Author Biography
Professor Edward Moskal is a Professor in the Computer and Information Sciences Department at Saint Peter’s College located in Jersey City, New Jersey. Prior to becoming a Professor in 2001, Ed worked for 24 years at fortune 100 companies, developing and directing system implementation projects on mainframe, mid-range and client-server computing platforms. Systems included Manufacturing, Marketing, eCommerce, Customer Relationship Management, Supply Chain, Enterprise Resource Planning, Financial, Human Resource, Retail, and Shareholder. Professor Moskal earned a BS in Management and Information Systems from Saint Peter’s College, an MS in Administration from the University of Notre Dame, and an MS in Management Science from Stevens Institute of Technology.
Acknowledgements
This article was made possible through the 2005 New York University Summer Scholar-In-Residence program in which Professor Moskal was an active participant. Utilizing New York University resources (databases, journals, periodicals, text books and the internet), Professor Moskal conducted research and studied the subject of disaster recovery.
Introduction
There are many risks that threaten organizations by disrupting computer systems and business processes. These risks include traditional emergencies like fires, floods, earthquakes and hurricanes as well as risks from cyber-terrorism, cyber-crime, computer and telecommunications failures, theft, and employee sabotage. Any one of these risks can be very disruptive to a business. There are also new risks that have surfaced since 9/11. Communicable diseases have shown with the deadly SARS outbreak that they can threaten business too and terrorism is a threat worsened by a tendency of people to become complacent in the absence of immediate danger. In addition, post 9/11, there is a greater risk of a biological agent release (bioterrorism). The Gartner group indicated in a study performed in July 2004, that many enterprises have inadequate business continuity and disaster recovery programs. A severe incident, such as the September 11 disaster, would cause crippling damage to businesses, and some might never recover.
Disaster Recovery Methodologies
From an information technology and business recovery standpoint, there are a variety of good disaster recovery methodologies and products in the market place. The challenge facing organizations today, in the post 9/11 era, is to select the optimum blend of disaster recovery products and technologies. A common problem in the past has been a tendency to view the disaster recovery solution as individual product technologies and piece parts. Instead, disaster recovery solutions need to be viewed as a whole, integrated multi-product solution to deal with both the post 9/11 and the traditional business risks and emergencies.
Why Should We Care About Disaster Recovery
Recent research shows that one major barrier to disaster preparedness is lack of senior management support and funding. Senior management has a tendency to think that disaster recovery planning is a complex, time and resource consuming process with little obvious benefit. However, insurance statistics indicate that billions of dollars are lost through catastrophes and computer outages. For the 1990-99 period, the Federal Emergency Management Agency (FEMA) spent more than $25.4 billion for declared disasters and emergencies. FEMA is now part of the Department of Homeland Security. FEMA's mission is to lead America to prepare for, prevent, respond to and recover from disasters with a vision of "A Nation Prepared." At no time in its history has this vision been more important to the country than in the aftermath of September 11th. Business managers must realize that when a disaster strikes it will have an adverse impact on their businesses/customers. Following are reasons why businesses must plan for disasters:
In addition to planning for disasters, plans need to be in place to handle non-catastrophic events associated with computer hardware and
software malfunctions including lack of adequate security controls. Following is a list of real world events that resulted in risk to company
customers and the public associated with computer hardware, software malfunctions and lack of adequate security controls:
Although these events may not be catastrophic, they are significant and result in considerable costs, resources and computer down time.
Business Continuity Management Methodology
I am proposing a Business Continuity Management methodology (a new post 9/11 disaster recovery methodology) that can be used to sort,
summarize, and organize company business requirements in a methodical way. Business Continuity Management is regarded as the
integration of social and technical systems that together enable effective organizational protection (Source: Journal of Strategic Information
Systems, 1995).
Before I define the elements of the proposed Business Continuity Management methodology, I want to introduce you first to (1) disaster
recovery statistics and facts, (2) common threats, and (3) effects of a disaster.
Disaster Recovery Statistics and Facts
Research and statistics clearly highlight the importance of disaster recovery and business recovery planning. The following statistics and
facts illustrate this point:
Disaster recovery and business recovery planning should be addressed as a top priority in organizations. The consequences of not addressing
disaster recovery and business recovery planning are significant to the livelihood of an organization.
Common Threats
Since 9/11, we have lived through a number of catastrophic events (the Tsunami, Hurricane Ivan and the Eastern North America blackout).
