In the past, large corporations planned for disasters by backing up their data, storing information off site and building redundancy into their processes. That was the early beginnings of disaster recovery/
business continuity.
Small businesses, on the other hand, relied on their own ingenuity and frequently had no contingency plans to address business disruptions.
Today, we define business continuity as: How an organization prepares for future incidents that could jeopardize its core mission and its long-term health. Incidents include local disruptions like building fires, regional incidents like hurricanes, or national incidents like pandemic illnesses.
Making the case for disaster preparedness is the simple part. According to the Information Security News Magazine (2000), an effective business-continuity plan and disaster recovery plan can reduce losses by 90 percent in the event of an incident. In the case of fires, 44 percent of businesses fail to re-open and 33 percent of those that did failed to survive beyond three years. Fifty percent of the businesses that suffer from a major disruption close their doors within two years.
Business continuity is linked to risk management, physical security, emergency management, public-sector agencies, telecommunications, supply chain and essentially every other critical operating function of their business. Its direct and indirect relationship with more traditional and established business functions is becoming more apparent, and as a result, it is becoming a mainstream issue.
In order to effectively plan, businesses must consider a vast array of potential devastating threats. For example, it is difficult to tell just how credible and imminent a threat like the avian flu poses. For that reason, it makes sense to plan a response to the pandemic threat.
The 9-11 Commission recognized the importance of business continuity and disaster-recovery planning in its final report.
Legislation was signed into law Aug. 3, 2007 that requires the U.S. Department of Homeland Security to provide for the development of a private sector-led voluntary certification program for private-sector preparedness. This program is to be developed in consultation with key stakeholders reflecting existing best practices and standards.
The goal is to provide a method to independently certify the emergency preparedness of private-sector organizations, including disaster/emergency management and business continuity programs. Its target is small-to mid-size businesses.
Much of the certification discussion has evolved around mapping the core element for improved preparedness, which involves a defined methodology, program, process and/or system to address critical core elements at risk.
For this strategy to work, there first needs to be management commitment, with accompanying program roles, responsibilities and resources defined.
Risk assessment and impact analysis is the next step.
Prevention and mitigation follow, which encompass evacuation planning, strategic planning, prioritization, objectives, targets, dependencies, and tactical plans for deterrence, readiness, response, continuity and recovery.
Document-information and data-control backup is also key. This mapping will then bring the business to recovery. Awareness and testing are to follow, with a maintenance program for future upgrades.
Five years ago, we did not know the importance of this mapping, nor did we understand the depth of the challenge of business continuity. But this new approach brings small and mid-sized businesses up to speed. And just in time.
If our large corporations fail to meet obligations due to lack of materials, services or intelligence from their smaller suppliers, critical business is lost. It is a true chain reaction. How many businesses, large and small, can fail before layoffs and business closings occur?
In fact, large companies have recognized their dependency on smaller companies. Discussions are taking place to see if a standard can be implemented by large companies in which they require their supply-chain vendors to have a continuity plan. It will be a price of doing business very soon.
The bottom line is creating a resilient organization. You do this by ensuring that your continuity programs are supported by a culture of continuous improvement, maintained by well-trained people who routinely exercise their skill and develop the ability to make good decisions under stress.
Developing partnerships to share information and pool resources is also important. Planners should seek and establish partnerships with their counterparts in government and industry.
We have come to know that government cannot work alone and needs the resources the private sector can provide at the time of a major disruption. At the same time, the private sector needs resources that only a first response by government can provide.
If you are asking yourself when you should get started, it should be apparent. Planning must begin today. For those business owners who say, “I have insurance” or “I can handle a disaster,” keep in mind that many businesses hit by Hurricane Katrina held that same philosophy.
Good continuity management can make the difference – and in the long run make a business more profitable. So be prepared to expect the
unexpected. •
Lori C. Adamo is president of Cranston’s Code Red Business Continuity Services, LLC.
