Business Continuity Management in Large Global Corporations

I.T. Business Continuity Management in Large Global Corporations: Insights, issues and recommendations

By Saahil Goel, Student, Katz Graduate School of Business Dr. Brian Butler, Head – MIS Department, Katz Graduate School of Business December 10, 2008

Executive Summary

Contents Executive Summary

2

The Issue, context and motivation3

The Position and Perspective

6

Recommendations

9

References

14

B

usiness Continuity Management is defined as “the complete set of activities and processes divided into various stages that are necessary to manage business continuity. Anticipating Incidents which may affect critical business functions and processes and ensuring that the organization is capable of responding to such incidents in a planned and rehearsed manner”i. Post terrorist strikes on September 11, 2001 most corporations have realized the importance of Business Continuity Planning and Disaster Recovery – both from operational and information systems perspectives. Many companies could not survive the terrorist attacks of 9/11 and ceased due to poor or no business continuity planning (BCP). Similarly, the difference between survival and extinction of companies post the Katrina Hurricane was also dependent on solid BCP and Disaster Recovery (DR) Management. In today’s corporate landscape, almost all companies have some form of BCP and DR activities going on – some to a greater or lesser extent. The complexity associated with BCDR planning increases with the size of a company, complexity of processes, geographical span, variety of information systems and corporate organizational structure. In general, the larger a company is (by turnover and employee strength), the more strenuous is the BCDR effort. Also, the longer a company has been in existence also affects the complexity associated

December 10, 2008

with BCDR planning as it can mean re-work: to first bulldoze the existing structure and then re-build the new structure. The matter being discussed in this paper tackles the issues that large corporations face with respect to business continuity and disaster recovery that are global in nature. Since being a global company brings along with it a host of considerations such as local law, cultural understanding, deployment of I.T. systems, and value to business, size of international market – there is no single way to manage BCDR for such a company. This paper describes some of these issues more in depth, discusses the current body of knowledge available and then makes recommendations.

The Issue, context and motivation

T

here is a drop in investment towards BCDR by companies to begin with as it is not considered a critical piece of the I.T. infrastructure by most CIO’sii. There is a lot of information available around the “nonacceptance of BCDR” as a core piece of a company’s IT and operational infrastructure. Several reasons related to general topics such as unjustifiable return on investment, not enough awareness amongst management and perceptual issues about alignment with business goals make this a difficult initiative to SUCCESSFULLY implement for any company. However, it is even harder to implement for 1) companies that are extremely large in size and 2) companies that are global in nature. These two criteria – large and global – make implementation of such an initiative difficult even when the need to do so is understood by top management, when perceptions are correct about the return on investments into BCDR activities. It is important for global companies to be prepared for disaster at any cost because of the myriad levels of risk that they are opened up to the moment they go global. While being in the United States alone, a company may be subject to risks such as hurricanes, tornados, IT infrastructure outage, fire, flood and power outages. But in the global arena, there are other risks such as terrorist attacks, bombings, sabotage, political instability, loss of connectivity, war, etc. These factors

Page 3 of 14

make it crucial for businesses to plan for operational continuity and technology continuity in case of emergencies. It is also important for global companies to be fully prepared with BCDR planning because local laws mandate this. For example, there are specific laws in place in Canada and United Kingdom that require certain kinds of companies to have business continuity plans. Global business continuity planning can also help a company map all of its IT processes and therefore gain a better understanding of their operations and eliminate unnecessary bottlenecks in the process. It also helps IT operations to function more smoothly by bringing about awareness of their entire IT infrastructure. In some cases, it may even enable huge cost savings by identifying redundancy of IT systems that is not required or might reveal over-allocation of resources on nonbusiness critical areas of a corporation. Another primary reason why all companies – global and domestic alike are scrambling to have BCDR planning under control is due to an announcement by S&P to incorporate Enterprise Risk Management (which includes Business Continuity Planning and Disaster Recovery) in their ratings of public companiesiii. What this means for organizations is that unless their BCDR planning is under-control, external assessment by S&P backed consultants could mean a poor public image, lower ratings and hence a lower stock price. Looking at it this way makes it

