Aftermath: Business Continuity Planning

In the past 10 years, BCP has broadened its scope from disaster recovery to business recovery. The 11 September 2001 attacks on the United States dramatically emphasize and heighten BCP’s necessity and importance.

History: 1990 – 2000

In the past 10 years, business continuity planning (BCP) has evolved into a major concern for corporate and IT decision makers, and the Internet and evolution of e-business have significantly increased its importance. The events of 11 September 2001, and the heightened awareness of enterprise vulnerabilities that will inevitably follow, present business continuity planners with enormous challenges — but also with an extraordinary opportunity to implement mission-critical changes.

This special edition of our Security and Privacy Spotlight examines the issues of BCP, disaster recovery (see "Aftermath: Disaster Recovery," AV-14-5238), and the tools and services required for both (see "Aftermath: Technology Tools and Services," AV-14-5338).

In the early 1990s, business continuity was positioned mainly in terms of disaster recovery. In the event of a major disaster, technology assets (e.g., systems, networks, applications and data) were to be "recovered" in an alternate location. The typical recovery time objective (RTO) — i.e., the desired time to recover applications — was approximately three days; the typical recovery point objective (RPO) — i.e., the acceptable transaction loss — was 24 hours. Most of the enterprises that implemented disaster recovery plans did so because they were in highly regulated industries (e.g., banking and other financial services sectors). In most enterprises, however, business continuity and disaster recovery planners spent their time trying to raise awareness of the need to protect enterprise assets — often unsuccessfully — and fighting apathy toward recovery planning.

By the mid-1990s, business continuity initiatives had expanded to include the recovery of critical work processes. For example, many enterprises recognized that recovering their call center technology was pointless if they lacked personnel to staff the call center itself, or a workplace in which to locate it.
BCP and disaster recovery scenarios remained largely unchanged, however, as did RTOs and RPOs.

The trend toward an expansion of BCP initiatives gathered momentum in the late 1990s, driven in part by preparations for potential year 2000 crises. One result of year 2000 remediation was massive enterprise investment in re-engineering business processes (e.g., implementing integrated enterprise resource planning systems). As they prepared their year 2000 contingency plans, many enterprises began to understand that if their critical systems and applications failed, their business processes would fail along with them — e.g., orders could not be taken and products could not be manufactured or shipped. The inevitable result would be a severe negative impact on the profitability and possibly the survival of the enterprise.

Due to this new understanding of their vulnerabilities, enterprises invested heavily in BCP and disaster recovery between 1997 and 2000. RTOs for mission-critical business processes were reduced to less than 24 hours and sometimes much less; RPOs were often set as up to the point of disaster — i.e., no loss of work or transactions. Moreover, the growing interdependencies among internal processing systems and external service providers began to increase the complexity of recovery solutions. Nonetheless, scenario planning remained largely unchanged.

The Internet Changes Everything

The arrival of the Internet and e-business — which achieved critical mass in 1999 — caused fundamental changes in the way enterprises thought about BCP. Enterprises began re-engineering their business processes yet again, this time integrating them with those of customers, suppliers and business partners. As a result, RTOs and RPOs have been reduced still further, in some cases reaching zero. (A zero RTO means zero downtime, or 24x7 continuous business process availability.)
Furthermore, scenario plans have broadened to take on new e-business-specific risks, including downtime caused by:
In the new e-business world, enterprises must be deeply concerned about any risk of downtime. Today, any downtime results in negative media coverage, which can severely impact the enterprise's image and reputation — and its continuing viability.

BCP Today: Enterprise Survival Depends on It

In a way, the terrorist attacks on 11 September 2001 complete this 10-year evolution in BCP — but they also change everything. The dramatically heightened recognition of the importance of business continuity means increased budgets for dedicated, nonshared recovery solutions for business applications and systems of all types. Planners will have the opportunity to integrate business continuity into the project life cycles of business processes and applications. Old and new risks can be addressed where they should be — in the business requirements phase of a project, not as an afterthought when production has been completed. Most important, there will be newfound business continuity planners. After 11 September 2001, enterprise decision makers understand why business continuity is important: The survival of the enterprise depends on it.

The task of implementing comprehensive BCP will certainly be easier now, in part because enterprises in general are much more organized for business continuity today than they were before 2000. Due to the growth of e-business, and now the heightened appreciation of BCP, by 2005, more than 70 percent of large enterprises will have invested in BCP, compared to fewer than 25 percent today (0.8 probability).

The BCP section of this special edition of Security Matters! further examines these issues and, particularly, the impact of e-business on BCP initiatives. The research in this section points to a fundamental truth: E-business is blurring the lines between those who are insiders to our business and those who are outsiders. It is also blurring the lines between the production environment and the recovery environment.
They are now one and the same, and recovery requires collaborative continuity planning among all interdependent parties. This has been true for several years. The events of 11 September 2001 bring this truth, tragically, into sharper focus.

Features

"Business Continuity Planning and Management: Perspective" (DPRO-100862). BCP fundamentals. By Kristen Noakes-Fry and Trude Diamond

"Enlightening the CEO on Business Continuity Planning" (TU-07-7202). Tactics for getting boardroom attention for BCP. By Donna Scott

"How E-Business Is Changing Business Continuity Programs" (QA-13-8626). Insights into BCP trends and organizational issues drawn from a recent Gartner survey. By Fred Luevano

"Integrating BCP Into the IT Project Life Cycle" (TU-13-8386). How to make BCP work with other mission-critical IT projects. By Roberta Witty

"Fault-Tolerant Networks: Is There Such a Thing?" (TU-13-7964). How to enhance the reliability of enterprise communications networks. By David Neil and Bob Hafner

Entire contents © 2001 Gartner, Inc. All rights
reserved. Reproduction of this publication in any form without prior
written permission is forbidden. The information contained herein has been
obtained from sources believed to be reliable. Gartner disclaims all
warranties as to the accuracy, completeness or adequacy of such
information. Gartner shall have no liability for errors, omissions or
inadequacies in the information contained herein or for interpretations
thereof. The opinions expressed herein are subject to change without
notice.

Resource ID: 341011