Since 1953, there have been a total of 1,572 major disaster declarations made by FEMA. This averages out to be 31 major disasters per year
since 1953. Following is a list of some of the most common disaster threat (Source: Layton & Associates LLC):
Lack of proper disaster recovery planning can threaten company technology infrastructures and the survival of businesses that rely upon
them.
Effects of Disaster
The effects of a disaster have a tremendous impact on business. Following is a list of the business effects associated with disasters:
Companies can loose their market-share or entire business if disaster recovery is not properly addressed.
Business Continuity Management – Definitions and Model
Business continuity management should look at all critical information processing areas of a company, including but not limited to the
following:
A Business Continuity Management methodology should be followed that will provide an integrated framework for companies to implement a
proper level of disaster recovery protection for their organization. The Business Continuity Management methodology proposed provides this
integrated framework and consists of the following elements: risk assessment, business impact analysis, disaster recovery, business
recovery, business resumption, contingency planning, and crisis management. Following are the definitions:
Risk Assessment
Process of identifying the risks to an organization, assessing the critical functions necessary for an organization to continue business
operations, defining the controls in place to reduce organization exposure and evaluating the cost for such controls. Risk analysis often
involves an evaluation of the probabilities of a particular event.
Business Impact Analysis
The business Impact Analysis is a process designed to identify critical business functions and workflow, determine the qualitative and
quantitative impacts of a disruption, and to prioritize and establish recovery time objectives.
Disaster Recovery Plan
The management approved document that defines the resources, actions, tasks and data required to manage the recovery effort. Usually refers
to the technology recovery effort.
Business Recovery Plan
Process of developing advance arrangements and procedures that enable an organization to respond to an event in such a manner that critical
business functions continue with planned levels of interruption or essential change.
Business Resumption
Planning to ensure the continued availability of essential business processes, programs and operations. Business resumption planning
prepares organizations to recover from contingencies, defined as any event that may interrupt an operation or affect service or program
delivery. Business resumption planning includes facility and operations management, as well as information technology systems. The
resources that must be considered include information, assets, people and facilities.
Contingency Planning
A plan used by an organization or business unit to respond to a specific systems failure or disruption of operations. A contingency plan may
use any number of resources including workaround procedures, an alternate work area, a reciprocal agreement, or replacement resources.
Crisis Management
The overall coordination of an organization's response to a crisis, in an effective, timely manner, with the goal of avoiding or minimizing
damage to the organization's profitability, reputation, or ability to operate. Hopefully, organizations have time and resources to complete a
crisis management plan before they experience a crisis. Crisis management in the face of a current, real crisis includes identifying the real
nature of a current crisis, intervening to minimize damage and recovering from the crisis. Crisis management often includes strong focus on
public relations to recover any damage to public image and assure stakeholders that recovery is underway. An uncontrolled disaster or a
combination of mismanaged disasters could lead to a crisis. The magnitude of the crisis could be larger than a disaster in terms of loss
expectancy. A crisis usually happens because of accumulated unattended/unresolved disasters/issue(s).
Business Continuity Management implies ensuring the continuity or uninterrupted provision of computer operations, business processes and
services. Business Continuity Management is an on-going process with several different but complementary components. Risk Assessment
and Business Impact Analysis are the initial steps.
Every organization, no matter how small should have a Business Continuity Management program to help ensure that they are able to recovery
both information technology and business operations in a timely manner. The sponsors of the program should be company senior management
and the head of information technology.
Business Continuity Management Implementation
Senior management awareness is the initial and a very important step in creating a successful Business Continuity Management program. To
obtain necessary resources and time from required areas of the organization, senior management must understand and support the business
impacts and risks.
In today’s global business environment, having the correct computer systems, databases and information in a timely manner can be the
difference between profits and losses, maintaining pace with competition, and ensuring the viability of a company. Company’s that have 24 x 7
access to information allows them to achieve their objectives (Source: IDC June 2003). In addition, vendors, suppliers, customers and
employees must have access to information when they need it. Providing the necessary level of information under normal conditions as well as
unpredictable disruptions or catastrophic disasters is necessary for a company to survive. It is during the unpredictable disruptions or
catastrophic disasters that businesses risk losing competitive advantage by not having taken the appropriate measures to prevent loss of
information availability.
The costs associated with developing and implementing a Business Continuity Management program will be relative to the number of computer
systems and business processes identified in the risk assessment and business impact analysis that require risk mitigating safeguards. In
addition, costs associated with a vendor hot site, telecommunications, and resources need to be factored into the cost equation.
