Today, threats that affect business continuity are ever-present. Catastrophic weather events appear with greater frequency and without warning. Hurricanes, tornados and floods are carrying more destructive force. And then there are earthquakes, ice storms and lightning strikes.
The terrorist threat continues, especially in the form of anthrax and other white powder attacks on the mailstream. Hoaxes can bring a business operation to a halt as effectively as the real thing. Other man-made disasters come from employee carelessness, civil disturbances, arson, bomb scares and employee sabotage.
Proximate events can be even more damaging. A fire or burst boiler in a neighboring building can stop your day-to-day operations. Businesses are also vulnerable to pandemic outbreaks, chemical/biological contaminations, asbestos release and truck and train accidents that release toxic cargos.
Four industries are at greater risk because maintaining a daily revenue stream and/or continuous service is key to their survival: financial services, utilities, service bureaus and insurance companies.
What Happens Without a Plan?
In an emergency, emotions flow and events can unfold completely outside anyone's control. If you don't have a disaster recovery plan and a staff trained to implement it, you won't know who to contact, when to contact them, how to protect employees or how to restore operations and maintain assets. Without a plan, the implications can be substantial.
the mailstream were delayed a few days while a suspicious powder is tested. Once authorities are contacted, how long a building must remain shut could be out of your control. If cash flow stopped, how long could you operate with the cash on hand? When that runs out, what will it cost to borrow?
How to Develop a DR Plan
Understand the risks and document them. Determine what's important to your business and what you're trying to protect. Weigh the cash flow requirements and costs and the regulatory compliance exposure. You can drive yourself to distraction with risk assessment. What's important is to do what's reasonable and customary. A lot of this is just common sense, but it does require forethought and planning.
Build a business impact analysis. Quantify as best you can the cost of business interruption and the cost to rebuild your business. Determine how damages would be calculated and assess the impact based on specific time periods. What if the business interruption went on for a week or a month? What's the cost of penalties and fees? How long would it take and what would it cost to replace infrastructure? What will insurance pay for?
Mitigate risks. Once you understand the risks and their impact, take a look at what you can do to minimize them. Should you move a warehouse, records storage facility, mail center or IT operation? Look to decentralize functions and build redundancies in hardware, software and staffing. Do a site safety and security audit to determine what can be done within buildings to protect employees and operations. For example, should you install filtration systems? Understand IT backup capabilities as they relate to your print/mail operations and the revenue stream. Review alternative methods of document delivery including outsourcing and electronic transactions. Make sure employees who work in the mail center or in maintenance are adequately screened in the hiring process. Background checks and drug screening are important for these jobs, which are at the heart of critical operations and often have wide-ranging access to facilities.
Develop the DR Plan to cover the gap between the risks you can mitigate and those you can't. Identify your mission-critical applications and determine their hierarchy. Separate needs vs. wants by evaluating the financial or operational impact of each application. Most organizations define needs in terms of cash flow, regulatory requirements and the internal and external customer implications of service level agreements.
Build a disaster response process. Construct a scenario from the worst-case perspective. Determine who has the authority to declare an emergency. Plan your emergency evacuation procedures. Focus on crisis management: determine which information to share with customers, employees and the media. Plan to back up cash flow daily. Look at setting up a mirror image of your entire IT infrastructure at another location. Document all processes to "automate" the decision-making and minimize confusion.
Get top executive buy-in. CEO, CIO or CFO support is critical to a DR Plan. Have them appoint a dedicated DR project manager with access to the decision makers and the authority to manage cross-functional teams, such as IT, audit, marketing, finance, regulatory and procurement.
Consider your DR Plan a process that will continue to develop. I like to call the DR Plan your plan for "business as unusual." Since the unusual is often unpredictable, this is one plan that needs to stay flexible. Changes in technology, your scope of applications and corporate organization will continue to impact your plan, so change management is critical. Periodically validate how your plan functions and change processes as needed: test, test, test.
I am amazed at how many companies do not have a full disaster recovery plan. Top management often underestimates the cost of a business interruption from a disaster. They also typically underestimate the likelihood of a disaster happening, not taking into account the possibility of proximate events over which they have no control. Costs must always be weighed against risks to design the plan that's right for your company. But putting a full DR Plan in place now could save your business huge amounts of money and even the business itself.
Nick Kopernik is Director, Pitney Bowes Business Recovery Services, at Pitney Bowes Management Services. Pitney Bowes develops and implements recovery programs for a wide variety of government agencies and Fortune 500 companies. For more information contact Kopernik via email at Nick.Kopernik@pb.com.