Business Continuity Planning: Critical Element in Year 2000 Success
Unisphere recently had the opportunity to discuss current Year 2000 issues with Susan Thomas, who is the Director of the Unisys Worldwide TEAM2000 Program. She has more than 17 years of experience in the IT industry, providing clients with consulting and services in the application of technology to business problems. In this interview, she brings a broad industry perspective gained from working with clients and industry groups around the globe.
Unisphere:
There is little more than a year to go to the Year 2000 date change. Where should renovation projects be at this time?
Thomas: Within the U.S., most companies’ Year 2000 projects are at the tail end of the renovation stage, with many organizations well into or through testing. Those companies that are most advanced have also completed their assessments of non-IT areas, such as embedded systems, and are moving forward into Business Continuity Planning.
Unisphere:
If an organization is not there, what should be done?
Thomas: The size of the IT application portfolio will dictate how much resource and effort a company will have to expend in order to catch up to their peer group in the industry. The average Year 2000 project takes 24 months so, with less than 14 calendar months remaining, accelerated effort is required.
Unisphere:
We’re starting to hear a lot about Business Continuity Planning. What exactly is it?
Thomas: Business Continuity Planning is the planning process an organization undertakes to protect its critical business operations in the event of an unexpected failure or business disruption. Natural disasters, labor strikes and interrupted utility service are the most common types of disruptions that companies plan for. Within the context of Year 2000, organizations have to plan for a full range of threats that may disrupt normal operations.
Unisphere:
Business continuity planning is required in the financial services industry. Why should those outside that industry consider such planning?
Thomas: Although organizations throughout the world are racing to ensure Year 2000 compliance of their technology, all remain vulnerable to disruption due to Year 2000 problems. We must anticipate that some things will be overlooked, ignored, or not completed on time. The risk of failure is not limited to the organization’s internal information systems. Most organizations today depend on information, suppliers and services from external business partners. Because of this, there are many facets of Year 2000 beyond an organization’s control and it is most likely that a Year 2000 disruption will be caused by an external source rather than an internal one. If there is a single weak link in the chain of critical dependencies, even the most successful Year 2000 program will fail to protect against major disruption of business operations.
Unisphere:
What is the difference between Business Continuity Planning and disaster recovery?
Thomas: Business Continuity for Year 2000 is quite different than planning for a natural disaster, such as a tornado or fire. In a disaster scenario, the focus of the recovery is to move operations and IT services to an alternate location that "replicates" the environment. An example of this would be moving to an off-site or backup data center. With a Year 2000-caused impact, the recovery scenario requires some form of an alternate course of action or corrective measures. For example, if you have a Cisco network router that fails because of Year 2000, you don’t go to a backup Cisco router, as it too will be susceptible to the same error or malfunction. In this scenario, you need to find alternate hardware or some other means to work around the failure. It’s a different type of problem that requires a very different solution.
Unisphere:
What are the key steps to successful Business Continuity Planning?
Thomas: The process begins with a Business Impact Assessment that examines business processes and ranks their criticality to the business. The next step is to map the dependent technologies, suppliers, interfaces and functions that support the business processes. A risk assessment determines the likelihood of potential threats and calculates the financial, health and safety consequences in the event that a disruption occurs. This information is used to establish priorities and to set a course for risk mitigation and management. Contingency plans, response plans and recovery plans are then constructed for each critical area of identified risk.
Unisphere:
What needs to be done after the plan is made?
Thomas: A key element of the business continuity process is the testing or rehearsal of the plan. It is critical that designated personnel be properly trained on the procedures that they will be expected to perform in the event of an emergency.
Unisphere:
What are some of the lessons learned from those who have developed a Business Continuity Plan?
Thomas: Developing Business Continuity Plans involves key people from every department in the organization. It cannot be done effectively in isolation. One of the lessons that we have learned in conducting BCP projects is to keep the facilitated sessions with the business unit experts interesting, lively and motivational for them to stay involved and engaged in the session. Another tip is to build on existing business process information that may already exist in the organization. Frequently, this information is available in Disaster Recovery Plans. But be careful to not fall into the trap of just dusting off the Disaster Recovery Plan and calling it your Year 2000 BCP. These plans address two different problems and require different solutions.
Unisphere:
What are the advantages of having a Business Continuity Planning consultant?
Thomas: Consultants can play a vital role by bringing an established Business Continuity Planning process that delivers predictable results. This helps organizations to get the BCP effort underway quickly and keeps them on track throughout the process. In certain situations, regulators, like the Federal Reserve Bank, are encouraging banks to seek outside, independent help to review Business Continuity Plans and processes. Consultants can provide an unbiased, fresh perspective, which can be beneficial in determining priorities and courses of action.