CIOs' Business Continuity Plans Seen Falling Short
That's one of the key findings of a recent poll of 230 CIOs and other IT executives concerning business continuity planning, conducted by Gartner Inc.'s Executive Programs and SIM, the Society for Information Management.
The report identifies several positive changes in the way CIOs are planning for emergencies. For instance, many have raised their assumptions of how badly their IT systems or business operations could be damaged. They're also putting the details of corporate disaster plans in the hands of more than just a limited number of executives in case some are trapped out of country, or worse.
Both are good tactics to help a company get up and running in the wake of a disaster, says Chuck Tucker, vice president and research director of Gartner's Executive Programs who oversaw the survey.
But mainly, he says the survey finds that companies are focusing on the inexpensive tactics of updating their business continuity plans and running through new scenarios, rather than more costly initiatives that could better hedge against a disaster, such as moving their corporate headquarters out of urban areas or relocating data centers.
(In a notable exception, Morgan Stanley last week said it would move its headquarters and some trading operations out of New York City to suburban Westchester County, 25 miles from Manhattan. The company lost more than a million square feet of office space, and many employees, in the World Trade Center disaster.)
Tucker says that for IT executives in charge of business continuity plans, now is the time to seek funding for more costly initiatives, while Sept. 11 is still in the minds of company executives.
"This is definitely top-of-mind for CEOs and CXOs, but six months from now that's not going to be the case," says Tucker. "It is much easier (now) for a CIO to get increased resources for business continuity. We're urging CIOs, if you're going to make a move, the time is right."
Business continuity planning, or BC, includes preparation for a range of activities that help a business get back on its feet after a major disruption. It includes preparedness for disaster recovery (for IT hardware, software, data, and networks), business resumption and recovery (giving workers a workplace where they can recover and rebuild systems and the business), as well as crisis management (how executives respond to and make decision during a crisis).
In 37% of the companies surveyed, -the largest group of all - the CIO oversees BC planning, followed by the chief operating officer (22%). Tucker notes how BC has often been something handed over to the IT department, with little input or attention from others in the organization. Now, CIOs are in a position to get far more cooperation across the enterprise to help craft an effective plan for business recovery.
"They used to say it's IT's responsibility. Now the realization is the IT people really can't do the business continuity part (alone), they need the business people to help," he says. "IT begged for this in the past, now they're being asked to get this rolling."
If anything, Sept. 11 has served as a reality check for IT execs charged with managing BC plans. Prior to that day, the biggest perceived threats (and those for which they were prepared) were power outages, server or host failure, operational error, application failure, and software viruses. Of minimal concern was a major loss of life, acts of war or terrorism, complete loss of physical assets and workspace, transportation delays, and loss of telecommunications.
Today, the highest priority among those polled is creating or revising contingency plans for major business disruption (about 75% are likely or somewhat likely to do this.) Other top priorities include working with business units on their plans, conducting risk assessments and testing plans more frequently.
Low on the list of priorities are costly steps such as spreading key executives across multiple locations, moving data centers or moving corporate headquarters.
There are some key trends emerging from the renewed call for business continuity planning post-Sept. 11, says Tucker, and they offer guidance for CIOs faced with boosting their company's BC strategy:
- Corporations are raising the bar in their assumptions. Smart execs are revisiting their planning scenarios to reflect the reality that "a lot more damage can happen at one time," Tucker says. This includes assumptions that companies can lose staffers in addition to IT infrastructure and other business assets. As a result, a smart strategy is to rotate the people involved in scenario testing, so more than a small group of execs and managers is familiar with the plan.
- More serious rehearsals In the past, testing of plans through rehearsals was a weak spot of business continuity planning, Tucker says. Now it's getting more serious attention, with companies testing more frequently and making immediate changes to their plans based on what they learn in the run-throughs.
- Better documentation. If policies and procedures for business continuity are well documented and distributed, it can avoid troubles that could arise when the handful of people who know the plan are stuck, for instance, in London for several days. Says Tucker: "Before Sept. 11, people would have laughed you out of the room" if you offered that suggestion, but that was the precise problem for many firms when air travel was grounded for several days.
- An emphasis on safety. Employers are realizing that "people do come first," Tucker says. The old assumption was that during an emergency, employees would be safe, that they could leave the office and drive to a pre-arranged recovery site. Now there's a new emphasis in plans on how to keep employees physically safe in the event of a disaster and get them out of harm's way.
- The insurance case. Another compelling reason to enhance a corporate business continuity plan is a change by insurers after 9/11. Increasingly, Tucker says, insurers are not offering businesses coverage for terrorist acts, while at the same time they're raising rates significantly. That means companies have to take extra steps to protect themselves if insurance will not compensate and assist them in the event of a major business disruption.
- Show me your plan. Many BC plans have an added component: They're requesting information on the BC plans of their major partners and suppliers to see if they're up to their standards. Even if your company does not experience a major disruption, a disruption at a supplier's business could adversely affect your company's ability to continue operations, so it's something worth considering.
David Aponovich is senior editor of CIN.Earthweb.com. His e-mail is firstname.lastname@example.org.