The events of Sept. 11, 2001, resulted in CIOs scrambling to implement business continuity planning (BCP). Companies such as Snap-on Inc. and Commerzbank AG invested large sums of money in BCP after 9/11. However, today's numbers show that business continuity investments are 1% to 2% of total IT budgets, a fraction of the 2% to 8% they should be, according to various sources. Business continuity investments appear to have been only a spike after 9/11. Today, business continuity has slid down on the CIO's priority scale.
Several sources suggest that most organizations don't have working business continuity plans in place. In a survey it conducted during the winter of 2000, Dataquest Inc. found that over 60% of the businesses that responded didn't have a basic plan for BCP. Gartner Inc. analyst Roberta Witty estimated last July that even after the terrorist attacks on the U.S., less than 25% of large enterprises have comprehensive business continuity plans. Another survey, conducted by a consortium of 50 companies, found that two-thirds of the thousands of enterprises surveyed had no business continuity plans. Among the businesses that had such plans, four-fifths had never tested them, and among the companies that had tested their plans, only 17% of the plans had passed.
Results found in a recently completed 20-year study of Fortune 500 crisis readiness by the University of Southern California's Center for Crisis Management support the above studies. Therefore, although some companies did invest in BCP after 9/11, it can be derived from the studies mentioned above that business continuity has been forgotten by CIOs.
Virus attacks on servers and networks are becoming more commonplace, but even more catastrophic disruptions to business -- ranging from blackouts like the one that hit the U.S. in August 2003 to terrorist attacks like 9/11 -- occur with alarming frequency. Disasters can result in large monetary losses, legal ramifications, loss of customer confidence and, in some extreme cases, the end of the company's existence. Organizations therefore need to have plans to recover their assets, which include people, facilities, business applications, processes and IT systems, so they'll be able to return to normal business operations as soon as possible. This requires BCP.
Business continuity (sometimes referred to as business continuance) describes an organization's procedures to ensure that essential functions can continue during and after a disaster. BCP seeks to prevent interruption of mission-critical services and to re-establish fully functioning plans as swiftly and smoothly as possible. Disasters can be caused by any of the following:
- Natural causes such as floods, fires and earthquakes
- Systems-related causes such as network problems and power or telecommunications failures
- Human and malicious causes such as hackers, viruses, terrorism, disaffected employees and theft
According to a September 2001 report by Gartner analyst Vic Wheatman, most people think of major disasters caused by weather or attacks when they think of risks to their business. In most cases, though, small events blow up into bigger ones, resulting in the interruption of normal business operations. In fact, less than 5% of downtime is the result of "real" disasters.
The question is why this 5% garners so much attention. According to the Fibre Channel Industry Association, losses due to one hour of downtime can be millions of dollars in some industries such as media and finance. Because hundreds of companies invoke their business continuity plans every year in response to severe or extremely severe disasters, being prepared with BCP is essential for all business organizations.
Historically and for well-understood reasons, BCP has resided in the IT department. For this reason, most companies have some disaster recovery alternatives for their IT systems. The most common disaster recovery alternative used is off-site data storage where data is backed up on a regular basis onto a tape or disk and kept at a location away from the business location. Although several other technology alternatives for IT recovery are available, such as hot and cold sites, electronic vaulting, shadowing, mirroring and disk-to-disk remote copy, they're not used by as many corporations.
Given the nature of today's enterprise and the need to manage a much broader set of risks, BCP needs to go beyond disaster recovery planning and recognize that IT is just one essential component in BCP. To effectively recover from a disaster requires planning and mitigation of all critical assets, including people, facilities, business applications, procedures and IT systems. Doing so requires the cooperation of the company's management at all levels as well as involvement of most, if not all, of its value-chain partners, including vendors and suppliers. It also requires business managers and IT managers to work together on business continuity. BCP needs to be considered as part of strategic planning, rather than as an afterthought. This is based on conversations with some CIOs at the recent WINMEC-Anderson CIO Forum held at the University of California, Los Angeles.
Although organizations are aware of the need for and importance of BCP, and although disaster recovery/business continuity was ranked the second-highest priority by CIOs in a recent Forrester Research Inc. study, BCP continues to face several barriers to adoption. Cost is perhaps the most important barrier, as seen in a study conducted by UCLA's Business and Information Technologies team in a project funded by the AT&T Foundation at the Center for Management in the Information Economy. The cost of BCP is hard to justify, owing to the difficulty of conducting a cost-benefit analysis where the costs are in dollars but the benefits are not.
For this reason, BCP gets superseded by other applications that can be financially justified more easily. Time is another barrier to the adoption of BCP. Since BCP is never a high priority until a disaster occurs, other applications tend to get ranked higher on the priority list. In addition to the cost and time barriers, BCP is difficult to carry out. Analysis and requirements definition isn't a trivial process. Testing of business continuity plans, which involves disruption of normal business, is yet another daunting task.
In this tough economic environment, it's tempting to cut resources for BCP. Many enterprises mistakenly view BCP as an insurance policy against which they will likely never have to place a claim. However, disasters can happen anytime, and thousands of enterprises have invoked their recovery plans over the past 10 years, according to Witty's report from last July.
It's recommended, therefore, that CIOs make BCP a high priority in their organizations. CIOs should implement business continuity plans, get buy-in from executive-level management and require business and IT managers to work together on BCP. They should look into implementing limited business continuity plans. In fact, although BCP is important for any business, it may not be practical for any but the largest organizations to maintain fully functioning plans in the event of a disaster. With the help of executive management buy-in, CIOs should allocate budget and time for BCP. With business heads and IT managers working together, business continuity in the organization can be ensured.
Vandana (Ann) Mangal is associate research director at UCLA's Anderson School of Management. She has worked at companies that include Intel Corp., Hitachi Data Systems Corp. and AE Business Solutions. She has also taught at the University of Wisconsin-Madison School of Business. She has a bachelor's degree in electrical engineering and a Ph.D. from Carnegie Mellon University.