranks high. This again points to the fact that among the disasters that grab business attention, Information Technology (IT) related risks are still a great source of worry.
Today, every bit of information is stored on computer networks and digital storage media. Most of it is accessible through the World Wide Web. The risks range from loss of information on a single laptop to disruption of the entire business.
Risk management activities from the IT contingency planning perspective have two primary functions. First, risk management should identify threats and vulnerabilities so that appropriate controls can be put into place to either prevent incidents from happening or to limit the effects of an incident. These security controls protect an IT system against three classifications of threats.
- Natural - Examples include hurricane, tornado, flood, and fire
- Human3 - Examples include operator error, sabotage, implant of malicious code, and terrorist attacks
- Environmental - Examples include equipment failure, software error, telecommunications network outage, and electric power failure.
Second, risk management should identify residual risks for which contingency plans must be put into place.
Because risks can vary over time and new risks may replace old ones as a system evolves, the risk management process must by ongoing and dynamic.That explains the great emphasis given to IT related risk in every industry. Take for instance, the finance industry. The role of technology here is strategic, as it encompasses all areas of a bank from its core operations to new distribution channels to Customer Relationship Management. Equally important is the need to meet regulatory requirements. Online banking, swift transfers, payments, and all the latest innovations are due to the technological progress and changes that have taken place.
Integrating all of these changes into both the enterprise, as well as the IT infrastructure, is the challenge faced by all major banking institutions today. Addressing these challenges by adopting BCP solutions will deliver substantial cost and efficiency benefits to the industry. Not addressing them could mean failure to keep pace with the changing face of the market and inability to foresee and tackle expected or unexpected risks. Because of all this, there is an increasing emphasis on banks and financial institutions to adopt BCP.
Consider this example. A major European Bank with six million customers worldwide, implemented a solution for a complete link redundancy as a part of the BCP plan. . This was implemented to support its critical Virtual Private Network (VPN) in its North American locations. The plan proved to be a life-saver for the bank as it could continue its operations smoothly even after one of the two Digital Subscriber Lines (DSL) lines went offline. If not for the BCP plan, it would have led to major disruptions in its operations and also loss in data storage, leave alone a tarnished brand image.
IT contingency planning thus refers to a coordinated strategy involving plans, procedures, and technical measures that enable the recovery of IT systems, operations, and data after a disruption. Contingency planning generally includes one or more of the approaches to restore disrupted IT services:
- Restoring IT operations at an alternate location
- Recovering IT operations using alternate equipment
- Performing some or all of the affected business processes using non-IT (manual) means (typically acceptable for only short-term disruptions).
Clearly, to resume operations in a timely manner, every organization must have a BCP plan to not only restart information systems but also to recover the entire business process flow ecosystem. This includes:
- Creating an established process for communication between all parties.
- Identifying alternate sources of supply that can rapidly be located to keep an enterprise’s operations normal, if the routine sources are unavailable.
- Identifying alternate sites or alternate approaches, if people cannot return to their work venues.
- Lining up alternate carriers, if a distribution centre is crippled, so that one doesn’t have to wait days or weeks to negotiate new terms and conditions for distribution.
- Helping to ensure that key operations are never disrupted in the first place.