According to an IDC study in June 2003, in which telephone interviews were conducted on 41 companies that integrate business continuity as
part of their information technology strategy, costs by companies varied dramatically. The companies studied were in the financial services,
manufacturing and healthcare industries. The finance industry spent far more proportionally than the manufacturing and healthcare
industries. The significance of these differences in business continuity budgets indicates, first, that each industry places a different level of
importance on the role of business continuity, and second, that the financial industry places a higher level of significance on incorporating
business continuity as part of its information technology strategy. Following are the breakdown of costs by industry:
The 41 companies surveyed were comprised of: 14 from financial, 15 from manufacturing, and 12 from healthcare. The average cost spent per
company on business continuity, for year 2003, was $4.5 million.
As part of the IDC study, company information was also collected on revenue lost per incident by business function. In measuring overall
revenues lost per incident, the losses incurred per disaster result in an average loss of approximately $3 million per incident. The largest
overall losses are incurred by back-office functions, led by finance, followed by manufacturing and human resources (Source: IDC, June
2003). Considering the study performed by Veritas in 2003, where 60 percent of 850 mid-to large-sized companies experienced from 1 hour to
24 hours of unplanned down time, the $3 million average cost per incident is significant.
A company needs to balance the cost of unavailability with the cost of recovery. Companies need to make decisions on what systems and
business processes should be part of their Business Continuity Management program and need to be recovered in the event of a system outage
or disaster. Companies need to have healthy discussions on business continuity management as part of their strategic, tactical, and operational
planning process and include appropriate funding in their information technology and business unit budgets.
It is critical that companies follow a robust Business Continuity Management methodology, when performing disaster recovery planning. The
plans implemented must be achievable, testable and cost-effective, in order for them to be effective.
All seven steps should be completed to help ensure adequate disaster recovery plans are in place. All seven steps also need to be updated on an
on-going basis. If they are not sustained, improved and when necessary changed, the investment in the Business Continuity Management
program will be wasted.
September 11, 2001, changed the way many people view the world. It expanded the meaning of "disaster", causing organizations to rethink
their business continuity plans. The Business Continuity Management methodology outlined, provides the road map that all companies (large,
medium and small) can follow to help ensure continued computer system and business operations in the event of a disaster, computer
emergency, or crisis in this post 9/11 era.
Bibliography and References
“Business Continuity and Disaster Recovery Plans – Things Overlooked, Steven
Lewis, EDPACS, Volume 33, June 2005.
“Business Continuity Needs: Ensuring Information Availability While Ensuring ROI”,
David Tapper, International Data Group (IDC), June 2003.
“Business Continuity Planning”, Martin Nemzow, John Wiley & Sons, July 1997.
“Disaster Recovery and Business Continuity, Step-by-Step”, Wall, Northcutt and
Edmead, SANS Institute, 2004.
“Disaster Prevention and Management”, David Alexander, Emerald Group Publishing,
Volume 14, Number 2, 2005.
“Disaster Recovery: Best Practices”, Cisco Systems, July 2003.
“Eight Best Practices for Disaster Recovery”, Martha Heller, CIO Magazine,
November 2004.
“Incident Handling: An Orderly Response to Unexpected Events”, Rickard L. Rollason –
Reese, ACM’s Special Interest Group for University and College Computing Services,
August 2003.
“Identifying Enterprise Network Vulnerabilities”, Judith M. Myerson, International
Journal of Network Management, August 2002.
“Network went wobbly hours before outage”, Thomas Fogarty, USA Today,
August 18, 2003.
“Ongoing Crisis Communications”, W. Timothy Coombs, Sage Publications, 1999.
“Plan for the Worst”, Kahan, Accounting Technology, Spring 2005.
“Risks to the Public in Computer and Related Systems”, Peter G. Neumann, ACM
Volume 29 Number 5, September 2004.
“The Economic Cost of the August 2003 Blackout”, Bansari Saha , ICF Consulting,
August 2003.
“The Limitations of Traditional Information Systems Planning”, Swartz, Elliot, and
Herbane, Journal of Strategic Information Systems, 1995.
World-Wide-Web Links
http://www.caci.com
http://www.davislogic.com
http://www.disasterrecoverysurvival.com
http://www.fema.gov
http://www.forrester.com
http://www.gartner.com
http://www.ibm.com
http://www.insolutionsinc.com
http://www.laytonllc.com
http://www.londonchamber.co.uk
http://www.mcgladrey.com
http://www.scdservices.com/data_backup
http://www.strohlsystems.com
http://www.sungard.com
http://www.veritas.com
Further Readings