everybody’s business to engage in BCDR planning. Fundamentally, the issue with management of BCDR in large and global corporations is difficult because of the basic underlying organizational structure, politics and the sheer momentum required getting such an initiative going. Most companies that are fairly large in size (greater than $25B a year) have grown by inorganic growth – i.e. by acquisitions of companies both at home and abroad. This leads to a mix of several IT platforms, organizational cultures, suborganizational motivations, political postures and business priorities. To be able to run a BCDR project at a global level means being able to obtain “buyin” from all leaders in international markets and also being able to motivate and monitor BCDR planning in local countries. In addition to softer issues, there are implementation issues of actual identification of all global processes and IT infrastructure across the globe. For some large companies, the total number of processes could be as large as 5000, while IT infrastructure could span thousands of servers across different data centers! Different system dependencies also make it difficult to analyze which infrastructural and procedural components are the most critical for business. While “selling” the concept may be easy to some international markets, it may be equally hard to do so in other markets because of the different cultural perspectives that people bring with them. Also, there may be different

Page 4 of 14

remedial measures available in different countries, which is impossible for any ONE country to know – therefore without doubt there needs to be involvement from local counterparts in international markets, which means they need to share similar vision and the same kind of motivation being shared by the center driving the BCDR project. This is usually hard because of the physical distances between markets and lack of interaction between employees in large global organizations. Ownership and responsibility of maintenance also become pressing issues the larger and more globally spread and organization becomes. Repercussions of lack of BCDR may also be different for different countries – or perceptually different. This is because the more business a country or market brings in, the more it has to lose in case of a disaster. Therefore, a “graded” business continuity management system needs to be implemented. A one-sizefits-all approach cannot be used because different markets will have different requirements of preparedness. At the same time, however, there needs to be an interlinked and a SINGLE corporate business continuity plan (as a whole) for an organization for it to be exercisable and auditable.

by department, by processes, by business criticality, etc. It all depends on “what works for a company”. Therefore, there needs to be deep understanding of what drives a company and where the most revenue is generated. There also needs to be a keen understanding of which areas of a business would be most affected and the varying effect (or hit they would take) of different kinds of systems outages or natural disasters. Even if one is successful in bringing about awareness of Business Continuity Management in a global organization, there is also no simple way around the sustenance of this awareness. A business continuity plan that is out of date is as good as not having one. How can global companies exercise their business continuity plans to ensure that they are up to date and they work?

To make the problem worse, there are various ways of going about BCDR planning and no one approach is benchmarked as the industry standard. BCDR can be approached

Page 5 of 14

The Position and Perspective

W

hile there is a host of information available on how to go about implementing a robust business continuity plan in a company, very little information talks about the global perspective that this paper discusses. Also, there is not enough discussion about how to manage business continuity specifically in large organizations. In general business journals (such as WSJ) very high-level considerations are discussed such as the cost of a power-outage to companies and the sad current state of affairs with respect to preparednessiv. Even though WSJ’s main offices were destroyed in the 9/11 terrorist attack and they were left with makeshift offices and a somewhat half-baked business continuity plan. While WSJ takes a very macro approach to the problem, Business Week in an article still describes the “steps to effective business continuity planning”v. The article describes that companies should consider wider possible down-time scenarios (causes) and urges top management to understand the impact of an outage on the bottom line of the company. If one is able to make that correlation it is an easier sell within the company. It also describes in a nutshell what other factors a business continuity plan entails – for example, identification of personnel,

processes, IT infrastructure, planning and testing of the business continuity plan and investigation of advanced technologies. The article is geared more towards informing a layman (or top management executive, that are not well versed with the intricacies of BCDR management) about the advantages and the intricacies of a business continuity planning initiative and is not necessarily geared towards discussion of specific application of this topic. In more IT-specific publications, the value of Business Continuity to business is described and considered. For example, as described in the article “Business Continuity: To Err Is Human, To Plan Is Divine” in Information Week, Larry Greenemeier describes that 80% of IT outages are caused not by natural disasters but by human errors and the lack of well-prepared business continuity plansvi. The cause for downtime could range anywhere from simple changes (such as patch installations on servers) or more complicated changes (such as application code release deployments) on the production environments. If there is no business continuity plan on how to respond in case something goes wrong, there could be significant downtimes experienced by the IT organization and business users leading to loss of revenue and lower productivity for the company. The article also describes the added layer of complexity that is brought about in virtualized environments. In the author’s words, a virtual environment takes “you one step away from understanding how change will affect

