If last month's terrorist attacks and security intrusions served
as a wake-up call to those charged with business continuity,
you wouldn't know it from the number of attendees at Gartner's
special town hall session on the topic. Only about 100 people
appeared; the other 6,000 Symposium/ITxpo 2001 attendees apparently
hit the snooze button.
This is a sad commentary on the impact that recent events have
had on our industry. Thousands of business and technical executives
travel hundreds or thousands of miles, each paying more than
$4,000 to attend, in order to receive strategic advice on how
to align their business and technology priorities. Yet most
of them ignored Gartner's emergency session addressing what
must now be considered any company's top priority: business
According to Gartner spokesperson Carol Wallace, the low attendance
wasn't due to lack of promotion (although the session was a
late addition to the conference schedule) or the quality of
its content. Wallace suspects that "clients were attending
sessions since eight in the morning and the sheer physical exhaustion
of the long day kept them away from the evening session."
I have to agree with Wallace's assessment. The ad-hoc town
hall meeting was indeed well-publicized, the content extremely
rich, and the topic was perhaps the most timely of all topics
covered at the event. Considering the low attendance, Wallace
said, "there was great dialogue." Indeed, there was
much practical advice from leading business continuity experts
across a variety of industries, including financial services,
government, and security.
The advice focused on four primary issues of business continuity:
outlining the various scenarios that could disrupt the business;
planning reasonable continuity measures to withstand those scenarios;
repeated scenario simulation to test those measures; and resumption
of business in the case of an actual emergency.
With respect to outlining scenarios, history has a lot to offer.
Over the past two decades, U.S. businesses have experienced
a number of extremely disruptive events, including floods in
the Midwest, riots in Los Angeles, earthquakes in California,
Hurricane Andrew in South Florida, offices destroyed by fire,
security intrusions courtesy of hackers and disgruntled employees,
and now war.
The list is by no means all-inclusive, and disaster does not discriminate
based on business size, type, or location. In other words, no
business can afford not to take at least some continuity measures.
In response to a question from a tech executive at the Public
Broadcasting System, the Gartner panel acknowledged that while
there's probably a solution for each potential scenario, not
every company has the resources to deploy costly measures such
as redundant facilities.
According to Gartner analysts, businesses typically spend between
two and six percent of their IT budgets on IT continuity. In
light of recent events, Bill Malik, the town hall's master of
ceremonies, expects disaster recovery expenditures to go up.
Research director Roberta Witty concurs, saying that "currently,
contracts with disaster recovery providers like IBM, Comdisco,
and SunGard only allow for 30 days to 6 weeks of facility duplication.
In light of recent events, customers of DRPs may have to plan
for a longer time frame." Yes, the cost will most certainly
Addressing the issue of business size, Witty and fellow research
director Donna Scott were quick to point out that regardless
of business size, a continuity plan has to start somewhere,
even if it starts with something as simple as routine backups.
Many businesses already do routine backups, which include incremental
backups each day, and full backups each week. But what happens
to those backups next is a real problem, the panel noted. Most
companies don't store the tapes off-site in a location distant
enough to prevent the original systems and the backups from
being affected by the same incident.
Scott urged attendees to revisit the scenarios in order to
fully understand what the potential impact is, and then to test
existing continuity measures to see if they're adequate. Keeping
backup tapes on-site is a continuity measure that wouldn't survive
Witty talked about other low-cost and even no-cost measures
that all businesses can afford to take. To safeguard employees,
for example, Witty suggests "working with local fire marshals
to train employees on the different ways to escape the building,
equipping people with flashlights, and putting supplies like
water and blankets in place to deal with people who may be stuck
for an extended period of time." Again, the panel
emphasized continuous scenario simulation and testing to find
the weak points in your plan.
The points resonated with me personally because Witty seemed
to be describing something that goes well beyond your basic
fire drill. I can barely remember the last time our offices
had a fire drill, let alone any more comprehensive procedure
for surviving a variety of scenarios that could impact the building
I work in.
Other no-cost measures, Witty said, include working with local
authorities to understand what your company's obligations are.
For example, in the earthquake-prone regions of California,
the state requires companies to have "earthquake kits"
available. She also discussed executive succession plans; where
possible, she suggested, executives should be succeeded by an
executive in another location. Again, scenario management reigns.
If an executive's successor is in the same location, that measure
won't survive most scenarios.
Sept. 11 is sending people back to the disaster-recovery drawing
board, however. Sue Landry, Gartner's financial services and
banking analyst, talked about how the day's events struck her
with particular poignancy. "The entire financial industry
was under attack," she said. "Because of regulations,
real-time systems such as ATMs, equity markets, and bond markets
have successful continuity plans. In each case, however, the
planning is all done within one institution. But now we have
learned that disaster can strike multiple institutions simultaneously,
a scenario that has its own ramifications."
In such a scenario, the plans of those closest to your business
-- your customers, suppliers, and even neighbors -- become relevant.
From an IT perspective, the more deeply integrated your systems
become with those of your partners -- an inevitable result of
the forthcoming Web services revolution -- the more important
it becomes for you to know what their business continuity plans
are. Landry has identified the ripple effect that a single event
can have throughout an entire industry, and the fact that few
measures are in place to accommodate such an event.
Analyst John Oborn suggested taking a closer look at service
contracts and providers. He asked, "How many companies
in your building have contracted with the same company as you,
potentially straining [the provider's] business continuity assets
[from a single event]?" Furthermore, Oborn warned that
most resumptions end up recovering less than 40 percent of a
company's critical systems. "Look at the disaster recovery
clauses and contracts," Oborn said, "and make sure they
go beyond just the operating systems and mainframe."
All that computing power ain't worth a hill-o-beans if you
have no software or data to put on it.
Speaking of software, this is one front where the whole idea
of disaster recovery and the role that software vendors play
needs to evolve. One attendee, who wants to maintain redundant
servers in a separate location on hot-standby, was upset by
the trend in licensing schemes that essentially force him to
pay for the standby copies of software.
The rules have changed, and will continue to change. Gartner
analyst French Caldwell made a recommendation that goes well
beyond preparing for a disaster. Companies, he said, need to
think about avoiding disaster altogether. Caldwell suggested
locating your business away from high-risk areas or high-risk
targets such as financial institutions and global brands. While
he didn't elaborate, I took that to mean you should locate your
company far away from Wall Street and other icons of freedom
and capitalism. Keep away from the headquarters of our biggest
brands: Coca-Cola in Atlanta, General Motors and Ford in Detroit,
Microsoft in Redmond. Or Silicon Valley. Or anywhere near a
Now that the unthinkable has been redefined, one town-hall
attendee asked about the next redefinition, and how he can prepare
for that. His chilling example? An event where an entire region
like the Northeast gets wiped out. Considering what has already
happened, the unthinkable is now thinkable.
Are you ready?