Business Continuity Planning

Expert Opinion

Business Continuity Planning (BCP)

It is virtually impossible to predict every likely disaster scenario. James Swann of the Community Banker journal cites [1] Steven Lewis, editor in chief of Edwards Disaster Recovery Directory, who believed that some banks become too concerned with trying to predict specific disasters. Lewis believed that the best approach was to examine the results of disasters, i.e.:

  • Loss of information
  • Loss of access, and
  • Loss of people

By considering the various possibilities and gauging a wide range of consequences, organisations can take appropriate measures to protect themselves. The construction of a matrix under each of the above categories can be used to document potential threats to business operations. By using the matrix, managers can ascertain the period of time that given areas might be permitted to remain non-operational. It was recognised that certain segments may not need to be brought back on line immediately, whilst others might be considered as essential services.

Jeff Morgan, chief operating officer of the Futures Industry Association, Inc., and Bob Mellinger, president of Attainium Corporation, a consulting company specialising in business continuity matters, outlined [2] the following key phases associated with BCP:

  • Preparation for potential disasters;
  • Prevention or mitigation of perceived threats;
  • Response when crises occur; and
  • Recovery from disasters.

Assessing potential risks is a significant challenge and business continuity audits form a useful tool to facilitate such work. The first element of any risk assessment involves considering the likely impact of a disaster upon the organisation's customer services. Mellinger outlines the following three elements used to identify potential risks, their likelihood, and probable impact on day-to-day operations:

  • Service-Interruption Time Bands for identifying the time limits for which the organisation can survive without the availability of key business processes e.g. less than 2 hours, 2-24 hours, 24-48 hours, 2-5 days, more than 5 days. Using this process the critical time band for each key process is identified.
  • Emergency Incident Assessments for determining which disruptive events are most likely to have the greatest effect upon business processes. This could be achieved by considering unique operational risks, examining each potential disruption, and developing a list of consequences for each threat, then determining the likelihood of each threat and ranking it from 1 to 5 (i.e. very low, low, medium, high, very high) and the possible impact from 1 to 5 (i.e. irritating, controllable, critical, devastating, terminal).
  • Operational Impact by combining Service-Interruption Time Bands and the Emergency-Incident Assessment results. This will identify those areas that are likely to be the most adversely impacted. From this point it is possible to prioritise the various elements of an organisation's business continuity plan. [2]

Risk and Impact Analysis

Ted Udelson, president of Integrity Computing [3], writes that business-impact analysis requires the identification of an organisation's critical assets, which may range from "hard assets" such as money and equipment through to intellectual property and relationships. Impact analysis is used to identify all critical processes and to determine the "value" that the organisation could lose if a crisis interrupted operations. Qualitative analysis is a practical and accessible means of comparing and ranking the various possible risks which might affect an organisation. By understanding which risks have the highest probability of occurring, and which could have the greatest impact upon operations, resources can be intelligently allocated to prevent or recover from these eventualities:

  • High probability/high impact risks: preventative measures can be taken.
  • High probability/low impact risks: a containment plan might be employed.
  • Low probability/high impact risks: insurance could be purchased.
  • Low probability/low impact events: the potential consequences might be considered low enough to be accepted.

The following matrix derived from Udelson [3] depicts how risks can be categorised in a qualitative manner.

[Figure: qualitative risk categorisation matrix, derived from Udelson [3]]

Carl Kotheimer, consultant for Consolidated Risk Management, and Bill Coffin, managing editor of Risk Management journal [4], describe a risk scoring system which may be used for comparing relative risks and as an aid to evaluation. Three factors are used to arrive at an overall risk score, i.e.:

  • the potential severity of earnings impairment
  • the accountability of management systems, and
  • the probability of a loss occurring

Each of these factors is first ranked from 1 to 4, and the factors are then multiplied together to produce an overall risk score; the higher the score, the more severe the risk, and the greater the urgency to address the issues highlighted. The following risk scoring table is adapted from Kotheimer and Coffin [4].

