Facing today's challenges

A dozen years ago, the struggle against unplanned downtime was like the Cold War-our enemies were formidable, but we knew exactly where to find them. Hurricanes, tornadoes, fires, floods and earthquakes were the evil empires. Today, not only is the threat of natural disaster still with us, but it

Reliance and Vulnerability

These new threats are the direct result of our increasing dependence on computers. Most of the U.S. economic gains in the last decade were made possible because of the increased productivity resulting from technology. The most obvious of these developments-the Internet-provides the unprecedented power to reach millions of people instantaneously, forever changing the face of business.

When employees and customers depend on uninterrupted access to mission-critical data, the consequences of downtime are magnified. So is the cost. Today, one hour of network downtime can cost, as one CFO puts it, "Eight million dollars of commerce that didn't happen."

The Internet has fundamentally changed customers' expectations about convenience, speed, comparability, price and service and increased business' dependence on information. Consider an online ticket broker. If concert tickets go on sale and its online service goes down, it could lose half a million dollars an hour in lost revenue. In the financial world a retail brokerage firm could lose hundreds of millions of dollars in an hour if it cannot execute trades. Less obvious but equally critical failure points are Web-based applications that drive supply chain communications and enterprise resource management applications. For many businesses, the competition is only a click away.

Not surprisingly, the recovery window has been contracting, reaching a point where it is effectively closed. And as the recovery time needs compress, the definition of disaster expands.

New Threats

What used to constitute a mere disruption now constitutes a disaster. The list of potential disasters is long: faulty software in routers and switches; increased bandwidth traffic that crashes servers; configuration problems; power failures; a dual failure in a redundant system; a network design flaw; quirky third-party software; major telecommunications outages; an improperly grounded data cabinet; a database corruption; telecommunications outages; and denial-of-service and other hacking-related outages. And then there is the human factor--computers do not make errors; people do, with dismaying regularity.

New Answers

Fortunately, companies are not defenseless. The variety of new problems is matched only by the variety of solutions. There are several areas to consider:

Planning

* Do you have applications and systems that cannot offord any downtime?

* Are you required by law to provide the highest, most secure levels of data availability?

* Do you need multiple layers of recovery built into your data-protection solution?

Co-location: When budgets do not allow you to build your own data center, use a vendor-provided secure facility to house critical-production Web servers and network and telecommunications switches.

Internet Connections: Unreliable Internet connections can cost millions of dollars each year due to local area network downtime. Companies can contract with a second Internet service provider, which in the event of an extended outage can be used to re-establish critical Web hosts, e-mail, customer support and other Internet-related functions.

Dedicated Network: The call that transmits your mission-critical data looks no different from the call that transmits someone else's grocery list. But businesses can bypass high traffic on local lines by buying a dedicated circuit or on-demand access to a private network.

Storage: Ensuring instant access to data is one of the keys to high availability. Mirroring creates a seamless, virtual extension of your enterprise.

Web Hosting: For companies without the resources to self-host, third-party web-hosting services present a complete and cost-effective Internet business solution.

100 Percent Uptime

Do we really need to close the recovery window? In today's world where information is power and access to information is critical for business survival, the answer is an emphatic yes. More people need more access to more information more quickly than ever before. Business today cannot lose ground due to a disaster, however disaster is defined. sooner than expected, what actions should our firm take?

* If demand for our product exceeds plans, what actions should our firm take to meet the higher demand?

* If certain disasters occur, such as loss of computer capabilities, a hostile takeover attempt, loss of patent protection or destruction of manufacturing facilities due to earthquakes, tornadoes or hurricanes, what actions should our firm take?

* If our sales objectives are not reached, what actions should our firm take to avoid profit losses?

* If a major competitor withdraws from a particular market, what actions should our firm take?

Whether they pose an opportunity or a threat for a company, addressing these issues allows an organization to react quickly and effectively.

Involved

The preparation of focused and practical contingency plans requires the help of all those involved in an organization. Managers as well as employees should take part in identifying the key processes and operations that are necessary to ensure long-term organizational survival.

When Martoza was developing the new safety awareness program for Amazon.com nine months ago, she involved the safety wardens. "A lot of them noticed improvements that needed to be made." She also learned from the earthquake the importance of taking stock of employee ability. She discovered that one employee was a former government worker who knew how to tag buildings; another was an ex-emergency medical technician. "People were coming forward who had skills that I was amazed with," she says. Martoza realized soon after the event how useful it would be to have a listing of which staff members possess such abilities.

