In late August, before Hurricane Katrina roared through the Gulf Coast, flooding 80% of New Orleans and causing one of the worst natural disasters in U.S. history, it landed in South Florida. In its path was AlphaStaff Inc., a midmarket provider of benefits and payroll services, whose Boca Raton headquarters were forced to close for 24 hours.
AlphaStaff had been through this upheaval before. Hurricanes shut down the Boca Raton office four times last year. Each storm knocked out the e-mail system customers used to send payroll and other critical information to AlphaStaff headquarters. While the company already had a business continuity plan in place, it didn't include "ancillary systems" such as e-mail. As a result, customers and users had to use alternate e-mail accounts or transfer files over the Web when a hurricane shut down headquarters. After the fourth hurricane, CTO Ralph Labarta and Director of IT Jack Rahner decided it was time for a more comprehensive approach.
With Katrina, AlphaStaff was ready. Last year, it developed a business continuity plan that for the first time included replicating critical data from its Exchange e-mail servers in Boca Raton to its data center in Atlanta. Using the OneSwitch for Exchange service from MessageOne Inc., a business continuity software and services vendor in Austin, Texas, AlphaStaff provided both failover and failback with the Atlanta servers for its headquarters Exchange e-mail system. As a result, customers and AlphaStaff employees in other offices were able to continue sending critical information over their regular e-mail accounts. (Failover occurs when a secondary server takes over after a primary server has failed; when the primary server comes back online, the failback capability kicks in, relieving the secondary server of its duties.)
Driven by the threat of everything from hurricanes to hackers -- not to mention terrorist attacks and waves of data protection regulations -- more midmarket companies are developing business continuity plans. Some develop plans themselves, while others use a wide range of applications known as business continuity planning software. Such applications provide everything from specialized algorithms for ranking an organization's critical assets to automated systems that redial every affected employee's phone until an emergency message gets through.
Defining Recovery
Are you creating a plan for disaster recovery, business continuity or information availability? The level of planning you choose depends on your budget and how long your organization can survive a business interruption.
Disaster recovery typically refers to an organization's plans for protecting its IT infrastructure during a disaster and returning it quickly to operation afterward. In this case, infrastructure refers primarily to servers and databases. Protecting these components involves measures such as replicating databases, having remote backup sites and maintaining backup sites where the equipment can operate.
Business continuity goes further, including everything beyond IT needed to keep the business going. This may include telephones; alternate sites for employees; and procedures for keeping in touch with employees, customers and suppliers if regular lines of communication are cut. "We found out in 9/11 that you can have the data survive, but unless we look at maintaining the rest of the company around it, that can be pretty cold comfort," says Kristen Noakes-Fry, a research director at Gartner Inc.
SunGard Availability Services, a business unit of SunGard, a business continuity company based in Wayne, Pa., describes a third level called "information availability," which ensures that business can continue as effectively as possible even in the face of everyday problems such as storms, strikes or breaches of corporate data security.
From Disaster Recovery to Business Continuity
Business continuity software has its roots in the disaster recovery procedures developed by IT organizations since the earliest mainframe days. Back then, disaster recovery efforts were designed to ensure that critical data was backed up in case of a physical disaster and that the mainframe and its data could be quickly restored. In the years since, and especially since the Web made information systems a critical business asset, disaster recovery has evolved into business continuity planning to include all the systems and processes (such as phones and alternate work sites) needed to keep the business operating (see "Defining Recovery," above).
Today, business continuity planning software ranges from low-end packages that provide little more than a checklist of IT assets and procedures for a few hundred dollars to top-of-the-line packages that start at $15,000 for a single-user license (and can cost $100,000 or more for an enterprise license). The latter might allow all users in the company to access a vendor-hosted copy of the business continuity plan from which they receive specific, task-based instructions and operational reports, for example.
Along with forms or an interface to enter information about an organization's resources, most packages provide a way to calculate the criticality of each asset for the enterprise. Software from ContingenZ Corp., a business continuity consultancy and software firm in Playa del Rey, Calif., for example, asks customers to numerically rank the importance of each employee, business system, customer or business process. It then compares the importance of these resources with the organization's current IT and business recovery infrastructure and produces a gap analysis detailing the steps the organization must take to put an effective continuity plan in place.
Such a plan might include everything from a call tree to alert employees, customers and suppliers in the event of an emergency to the names, addresses and locations of remote sites to which critical data has been mirrored. In addition, the plan might contain details about the procedures for making those backup sites operational. Indeed, one of the biggest benefits of such software is not that it offers any major new insight into what organizations need to do to keep running, but rather that it reminds CIOs of details they might overlook. In effect, the software can help CIOs organize continuity information in one place and update that information relatively easily.
The leaders in the business continuity planning software market are Strohl Systems Group Inc. in King of Prussia, Pa., and SunGard, based in Wayne, Pa., which also runs disaster recovery sites, says Kristen Noakes-Fry, a research director at Gartner Inc., a research firm in Stamford, Conn. Another business continuity planning application is the Disaster Recovery System (DRS), which grew out of the planning process used by contingency planning consultants in the early 1980s. DRS is now a Web-based business continuity package sold by TAMP Computer Systems Inc. in Merrick, N.Y., which also provides consulting services.
