Unexpected events can wreak havoc on business operations, but the difference between a minor disruption and a disaster can come down to the preparation and ability to deal with surprises.
The past decade has offered its share of unforeseen events - 9/11, the H1N1 flu pandemic, the Northeast blackout of 2003 in the United States, Hurricane Katrina in 2005 - all of which tested the resiliency of business operations. Smart companies used lessons from these events to build business continuity plans for use when emergencies strike. These plans focus on critical needs to return to as normal a business pace as possible. Proactive companies then review and test those plans to make sure they are operable when needed. The financial services industry is no exception.
"Testing and varying of testing scenarios is the number one lesson learned from past disasters," says John Rapa, president and chief executive officer of Tellefsen and Company, a financial services management consulting firm. "A significant business disruption or a crisis is a bad way to find out your plan does not work."
Rapa says not only has testing of primary and backup systems become standard, but potential business partners and regulators are doing more rigorous analysis that may be shared. Groups such as the Futures Industry Association (FIA), where Rapa serves as chairman of the business continuity committee, have offered common testing dates for the industry to test resiliency and preparedness. The FIA and Securities Industry and Financial Markets Association have common industry disaster recovery tests set for Oct. 23, 2010.
Rapa says "the core of business continuity planning" identifies what businesses, systems or processes are considered critical to the individual company. From there a business continuity strategy is formed that can cover everything from technology in the workplace to the death of the chief executive officer.
Kenneth Wolverton, vice president of data center operations at CyrusOne, which operates corporate co-location facilities in Houston, Dallas and Austin, says business continuity previously was focused on the technology side, but now "the people side" is receiving attention.
"It’s not just how can I back up data, but how can I take people to the new location, do they have places to shower, places to sleep if it’s an extended time," Wolverton says.
Wherever You Are
One growing trend is allowing and enabling employees to work from home in cases of emergency. Technology has allowed desktop virtualization - where employees can access their work computer from home or another remote location - to become a viable alternative. The H1N1 flu outbreak underscored the need to plan business operations when employees would be unable to enter buildings but access to systems was still possible.
The H1N1 flu pandemic also underscored how important communication is between businesses and the government. Groups like ChicagoFIRST and the Financial Services Sector Coordinating Council (FSSCC), are private-public partnerships that work on a regional and national level to help members with best practices. These partnerships are unique as they bring together firms and organizations that might normally be competitors.
Brian Tishuk, executive director for ChicagoFIRST, says one result of collaborations between firms and the local government is the Chicago Critical Infrastructure Resilience Task Force. Launched in April, the task force addresses evacuation plans, credentialing and information sharing between public and private, and private and private groups.
"It’s teaming up to know what the government’s plans are in an emergency and how firms can be part of the solution," Tishuk says.
Shawn Johnson, chair of FSSCC, says such private-public partnerships help coordinate resources during a crisis on some of the most practical matters such as simply identifying where citizens can withdraw cash. During the Texas hurricanes last year, FSSCC and the Financial Services Information Sharing and Analysis Center monitored ATM transactions to see what areas had power and which ATMs were able to dispense money to get funds distributed.
One concern about events like the H1N1 pandemic is that Internet access in areas outside a business district can be less than robust. There are generally fewer fiber optic lines in residential areas where someone telecommuting could be competing for bandwidth with a neighbor downloading a movie. That can slow down Internet access and become an issue if telecommuting workers have to share bandwidth with non-business users during an emergency.
"You can’t perform critical business operations if you’re not real time," Tishuk says.
ChicagoFIRST advocates priority business access for the Internet in cases of national crisis. There already are priorities for telephone and wireless access, but such priorities are needed for the Internet. Rules on the topic still need to be worked out between the Department of Homeland Security and the Federal Communications Commission. But that is yet to be reconciled with the current idea of "net neutrality" which provides everyone equal access to the Internet.
"Yes there should be net neutrality," Tishuk says. "In the case of cyber attacks, there’s a desire to have a ’kill switch’ to the Internet. We simply want a priority switch during emergencies."
Finding Security
Because the Internet has become such a part of everyday life, cyber security has become a greater part of resiliency programs, experts say. Whether it is as simple as a "phishing" scam to someone trying to shut down systems, cyber threats have become much more visible.
Johnson says FSSCC has looked at threats from cyber space and is working to improve intelligence sharing with the federal government. One FSSCC study highlighted the threat from undersea communication cables to the international financial system. The organization has also been asked for input on a bill sponsored by U.S. Senator Joe Lieberman called "Protecting Cyberspace as a National Asset Act of 2010," which focuses on how it would affect finance. This bill suggests establishing a director of cyber security and a private-public partnership to set national cyber security priorities and defenses.
The poor economy could cause some business to look warily at costs, Wolverton says, but so far that does not seem to be the case. The more proactive firms tell their investors that they have infrastructure in place to avoid a significant business disruption during a crisis or disaster.
"Yes, Godzilla might not rise from Lake Michigan, but who would have thought planes would fly into buildings?" Rapa says. "People may say it never will happen, but never is a long time."
Another intangible asset that is a part of business continuity plans: image and reputation. The BP oil spill is the most prominent recent example of not being properly prepared and is a cautionary tale for companies. "What’s the PR loss, especially if you’re a public company?" Wolverton asks. "The public is now asking, ’why didn’t you have that put in place?’"