Employees and managers also know best which resources they need to perform their jobs and the possible steps they would take in order to replace these resources if a catastrophe were to occur. Involving them ahead of time in the planning stage could be a critical ingredient in keeping the organization operating if normal activities and facilities become unavailable or impaired during a disaster.

"When we put our disaster recovery plan together, we arranged to have secondary vendors," says Tom Cochran, president and owner of Cochran and Co., a managing general agent operating in the northwest United States. "Otherwise, if these vendors have had no contact with you, and now they're swamped [after a disaster hits the area], you're not going to get served."

"The misnomer is, `It's free until you use it,"' Martoza says regarding the prearrangement she made with BMS Catastrophe. "If we had any water or smoke, we needed to get it cleaned up immediately. We needed a company that specialized in doing that to come in quickly. Since we prenegotiated a contract, we were first on the list."

Depending on the number of contingent events that a firm chooses to identify, the necessary time required to successfully prepare and evaluate a contingency plan may vary. The process could require months and even years of ongoing planning. But if the planning process becomes too intensive, the plan itself may not work, according to Hulsebusch. "It actually restricts you a little bit," he says. "I've seen failures where somebody has responded to a disaster, and they've spent so much of their time putting together a response and recovery plan, and so much of their time administering that plan, that they actually fall short in getting things done."

The key, Hulsebusch says, is keeping things flexible so that the plan "gets things started." This requires continuous updating and evaluating, as conditions change, including personnel, technology or essential business operations. A coordinated team with members from different departments can address this by interacting with employees and keeping up with the changes that may need to be considered in a previously planned contingency.

The planning process can be frustrating, expensive and overwhelming. The low probability associated with certain events impedes the planning process. Determining where to draw the line on the likelihood of an event occurring is one of the most important and most difficult aspects of the process.

The Seven-Step Process

A straightforward approach to contingency planning was proposed by Robert Linneman and Rajan Chandran, who described a seven-step process in Managerial Planning.

1. Identify both beneficial and unfavorable events. Whether considering higher-than-forecasted interest rates or the death of a key executive in the organization, this is when the firm brainstorms about the worst-case scenarios, including events that may not be immediately obvious.

"Hurricanes get the major press," says Don DeMarco, global director for IBM Business Continuity and Recovery Services based in Sterling Forest, New York. "They cause people to sit back and wonder if their protection is there. But things like information security and performance issues in the e-business frame are far more important when compared to the probability of a lightening storm taking out your Web site."

Companies may also fail to realize the extent to which their liability extends. "Take the chemical industry," says Hulsebusch. "They understand their exposure where they have big manufacturing plants, but they don't look at where they have pipelines or where they are shipping product. For example, if they have a product at a railhead that they are liable for and they have a release somewhere, what happens? People tend to get complacent with thinking they've got the big pieces covered, and actually, the hardest part is responding to some of those unique, smaller needs."

2. Specify trigger points. Trigger points are the instances when a risk should be reviewed and when the contingent actions should be activated. Calculate when risk events are likely to occur, expanding the definition of disaster. *

"What's a disaster?" asks Hulsebusch. "To a small business owner, it's the person that's supposed to open up in the morning not showing up. To the conglomerate, it's having a great fire loss in a large complex. People tend to focus on the physical and not the incidental damages. They don't understand that when they can't make widgets, their customers are going to find someone else that can."

3. Assess the impact and estimate the potential benefit or harm. Consider the occurrence of the critical event and the actions that should follow in order to offset or deal with the present situation.

For example, during Hurricane Floyd in 1999, DeMarco was in Florida trying to get home. "When I got on 1-4 [heading to Tampa Bay] it was a logjam of people with pillows and dogs," he says. "These are companies' employees. Just because the businesses' systems have been reconstituted doesn't mean that the people you need to run them are there. They're boarding up the windows. Or in Canada [during the recent ice storms], they were stoking the fire because their families were cold and the power was out." There needs to be an understanding of how the technical aspects of the business link with its people, he says.

4. Develop contingency plans. Contingency plans should be compatible with the firm's current strategy and at the same time be economically feasible. Plans should be kept simple so they can be easily referred to and understood by anyone in the organization. Clear communication is vital in this step because the contingency plan is implemented during a time of distraction.