Page 6 of 14

your apps and environment”. The article further goes on to highlight that not all companies see business continuity as a top initiative and that other issues take priority. However, there is no discussion on how to manage business continuity especially on a global scale. However, in another Information Week article, Eric Chabrow and Martin J. Garvey discuss why a company-wide approach at businesscontinuity and disaster-recovery are becoming crucial to some companiesvii. This article describes some steps necessary to achieve BCDR preparedness on a global level. Also is described that only 64% of companies extend efforts throughout the company owing to the costs involved and the complexity in doing so. Lack of collaboration between IT and business or political-blamegaming is also described as a prime reason for non-initiation or failure of business continuity planning. There are many companies that are serious about Global BCDR as well. For example, Merrill Lynch & Co. created a business post-director of global contingency planning to oversee business continuity across the globe for ML’s international markets. The way ML has approached the problem is by “implementing a strong technical program, a strong business program, and a strong crisismanagement program”. Also ML has achieved this because they have “a mix of technical, security, facilitymanagement, and business people, and everyone talks to one another”.

This is in consistence with information in the CIO article “ABC: An Introduction to Business Continuity and Disaster Recovery Planning”viii. In addition to concurrence with the information described by the Information Week article, this article describes a section of the business continuity plan for a global manufacturing organization. “For example, the plan at one global manufacturing company would restore critical mainframes with vital data at a backup site within four to six days of a disruptive event, obtain a mobile PBX unit with 3,000 telephones within two days, recover the company's 1,000-plus LANs in order of business need, and set up a temporary call center for 100 agents at a nearby training facility”. The important thing to note is that in the described circumstances, it is being assumed that perfect knowledge about what is needed to bring the company back on track (or at least to operate in “safe-mode”) is known – however, in most large global organizations that have NO experience with BCDR, the first step and one of the most difficult and complex steps is to actually identify what areas of the business need to be recovered the earliest (as per the “Recovery Time Objective” concept). In general, there is a lot of information available on BCDR frameworks by several vendors in the market explaining their approach to managing Business Continuity in an enterprise. Vendors also offer software systems to manage business continuity plans (for example: Strohl Systems offers a software called LDRPS – Living Disaster Recovery Planning System)

Page 7 of 14

that can considerably help improve global business continuity planning. But again, there are several vendors available with variations of such products. Also commonly available are “templates” which can be customized as per a particular company’s need to create business continuity plans. However, these may not suffice for companies of all sizes and of differing geographic spreads. In a whitepaper “Enterprise Continuity Management” Strohl Systems describes the What, How and Why of business continuity planningix. This paper revolves around the usage of LDRPS as a central repository for all of an organization’s business continuity plans – as a first step towards achieving BCDR on a global scale. Also, the access control features, customization facilities, interface options and robustness & scalability of the system make it ideal for global organizations. The vendor offers an ECM model (not described in white paper) that can help companies concentrate on high risk areas of their BCP.

committee composed of various business and IT leaders and buy-in from executive managers. It also brings out an important point about the creation of sub-projects to contribute to the overall BCDR management project that should be run as separate projects. The vendor then goes on to describe a phased approach to BCDR planning. By considering Business Impact Analysis activity in Phase I and Business Continuity Plan, Communications and Coordination Plan, Test Plans and Metrics in Phase II. Over all, this whitepaper does a good job of describing how to go about a BCDR planning effort within an organization. No special attention is paid to tackling the issue for especially large organizations or for organizations that are widely global in nature – which is the nature of the issue that my paper is attempting to explore.

In another whitepaper by Comprehensive Solutions, a certain description for management of a business continuity effort is x described . It urges companies to use sound project management methodologies as explained in the PMBOK (Project Management Book of Knowledge by Project Management Institute). It does mention the creation of a steering

Page 8 of 14

disaster situation. For example, if a tornado was to strike the headquarters of a company – what needs to be done to ensure minimum impact to the business. The second group should solely focus on Information Technology infrastructure and business systems. The reason for this segregation is because while Operational BCDR is more likely to be caused by natural disasters and are less frequent, IT outages are more frequent and are more likely to be caused by human error and therefore need a separate governance structure. The two groups also need to align well with each other so as to minimize redundant work and to maximize the synergistic potential by conducting common activities (such as business impact analysis, recovery time objective classifications, identification of business critical processes/departments) only once. The two groups can also leverage the use of software systems off each other to minimize licensing costs. However, for this to work successfully, there needs to be clear demarcation of roles and responsibilities, as well as ownership of “scope of work” at the very beginning of the project.

