
The State of the Business Continuity Industry: A Panel Discussion

 

Source: The State of the Business Continuity Industry: A Panel Discussion, January 2002, pp. 20-24.
Reprinted with permission from Witter Publishing Corp.
Content contained on www.ContingencyPlanning.com.

by: Nicole Ross

As corporate America enters a new year, how much confidence do organizations have in their business continuity plans after the Sept. 11 attacks? CPM magazine asked distinguished members of its Editorial Advisory Board to weigh in on what new challenges businesses faced after 9/11, what new vulnerabilities they discovered, and if they are beginning to look at business continuity as an essential enterprisewide business process. The following discussion revealed that many organizations are looking to put in place more robust contingency plans and companywide programs, and that now is an opportune time for planners to put their concerns and objectives in front of upper management. This expert panel is optimistic that as business continuity continues to evolve as a discipline, organizations will come to rely on it as much as on traditional business processes.

Panel Participants from the EAB

  • Rich Corcoran is a manager of global business continuity at Eastman Kodak Company (Rochester, N.Y.)
  • Bill Rider is disaster recovery coordinator at Johns Hopkins Hospital (Baltimore, Md.)
  • Scott Ream is president of Virtual Corporation (Flanders, N.J.)
  • Brian Turley is president of Strohl Systems (King of Prussia, Pa.)
  • Anne Marie Turner is business continuity manager at Paychex Inc. (Rochester, N.Y.)

    What are some of the new challenges companies face after 9/11?

    Brian Turley, Strohl Systems: One of the biggest things that our clients faced was rethinking their relocation strategies. Many of our New York–based clients really had only imagined that [a disaster] could affect a one-block radius or one facility. They're all rethinking that obviously because they didn't really imagine a disaster would shut down all of lower Manhattan. They're looking at other facilities in New Jersey, Connecticut, New York, and even ones down in Philadelphia, as opposed to relocating within Manhattan.

    Scott Ream, Virtual Corp.: Prior to 9/11, many New York–based companies considered that a wider-impact disaster affecting all of lower Manhattan would uniformly affect everyone, and therefore wasn't worth considering. I think this was a "convenient" limitation of what should have been a more rigorous recovery strategy. Today, many lower Manhattan firms are looking at their midtown and Jersey City locations as alternate sites.

    My experience has been that while companies may be willing to devote time to having business continuity plans written, it is nearly impossible to get them to commit the resources and the time necessary to conduct truly meaningful workgroup recovery tests. Prior to 9/11, no one really believed that a catastrophic event of this magnitude would happen. It's the old "not on my watch" philosophy. It will be interesting to see over the next 12 months how robust workgroup recovery test exercises become at larger firms.

    Turley: Some of the companies we've spoken to found that some of the folks they appointed to be crisis management team leaders didn't perform the way the companies had anticipated under the stress of that situation. They're trying to reevaluate the personalities of people who make good leaders in a crisis situation.

    Bill Rider, Johns Hopkins: In the healthcare industry we're getting some additional pressure from the Health Insurance Portability and Accountability Act (HIPAA), which requires us to provide protection for patients' uniquely identifiable healthcare data. Some of the discussions that I've had recently have revolved around the privacy and security of patient information, and some of the comments I've made allude to the fact that we have to look at the potential of having to change the culture of the organization and how it views information. Something like privacy or security is not just something you impose a standard on — your culture and the way you look at protecting information is going to have to change. BCP is something that needs to be put into all business processes, not because there's a standard out there that says you have to, but because it's part of the business process. Is that a pipe dream?

    Anne Marie Turner, Paychex Inc.: No, I don't think so. I think that's a reality today in a lot of organizations. They're building BCP right into the project lifecycle, so it becomes a component of every function.

    Ream: This is what we preach. This is not a pipe dream — this is the new reality that must be achieved. There is no other practical solution. BC must become an inherent skill set that every manager in the organization knows and uses.