"People tend to plan sometimes and lose sight of goals and objectives," says Hulsebusch. "They can set those when they write the plan, but they have to be adjusted the day a disaster occurs."

It is also important that organizations anticipate the likelihood of operational inefficiencies and associated added costs during this time. Although a firm may think that it has considered every aspect of the contingency, things rarely work out as expected. Harold Anderson, president of Kenneth I. Toby, a managing general agency in Seattle, calmly handled some unexpected needs during the recent earthquake. "You never know how anybody is going to take [a disaster]," he says. "I spent a good thirty minutes under a desk talking to two employees who were absolutely hysterical. The only thing you could do was get under the desk with them, and sit there and talk and try to get them calmed down."

5. Assess the counterimpact. Estimate how much each plan will capitalize on or reduce the associated situation. Doing so will help relate a quantifiable value to each contingency plan and will assist in strengthening the planning process. This will bring to the surface items that may have been left out in prior planning of contingencies.

A major cruise line, for example, contracted with IBM to provide scripts for its customer service line if the cruise line system was to go down. During a hurricane, customers were routed to an IBM location and IBM staff answered the calls. "So at least they didn't lose the sell," says DeMarco. "They calculated this to be anywhere from eight to ten million dollars worth of revenue protection because they know that when a client calls them, and they go on a cruise, they tend to come back."

6. Determine and monitor early warning signals. Develop advanced action plans to take advantage of the available lead time.

Of course, relying solely on specific measures does may not always lead you to make the right decision. For example, many companies in New York City went into disaster mode when the blizzard-that-was-not was strolling up the eastern seaboard this past March. Sometimes, though, being a little cautious cannot hurt. "If the storm goes around you, and nothing happens, it's an expense you've incurred and it's just a preventive measure," says Rogan. "But if you don't and the storm does hit . . ."

7. Communicate and rehearse. Once a contingency program has been developed, it is then important to inform all members of the organization of their roles and responsibilities in the plan. "A lot of the time you find risk management working within a vacuum," says Hulsebusch. "Does the plan actually get communicated out so the recovery effort extends throughout the organization?"

"[Also,] if you don't have a way to communicate," says Cochran, "you're cut off. [Although] with e-mail now, it becomes much easier. When the earthquake was going on, we couldn't call through [to Seattle] because everybody was calling. But we were able to e-mail back and forth."

Individual departments and operating units should also practice exercise drills dealing with the backup plans. This could assist in identifying any unknown shortcomings within the contingency program in time to make the necessary changes.

In the End

Too often, a good business contingency plan is not top-of-the-mind until after a problem occurs.

This common sentiment has lingered in the risk management field. "It wasn't an awful lot of years ago that this was an unheard of practice," says Hulsebusch. Although the year 2000 scare brought contingency planning its fifteen minutes of fame, the largely nonevent seems to have deflated the sudden corporate interest. And even with the attention it brought information technology departments, DeMarco insists that there are still contingency-bashful companies out there, led by executives with little understanding of information-based risks.

Of course, who would not drag their feet over the prospect of implementing a comprehensive analysis and response system? It is a daunting task.

The importance of contingency planning, according to David, however, is not limited to just resurrection from gloom. By utilizing contingency planning, he writes in Concepts of Strategic Management, organizations can minimize threats while at the same time capitalize on opportunities, thus improving their overall competitive position.

As part of the strategy evaluation procedure, contingency plans should be developed to assist the company in forecasting and attempting to predict the occurrence of future events, both good and bad, that could have profound effects on the organization. As business strategies are selected, and others are discarded, companies can use these alternatives as contingency plans in the event that the chosen strategy does not work.

The greatest challenge in contingency planning may be attaining the crucial support and initiative of top management. Many risk managers find this hard to come by until a disturbing event strikes. Perhaps these executives should take a lesson from some of their elite colleagues.

Bill Gates was at the Westin Hotel in Seattle on February 28, demonstrating Microsoft's new Windows XP system to a group of computer professionals when the earthquake struck. As the audience rushed in loud panic for the doors, beneath swaying chandeliers and falling ceiling tiles, the chief executive officer calmly walked off the stage. "Were you scared?" asked an audience member. "No," replied Gates, unperturbed for his own safety or any immediate peril to his technological empire. Every executive should feel this secure in his or her company's preparedness when disaster strikes.