If satellite pictures of hurricanes don't get CIOs thinking about business continuity, reams of regulations enacted because of events such as the 9/11 terrorist attacks should. Government or private organizations in industries from health care to financial services require CIOs to have plans for safeguarding critical financial or customer information, making continuity planning even more important.
For example, the Governmental Accounting Standards Board requires a business continuity plan for all government entities that operate utilities "to ensure that agency mission continues in a time of crisis," says Noakes-Fry. The Federal Financial Institutions Examination Council holds directors and managers of financial firms accountable for contingency planning and, in the words of the council's mandates, "for timely resumption of operations in the event of a disaster." For health care providers, the Health Insurance Portability and Accountability Act of 1996 mandates data backup, disaster recovery and emergency mode operation plans.
Even when a regulation or a high threat level doesn't specifically require a company to have a data backup or business continuity plan, insurers or lenders may insist on such plans before extending coverage or credit to a company, says Noakes-Fry. "It's really part of due care" in running the business, she says.
While there's no decisive factor that determines whether or when a company should consider using software for its business continuity planning, companies in the midmarket have a newfound sense of urgency to use it.
Harris Nesbitt Corp., an investment banking firm with a 400-person New York office, which is part of the $265-billion BMO Financial Group based in Toronto, began looking for business continuity planning software over the past year in the face of "significant regulatory requirements for broker-dealers to come up with executable, robust recovery plans," says Tom Avansino, vice president of security and business planning. Regulations aside, Harris Nesbitt understands the effects of a disaster. From their offices, Avansino and other employees could see the South Tower under attack on 9/11.
For the American Trucking Association, a 225-person trade association with offices in Alexandria, Va., and on Capitol Hill, working near potential terrorist targets means the possibility of business interruption is "always on our minds," says John Charles Quinn, vice president and chief technology officer. He used business continuity planning software "as a mechanism for guiding and documenting" the development of his business continuity plan.
Everyone on Board
Ask a business continuity planner what his biggest challenge is, and the answer won't be hardware or software, but people: Getting everyone in the organization to contribute time and knowledge to help develop the plan.
"This isn't just an IT effort," says John Dunbar, CIO at EMS Technologies Inc., a manufacturer of wireless and other communications hardware. The plan will affect, and needs input from, other departments such as human resources, public relations, financial and legal, he says, "so they need to make sure to understand it."
"One of the most important things I learned was to get as many people on board as possible and stay in constant communication with each head of each department," says Dan Bullock, IT information security officer at the Bank of Whitman, a community bank in Colfax, Wash., with 150 employees and total assets of $400 million. "No one person will know what are the important, mission-critical items the bank needs to function correctly."
Busy as they are with their existing jobs, "nobody wants to do the preliminary work" of creating a business continuity plan, such as filling out questionnaires about assets and business processes, and ranking their importance to the company, says Gartner's Kristen Noakes-Fry. But requests to do so carry far more weight when the recipient knows the CEO is expecting the results, she says.
Software Is Just the Beginning
Organizations that invest in business continuity planning software won't get their money's worth if they don't get buy-in from the people who are supposed to use it. Many employees are too busy to give business continuity the attention it deserves. Getting input from users in every department within the business is crucial because employees are in the best position to know which information and systems are vital to keep the business up and running. But getting cooperation from employees is often the most difficult part of any business continuity project and typically requires senior-level involvement (see "Everyone on Board," above).
Given that many of the planning packages have the same basic features, customers say ease of creating the plan, changing it as conditions warrant and even finding the plan when a problem arises are the most important factors to consider when choosing a software package. The resulting plans also need to be easy to read and understand "by somebody who is not operating at 100%" because he's reeling from the effects of a disaster, adds Noakes-Fry.
As with any plan, "it's not effective if people don't use it -- and use it easily," says John Dunbar, CIO at EMS Technologies Inc., a $300-million manufacturer of wireless, satellite and defense communications hardware based in Norcross, Ga. The company used TAMP's DRS software and TAMP consultants to create, test and update its continuity plan.
Some vendors have taken pains to make their systems easy to use. For example, TAMP's DRS allows business users to enter information such as lists of key systems and key business processes using everyday Windows office productivity applications, and even provides a wizard-type interface that guides users through the data-gathering process. One of the main reasons the American Trucking Association's Quinn chose DRS, he says, "was that it worked so nicely and integrated so beautifully with Microsoft Office, which everyone here knows how to use." At Harris Nesbitt, the templates within DRS helped the company organize recovery and business continuity information that had previously been scattered among earlier plans, and they allowed the company to develop a new plan in about three months, says Avansino.
Users and analysts say it's important to make a single person accountable for the process to ensure that business continuity efforts stay fresh. And to succeed, that person must have the full backing of the business owner or senior management. "This is one of those things that can drag on for months if you don't really focus on it," says Dunbar.
In a true emergency, everyone will realize it was time well spent.