    Rider: I tend to agree. I think there's a lot being done within our organization now, maybe called something different, but there's a lot being done right now in terms of things like emergency response (ER) procedures. At the hospital, the phrase "ER" has a completely different meaning than it does in IT, but those actions or activities that they would implement in an emergency are just as vital. I'm talking about things like bed counts in the ER; it's just a whole different range of issues, yet it's an emergency response plan (ERP), just like ours would be if the data center went down. I think there's a lot of valuable work being done in organizations right now, and in many cases it may just be a matter of refocusing or reorganizing those efforts.

    Turley: It's funny that you mention ER; a lot of companies that we had spoken to after 9/11 had good BC programs already in place but didn't necessarily have good ERPs in place. That was the thing that stuck out the most for these companies — that they hadn't really taken the time to consider notification procedures for people's families. I think people are focusing on ER procedures a lot more than they used to. Whereas the BCPs and the IT plans were [already] in place, they didn't necessarily have solid ER plans or relocation procedures in place.

    Rich Corcoran, Eastman Kodak: That's correct. The ER plan is extremely important because what you want to do is mitigate, control, and make sure that it doesn't get any worse than it is. The response processes are more or less the same regardless of what organization you put them in. If you have that template, then you modify the template to whatever the business is that you're conducting.

    Rider: Right. I think there are a lot of organizations out there that are beginning to get the sense that they need to look for some of these templates to help them shortcut the process, because the whole time they're doing this work, the clock is still ticking.

    How do you see the heightened awareness resulting from 9/11 impacting the BC industry?

    Rider: I'd be interested in finding out, in the aftermath of 9/11, what kinds of additional pressures are being placed on the traditional disaster recovery (DR) planner. I think that the definition of a worst-case scenario has changed significantly, and organizations are starting to look beyond traditional disaster recovery planning to ER procedures, business contingency plans, and crisis management plans (CMP). As organizations look across the board at DRPs, business contingency plans, and CMPs, whether in a proactive or reactive way, they're at least looking at them. My sense is that in many, many cases, they're looking to the traditional DR planner and saying, "You've been the expert here for a few years now. Can you help us with this?" I'm curious to see if anyone is seeing any of this additional pressure placed on the DR planners.

    Turley: Yes, actually this is something we've seen a lot since 9/11. More and more of our clients are being asked to focus on enterprise continuity management (ECM) — not just IT, security, facilities, or risk management (RM), but all of those, rolling them into one enterprisewide continuity plan for their businesses. More and more, some IT and RM people are being asked about these things; it's just a matter of bringing them all together in a forum for the enterprise.

    Ream: We're seeing the development of a new organization; let's call it the threat assessment function. Several of our clients, parallel to ECM, are implementing proactive teams to identify threats and respond to events falling in the three terrorism-threat categories of biological, chemical, and nuclear. These teams are being directed by the BC professionals within the company, linked closely with the emergency planning disciplines already in place, but reaching out to new support functions across the enterprise to ensure rapid response and dissemination of information.

    Corcoran: As boards of directors — some of which are popping up after 9/11 — meet for their quarterly meetings, corporate audit boards within those organizations are asking the CEO if he or she is prepared. This is something that might have been on the back burner, but now may be coming to the forefront. Boards are going to be asking those questions to make sure they're covered from a due diligence standpoint.

    Turley: We have some customers that [make] DRP part of every single manager's yearly review. Their supervisors will sit down with the various managers and ask to see their DRPs or the BCP to determine when the most recent test was and to make sure it's really a valid plan. It's like the great motivator. It raises a lot of awareness.

    Ream: We have numerous clients who have recognized this shift and are now committed to the initial investment required to design and launch an enterprise BCM program.

    Turner: I think Rich had a good point in that it's in the boardrooms now. From our perspective, the board wants to ensure that there's a method to recover from a regional-type disaster situation. It's up to the BC planners to present the options and let the board members know what functions are critical to the business staying open, and it's up to the BC managers and the key staff to put those options together in order to meet RTOs [recovery time objectives]: Do they change if you go outside of the region? And, if you want your RTOs to remain the same, what's it going to cost?

