Is your business ready for the worst?

If last month's terrorist attacks and security intrusions served as a wake-up call to those charged with business continuity, you wouldn't know it from the number of attendees at Gartner's special town hall session on the topic. Only about 100 people appeared; the other 6,000 Symposium/ITxpo 2001 attendees apparently hit the snooze button.

This is a sad commentary on the impact that recent events have had on our industry. Thousands of business and technical executives travel hundreds or thousands of miles, each paying more than $4,000 to attend, in order to receive strategic advice on how to align their business and technology priorities. Yet most of them ignored Gartner's emergency session addressing what must now be considered any company's top priority: business continuity.

According to Gartner spokesperson Carol Wallace, the low attendance wasn't due to lack of promotion (although the session was a late addition to the conference schedule) or the quality of its content. Wallace suspects that "clients were attending sessions since eight in the morning and the sheer physical exhaustion of the long day kept them away from the evening session."

I have to agree with Wallace's assessment. The ad-hoc town hall meeting was indeed well-publicized, the content extremely rich, and the topic was perhaps the most timely of all topics covered at the event. Considering the low attendance, Wallace said, "there was great dialogue." Indeed, there was much practical advice from leading business continuity experts across a variety of industries, including financial services, government, and security.

The advice focused on four primary issues of business continuity: outlining the various scenarios that could disrupt the business; planning reasonable continuity measures to withstand those scenarios; repeated scenario simulation to test those measures; and resumption of business in the case of an actual emergency.

With respect to outlining scenarios, history has a lot to offer. Over the past two decades, U.S. businesses have experienced a number of extremely disruptive events, including floods in the Midwest, riots in Los Angeles, earthquakes in California, Hurricane Andrew in South Florida, offices destroyed by fire, security intrusions courtesy of hackers and disgruntled employees, and now war.

The list is by no means inclusive, and disaster does not discriminate based on business size, type, or location. In other words, no business can afford not to take at least some continuity measures. In response to a question from a tech executive at the Public Broadcasting System, the Gartner panel acknowledged that while there's a probably a solution for each potential scenario, not every company has the resources to deploy costly measures such as redundant facilities.

According Gartner analysts, businesses typically spend between two and six percent of their IT budgets on IT continuity. In light of recent events, Bill Malik, the town hall's master of ceremonies, expects disaster recovery expenditures to go up. Research director Roberta Witty concurs, saying that "currently, contracts with disaster recovery providers like IBM, Comdisco, and Sunguard only allow for 30 days to 6 weeks of facility duplication. In light of recent events, customers of DRPs may have to plan for a longer time frame." Yes, the cost will most certainly go up.

Addressing the issue of business size, Witty and fellow research director Donna Scott were quick to point out that regardless of business size, a continuity plan has to start somewhere, even if it starts with something as simple as routine backups. Many businesses already do routine backups, which include incremental backups each day, and full backups each week. But what happens to those backups next is a real problem, the panel noted. Most companies don't store the tapes off-site in a location distant enough to prevent the original systems and the backups from being affected by the same incident.

Scott urged attendees to revisit the scenarios in order to fully understand what the potential impact is, and then to test existing continuity measures to see if they're adequate. Keeping backup tapes on-site is a continuity measure that wouldn't survive most scenarios.

Witty talked about other low-cost and even no-cost measures that all businesses can afford to take. To safeguard employees, for example, Witty suggests "working with local fire marshals to train employees on the different ways to escape the building, equipping people with flashlights, and putting supplies like water and blankets in place to deal with people who may be stuck for an extended time period of time." Again, the panel emphasized continuous scenario simulation and testing to find the weak points in your plan.

The points resonated with me personally because Witty seemed to be describing something that goes well beyond your basic fire drill. I can barely remember the last time our offices had a fire drill, let alone any more comprehensive procedure for surviving a variety of scenarios that could impact the building I work in.

Other no-cost measures, Witty said, include working with local authorities to understand what your company's obligations are. For example, in the earthquake-prone regions of California, the state requires companies to have "earthquake kits" available. She also discussed executive succession plans; where possible, she suggested, executives should be succeeded by an executive in another location. Again, scenario management reigns. If an executive's successor is in the same location, that measure won't survive most scenarios.

Sept. 11 is sending people back to the disaster-recovery drawing board, however. Sue Landry, Gartner's financial services and banking analyst, talked about how the day's events struck her with particular poignancy. "The entire financial industry was under attack," she said. "Because of regulations, real-time systems such as ATMs, equity markets, and bond markets have successful continuity plans. In each case, however, the planning is all done within one institution. But now we have learned that disaster can strike multiple institutions simultaneously, a scenario that has its own ramifications."

In such a scenario, the plans of those closest to your business -- your customers, suppliers, and even neighbors -- become relevant. From an IT perspective, the more deeply integrated your systems become with those of your partners -- an inevitable result of the forthcoming Web services revolution -- the more important it becomes for you to know what their business continuity plans are. Landry has identified the ripple effect that a single event can have throughout an entire industry, and the fact that few measures are in place to accommodate such an event.

Analyst John Oborn suggested taking a closer look at service contracts and providers. He asked, "How many companies in your building have contracted with the same company as you, potentially straining [the provider's] business continuity assets [from a single event]?" Furthermore, Oborn warned that most resumptions end up recovering less than 40 percent of a company's critical systems. "Look at the disaster recovery clauses and contracts, Oborn said, "and make sure they go beyond just the operating systems and mainframe."

All that computing power ain't worth a hill-o-beans if you have no software or data to put on it.

Speaking of software, this is one front where the whole idea of disaster recovery and the role that software vendors play needs to evolve. One attendee, who wants to maintain redundant servers in a separate location on hot-standby, was upset by the trend in licensing schemes that essentially force him to pay for the standby copies of software.

The rules have changed, and will continue to change. Gartner analyst French Caldwell made a recommendation that goes well beyond preparing for a disaster. Companies, he said, need to think about avoiding disaster altogether. Caldwell suggested locating your business away from high-risk areas or high-risk targets such as financial institutions and global brands. While he didn't elaborate, I took that to mean you should locate your company far away from Wall Street and other icons of freedom and capitalism. Keep away from the headquarters of our biggest brands: Coca-Cola in Atlanta, General Motors and Ford in Detroit, Microsoft in Redmond. Or Silicon Valley. Or anywhere near a faultline.

Now that the unthinkable has been redefined, one town-hall attendee asked about the next redefinition, and how he can prepare for that. His chilling example? An event where an entire region like the Northeast gets wiped out. Considering what has already happened, the unthinkable is now thinkable.

Are you ready?