Recommendations

E

ven though there is no clear answer to approach business continuity management for large global corporations, by amalgamation of information available currently and knowledge in the field of organizational dynamics, a certain “methodology” can be developed. This methodology will be described further in this section. There are several factors to consider when implementing BCDR within a large and global organization. 1. Political alignment: There needs to be complete buy-in and understanding for the reason why the project is being initiated by Business and by IT. Executive championship and sponsorship is a must. Being a global project, sponsorship and ownership at an international level also need to be thought about upfront so as to avoid political power struggles later on in the project. 2. Project Ownership: It is useful to create two separate groups for managing enterprise BCDR. One group should be made responsible for operational business continuity – i.e. communications, personnel, etc. This will center more around a response to a natural

3. Project Organization: a steering committee should be formed

Page 9 of 14

that has representatives from both BCDR groups, from international business and IT groups and from business and IT groups in the home office. Membership to the steering committee can be limited to a few core members to drive the project forward and then temporary membership can be extended to non-core members as and when it is required by the project (depending on the phase it is in). In addition to a steering committee, the actual project needs to be run by the corporate Project Management Office with dedication of specific resources to the project to enable accurate tracking and to ensure that the project meets its timelines. 4. Frameworks: To ensure quality in the implementation phase, there are industrystandard frameworks (such as COBIT and BS25999) that are specifically designed for BCDR planning. These should be utilized at every step – right from the corporate BIA to the actual exercise and testing of the BCDR plan to ensure only the best quality work is being done. Engagement of outside consultants is also a good idea to leverage their expertise in their niche area. However, the primary project responsibility

should stay within the company – that too with joint ownership between IT and business – both at the headquarter-level and at an international level. 5. Project Implementation: The project implementation stage would be very similar to information available currently about BCDR. a. That is, start with an inventory of all processes and business systems within a company, identify dependencies between processes and systems, rate these processes and systems based upon business criticality and recovery time objectives, identify current support for business continuity and finally collate this information into a formal BIA. b. Next, would be actual implementation by breaking down BCDR planning into groups of most, somewhat and least critical applications and then running them as sub-projects. c. Each of these projects can then be tracked until implementation with reporting structures built into them. 6. Socialization: Being a project that spans the entire organization and even

Page 10 of 14

international boundaries, it is important that the concept of BCDR is well socialized within the organization. In most cases the project team will discover what needs to be as they go along. This makes it crucial to have buy-in from EVERYONE in an organization. This kind of buy-in cannot be achieved by a top-down approach alone. Though that is critical, an awareness and socialization campaign is also a must. This will ensure that every employee in the company understands why corporate business continuity planning and management is a priority for the company. Salient features of the project which have direct benefits for the company’s employees should be highlighted so that the project is accepted faster and so that employees are willing to extend any help that is in their power. For example, by explaining that a poor BCDR rating for a company can mean a lower stock price, employees would be motivated to help in any way they can since typically a majority of employees in large organizations have investments in company stock. Therefore, a well thought out marketing campaign along with the support from top management can help remove obstacles in the path of a BCDR planning team and

make the process flow much smoother. 7. Exercise and Testing: Detailed exercise and test plans need to be created as part of each of the sub-projects which seamlessly integrate with other such subproject plans. These plans should also extend to international systems (hosted on international soil, or hosted domestically by serving international markets). This is to ensure that when BCDR exercises are conducted all scenarios as considered and effective testing can be conducted. Testing is a crucially important part of BCDR for any organization. Unless plans are tested and results measured, a BCDR plan is useless. Since it is very difficult (and disruptive) to test each and every possible outage scenario in large organizations, it is extremely useful to have testing in mini-steps. The entire IT infrastructure can be divided (by application support teams, hardware support teams, IT infrastructure teams) and then specific test plans which are scheduled to run at a certain frequency should be executed to ensure that the mini-plans, which roll-up to the corporate business continuity plan, indeed work. Testing exercises can also be easily administered by ensuring inexperienced system administrators to conduct change management on the production environment using disaster recovery documentation. This will ensure that the document is up to date

Page 11 of 14

and is correct. This can be enforced by way injecting certain steps into the change management process at an organization. Since it may be difficult to initiate a BCDR project in a global company, a project methodology for enabling this interaction may be defined as follows: 1. Establish Framework a. Establish Project Scope and Objectives b. Create collaborative work spaces c. Setup an evaluation framework to roughly assess current global BCDR preparedness level 2. Human Resources a. Identify key international stakeholders by mass emailing any corporate IT infrastructure distribution list b. These resources will then be included on the “implementation” team for ensuring cooperation from international markets c. Maintain all information related to these personnel on a common shared workspace. The workspace should also serve the purpose of increasing interaction amongst these individuals.