    Corcoran: There is reduced funding. Boards know they have to do something, even if they put the rudiments of a basic structure together, appoint someone to at least identify areas of risk known to the organization, and tell whoever the decision-makers are what these risks are right now. For example: "You don't have a fully tested IT program, and it's not documented. You have a very weak vital records system. You're not actually sending the files outside. These are some things we can do that are not really cost-prohibitive and reduce risks." The risks rated second can be deferred for another year until things get better. There's a lot that can be done out there.

    Turley: I think you're right. There's a lot you can do without spending any more money in the short term. Companies are taking a look at that right now. I think they know something needs to be done. They're trying to do BCP a little more efficiently and a little smarter than they used to.

    Ream: Companies are always asked by their stockholders to do more with less, and boards of directors know this. The funding required for BCM is a blemish on the face of the financial statements. The challenge is raising senior management's awareness to the point where they see the viable solution — institutionalizing business continuity.

    Rider: There's just so much more required than just the traditional DR, such as the human and operational elements. BC is evolving into so much more, [and] requiring so much more than just mirroring, protecting, and duplicating your data.

    Ream: Certainly true. BC is not just planning. It's the development, implementation, and constant nurturing of a new enterprisewide business process, supported by a central BC function chartered to ensure its sustainability.

    What is needed in order for BC to be viewed as an enterprisewide business process? For example, do more companies need to put in place a BC manager?

    Corcoran: You absolutely have to have a BC director or manager in the organization. I'd say the primary element of the BC manager is to write policy, be an overall consultant to the business unit, provide guidance for the various programs within the company, and ensure that they're all cohesively coordinated. That means constantly dialoguing with corporate risk managers and auditors, as well as emergency management and IT infrastructure personnel, to make sure that you bring best practices and the model for that to the planning process. This keeps this process in front of the entire corporation, including senior management. There are a lot of companies that don't have the ability to devote one person to BCP. In the larger companies I see it as a necessity to have a BC coordinator or director. It's more imperative now than ever before to watch over the entire program for the corporation.

    Ream: What's needed is commitment from senior management to recognize and treat business continuity management (BCM) not just as a practice performed by a few, but rather as an enterprisewide process, wherein each manager across the enterprise has specific, accountable responsibilities. To achieve this, more is needed than just a BC manager. For small companies, a single BC professional could drive and sustain an enterprise program — for a large organization, no way. We're working with a national healthcare provider with 30 medical centers and millions of members. For them, we've designed a central department headed by a director and staffed with seven full-time BC professionals, and three additional BC consultants for the two-year nationwide launch, during which BCPs for every department at every location will be developed.

    Turley: I also think there's a comfort level in looking at the disaster recovery plan; it's something that's got some pretty finite parameters. You can put your hands around that data center. If you start getting into the BCP, you're starting to look at business processes. You're looking at the whole organization, and it's so much more complex to do. Because we've been doing information security and disaster planning for so long now, it's kind of a comfort level. I don't want to understate the DRP, but it's something that's more manageable.

    Rider: Just over the past year there's been an increased focus on establishing the corporate privacy officer (CPO). If you draw a parallel between the two industries, privacy/security and DR/BCP, one would hope that we would follow that same pattern. Whether a CPO assumes responsibility for BCP or whether there are peer positions, a CPO and a contingency officer, remains to be seen. My hope is that we begin to see that kind of evolution on the BC side, similar to privacy/security.

    Turley: Most of the Fortune 1000 companies that we see are appointing someone to be the BC coordinator. More often than ever before I'm seeing that these folks are part of the RM organization, rather than IT or anywhere else. They seem to be finding a very good fit within risk management.