Risk Scoring Table (rating factor and risk score)

Factor A. Severity
  • Score 4: Severe impairment of earnings; survival of business/product line at risk
  • Score 3: Short term impairment of earnings; loss of market share or strategic opportunity
  • Score 2: Significant shortfall of earnings objectives; future opportunities delayed
  • Score 1: Minor inconvenience and loss of earnings

Factor B. Management Systems
  • Score 4: No corporate standard for accountability
  • Score 3: Corporate standard published but with no consistent accountability for objectives
  • Score 2: Some implementation of corporate standards and minimal accountability for objectives
  • Score 1: Full accountability for outcomes and objectives with executive compensation tied to results

Factor C. Probability of Loss
  • Score 4: High probability of event
  • Score 3: Moderate probability
  • Score 2: Possible occurrence
  • Score 1: Rare occurrence

Overall risk score = Factor A x Factor B x Factor C

Practical Emergency Management Plans

Organisations should prepare practical emergency management plans shaped to match their particular needs. Wendy Berliner, Christine Johnston, and Michael Ricciuti, lawyers in the Boston office of Kirkpatrick & Lockhart Nicholson Graham LLP [5], provided the following guidelines for formulating a disaster management plan:

  • Establish a planning team to collect input from all functional areas of the organisation. The team should be given the authority/resources necessary to develop the plan.
  • Analyse the potential hazards and the available resources for combating these hazards. Review current plans and policies along with all applicable laws and regulations. Determine which products, services and operations are vital, and evaluate backups for each of these. Assess the available internal resources (e.g., fire protection equipment, alternative information management systems) and assess the available external resources.
  • Perform an insurance audit to ensure that the appropriate coverage is in place.
  • Conduct a vulnerability analysis by examining the hazards within the organisation and in the local community, considering past crises related to the geographic location, technological weaknesses/threats, or human error.
  • Develop a plan consisting of the following core elements:
    • Direction and control;
    • Communication;
    • Safety of human life;
    • Property protection;
    • Community involvement;
    • Recovery and restoration;
    • Administration and logistics.
  • Implement the plan and strive to create a culture of compliance through routine training to keep the plan viable and relevant.
  • Evaluate and modify the plan to ensure that it does not become a static document. Conduct periodic audits to ensure that the plan remains an accurate, realistic and lawful process for the organisation to follow in the event of an emergency. Ideally the disaster management plan should become second-nature to maximise its benefits during an emergency.

Business Continuity Planning should ideally be an enterprise-wide exercise for identifying and assessing an organisation's most critical functions. BCP analysis should also take into account the impact of unexpected interruptions upon customers and suppliers, along with the ensuing response processes required to restore all critical functions within a prudent amount of time. Eric Krell [6], freelance writer and risk management specialist, provides an overview of BCP processes as depicted in the following diagram:

[Figure: overview of BCP processes, after Krell [6]]

Testing the Plan

Jonathan Clark, head of business solutions, and Mark Harman, regional managing director, of Crawford and Company International write [7] that effective crisis management planning rests on two principles:

  • Flexible Decision Making: Essentially crisis management planning is not about researching and planning for every possible emergency that could occur, but rather about developing the capability to react flexibly and make sensible snap decisions in the event of a crisis.
  • Practising: Rehearsing the type of teamwork that will be required during crises forms a critical component in the development of successful emergency plans.

IT Disaster Recovery

IT Disaster Recovery (DR) plans need to be tested at least once a year or whenever significant changes have been made to hardware or systems. Scheier, a writer for Computerworld [8], outlines two basic forms of DR testing:

  • Desktop walk-through testing, which involves running through a checklist of responsibilities and actions taken in the event of a disaster. This type of testing is a necessary first step that can help to detect events that could trigger the need for changes to the DR plan.
  • Live testing, the most common form of which is parallel testing, which recovers a separate set of critical applications at a disaster recovery site without interrupting the flow of regular business. The most realistic test is a full live changeover of critical systems to standby equipment during working hours. This costly form of testing is rarely used, except for the most critical of applications. Deciding how realistic testing should be involves balancing the amount of protection desired against financial costs, staff time, and tolerance to service disruptions.

Scheier advises that it should never be assumed that:

  • All will happen as planned. He suggests that communication problems need to be uncovered by having personnel contact everyone on their contact list in a drill/exercise, and that staff need to be provided with appropriate provisions for potential after-hours work.
  • Data on backup storage devices is current, or that recovery hardware will in fact cope with production databases.

Benefits of Business Continuity Planning (BCP)

As well as smoothing the recovery process in the aftermath of a disaster, BCP can add value to organisations through the following benefits, outlined by Wayne Clifton [9], director of Risk Control Services for ACE USA Risk Control Services, i.e. by:

  • Minimising financial loss and embarrassment;
  • Retaining customers following an emergency rather than having to find new ones;
  • Helping to maintain, or perhaps gain, a competitive edge by offering uninterrupted services;
  • Meeting ethical and legal obligations;
  • Identifying process inefficiencies and providing an opportunity to assess the effectiveness of the organisation's operations and processes and thereby to make improvements;
  • Identifying single points of failure and vulnerabilities;
  • Helping to maintain confidence among shareholders and customers;
  • Protecting jobs and the long term viability of the organisation;
  • Providing duplicated resources and back up functions which may also improve the efficiency of daily operations.