3. Informational Resources a. Hold conference calls with individuals in international locations and build relationships b. Obtain all relevant information – current state of affairs, existing BCDR plans if available, information about relationships with external vendors, key findings, other relevant documentation c. Share these resources within the company and with other BCDR teams across the company’s global workforce d. Analyze documented information and prepare evaluation report based on framework created to increase awareness within the company and also to identify the current starting point for the BCDR project on a global scale 4. Sustenance of relationship a. Establish a good working relationship with international teams to ensure on-going support from them despite physical distances and cultural differences b. Hold monthly conference calls to report updates on the project and also discuss project roadblocks and breakthroughs

Page 12 of 14

c. Create best practices across the world d. Help leverage maturity of a certain market by enabling knowledge transfer to countries that may not be as mature An evaluation framework to assess international markets on their BCDR preparedness can be created which consider the following parameters: 1) Awareness of BCDR Information 2) Availability of BCDR Plans for review 3) Conductance of a formal Business Impact Analysis 4) Existence of dedicated personnel/department for BCDR 5) Deployment of software for BCDR plan distribution and maintenance 6) Deployment of critical system components in highly available mode 7) Existence of a disaster recovery site 8) IT BCDR plans are exercised 9) All critical application data is backed up 10)External/internal auditing and assessment is performed

Page 13 of 14

References

considered a layman in terms of understanding the specific of BCDR management.

i

http://staff.uow.edu.au/audit/termsandconcepts/i ndex.html “Key Terms” by University of Wollongong, Internal Audit Contains definitions and key terms related to Business Continuity Planning and Management ii

http://www.computerworld.com/managementto pics/management/story/0,10801,91998,00.html “Business Continuity Planning Is a Challenge for CIOs” by Vandana Mangal This article quotes stats and describes the need for enterprises to adapt BCDR measures and also explains why they don’t. iii

http://www.financialweek.com/apps/pbcs.dll/art icle?AID=/20071022/REG/71019027/1005/TO C “S&P wants to bring enterprise risk into its ratings” by Marine Cole The article describes S&P’s move towards integration of Enterprise Risk Management assessment of companies in their ratings and what this could mean for companies. iv

http://blogs.wsj.com/biztech/2008/08/13/celebra ting-the-anniversary-of-the-big-blackout/ “Celebrating the Anniversary of the Big Blackout” The blog entry describes the dismal preparedness rate of businesses in case of an emergency power failure. It also describes the effects on businesses of such outages. v

http://www.businessweek.com/smallbiz/tips/arc hives/2008/12/steps_to_effect.html?campaign_i d=rss_blog_todaystip “Steps to Effective Business Continuity Planning” This article describes in a nutshell why it makes business sense to engage in business continuity planning effort and what the steps entailed in doing so are. It is aimed at raising awareness of a top management executive, who can be

vi

http://www.informationweek.com/news/security/s howArticle.jhtml?articleID=201311255 “Business Continuity: To Err Is Human, To Plan Is Divine” by Larry Greenemeier This article describes the “realities” of BCDR in companies – that most “disasters” are not caused by flooding, fires or earthquakes but by human errors. It also describes that companies that have adequate planning efforts in place will be able to respond to these human errors. vii

http://www.informationweek.com/news/managem ent/showArticle.jhtml?articleID=6507804 “Playing for keeps” by Eric Chabrow and Martin J. Garvey Describes how companies reacted after 9/11 and that cites several facts and figures related to continuity and DR efforts. There is also some evidence of companies moving towards robust global business continuity planning. viii

http://www.cio.com/article/40287/ABC_An_Intro duction_to_Business_Continuity_and_Disaster_R ecovery_Planning “ABC: An Introduction to Business Continuity and Disaster Recovery Planning” This is a primer document by CIO that describes the process of business continuity management in depth and also discusses some examples of BCDR management by global adopters. ix

http://www.strohlsystems.com/Consulting/_files/ ConsultingECM.pdf “Enterprise Continuity Planning” by Strohl Systems This whitepaper describes Strohl’s LDRPS product and how it be beneficial for large organizations in establishing business continuity planning effectively. x

http://comp-soln.com/BCP_whitepaper.pdf “Business Continuity Planning Description and Framework” by Comprehensive Solutions This white paper contains detailed steps on enabling a BCDR planning project within a company.

Page 14 of 14