    Corcoran: If you look at the special blend of background for the person, he or she needs to know how the business flows and what risks there are to the business — not necessarily a technical guru, but someone who can tap the organization's resources and understand at a high level what it needs.

    Turley: Most of the people from the RM side who are the BC coordinators would have a steering committee made up of someone from facilities, IT, and the various business processes or divisions of the company; this person would be more of a coordinator or policy maker than anything else.

    Ream: An enterprisewide BC program can be effectively implemented by first forming a leadership "Governance Council" comprised of representatives across senior management with the charter to define and drive BCM for the enterprise. From there, a BCM program needs to be developed. The emphasis should be on designing a program that is appropriately scaled for the organization. This means that the staffing, budget, planning granularity, tools made available, timeline to first-plan completion, and a host of other criteria are properly scaled to the business case for this company — that is, the funding and staffing are justified on the basis of the potential threat and business impact from disruption derived from a properly executed enterprise BIA. And finally, senior management must understand that work to build an initial set of BCPs for all critical functions is an enormous undertaking that should be treated as a launch project, carefully orchestrated with an intentional ongoing process support strategy.

    Rider: Is there a possibility of clarifying acronyms for the BC coordinator to educate senior management that there is a logical organization to BCP, whatever the industry defines that to be? For instance, we look at BCP as being the top box, and then underneath that there's a logical sequence of events: the ERP to respond to the event, the CMP to manage the event, the DRP to restore your infrastructure, and then the contingency plan, which is the business part of the process. There actually would start to form a logical organization of RM or information assurance capabilities. For our sake, as well as the rest of the industry's sake, I think that someone along the line needs to do that. I could be talking about a DRP, and the person on the other end of the line is interpreting that as something completely different. We've been struggling with this since the industry was founded; it's just that a lot of the issues are becoming a lot more visible, so people are talking a lot more about BCPs or CMPs than they were before. The need for clarification is much more severe right now.

    What is your response to companies that downplay the events of 9/11, asserting that 'it can't happen to me'?

    Corcoran: There are threats to every company, whether it be fire, water, flood, tornado, or a devastating earthquake. What companies should do is make sure they look at and understand what they have: their exposures, their BIA, and then take the lessons learned or follow the processes that they have prepared for to mitigate their risks.

    Ream: Most companies are seeing the effects of terrorism, such as the continuing anthrax scares and talks of "dirty" nuclear bombs. Today, your company doesn't have to be the target. You may simply "get in the way."

    Turley: It may not be [an event] that directly affects your organization. There may be a chemical spill in the city you're located in and everyone has to evacuate the building. There's nothing wrong with your building; it's not flooded, or on fire, or hit by a tornado, but the entire city block or city region has to evacuate, and therefore you need to enact your plan. This really could happen to anybody, beyond just terrorism.

    Then it stands to reason that if companies, operating with a heightened awareness after 9/11, revamp their plans to deal with terrorist-type events, then that also means that they're preparing for a number of other vulnerabilities.

    Turley: That's what we try to tell our clients. What you don't necessarily want to do is spend every waking moment of your day thinking about all the different catastrophes that could potentially affect your organization, and then about the probabilities of those catastrophes affecting your organization. Focus on BC planning and don't spend a lot of time focusing on where the disruptions could come from, whether it's a fire, flood, tornado, chemical spill, terrorist attack, you name it. The fact is that one day you might come to work and not be able to get in your office, or you may not be able to do business for whatever reason. You need to be prepared for that fact.

    Rider: I agree. If you start focusing on the event you're going to wind up creating plans for different events, and what you want is a more holistic plan to address any event.

    Ream: But at the ER level, you must get specific. How an organization deals with a chemical spill is very different than how it deals with a bomb scare. You don't want to invent your response plan at the time of the event. Your recovery plans can be more generalized — that is, based on a set of generalized scenarios varying from a worst-case scenario down through grades of loss of facility access to a limited number of critical service interruptions. But even here, a department that depends on telecom services needs a plan for what to do if that service is lost.
