M A N A G E M E N T

S T R A T E G Y

M E A S U R E M E N T

Business ContinuityManagement

By

Eric Krell

Published by:

MANAGEMENT ACCOUNTING GUIDELINE

NOTICE TO READERS

The material contained in the Management Accounting Guideline Business Continuity Management is designed to provideillustrative information with respect to the subject matter covered. It does not establish standards or preferred practices.This material has not been considered or acted upon by any senior technical committees or the board of directors of either the AICPA or the Society of Management Accountants of Canada and does not represent an official opinion or position of either the AICPA or the Society of Management Accountants of Canada.

M A N A G E M E N T

S T R A T E G Y

M E A S U R E M E N T

Business ContinuityManagement

By

Eric Krell

MANAGEMENT ACCOUNTING GUIDELINE

Published by The Society of Management Accountants of Canadaand The American Institute of Certified Public Accountants

Copyright © 2006 by the Society of Management Accountants of Canada (CMA-Canada).All rights reserved.Reproduced by arrangement with CMA-Canada.

For information about the procedure for requesting permission to make copies of any part of this work, please visitwww.aicpa.org.A Permissions Request Form for e-mailing requests and information on fees are available there by clicking on thecopyright notice at the foot of the AICPA homepage.

1 2 3 4 5 6 7 8 9 0 PP 0 9 8 7 6

ISBN 0-87051-622-1

INTRODUCTION

Ten months elapsed between theconception of this Management Accounting Guideline (MAG) and itscompletion.During that time, the crucialimportance of business continuitymanagement (BCM) capabilities has beendriven home, repeatedly and painfully, ona global scale

The terrorist attacks of Sept. 11, 2001,served as a gruesome wakeup call toNorth American corporate managersresponsible for preparing theirorganizations to respond to disasters.TheDecember 2004 Indian Ocean tsunami,the July 7, 2005, terrorist attacks on

London’s subway system and HurricaneKatrina’s and Hurricane Rita’s disastrouseffects on large swaths of the U.S.GulfCoast in August and September 2005offer proof that both public and privateBCM capabilities have a long way to go.

The frequency of man-made and naturaldisasters has increased in recent years.The nature of disasters has also changed:who could have imagined five years agothat civilian passenger airplanes would beused as a weapon of war? Moreimportant, the impacts of disasters oncompanies have greatly increased andintensified thanks to technological

BUSINESS CONTINUITYMANAGEMENT

CONTENTS EXECUTIVE SUMMARY

In the 21st Century, organizations that fail to define and implement effectiveresponses to disasters will be defined by their ineffective responses to disasters.Among leading companies, an IT-centricapproach to disaster recovery is giving way to business continuity management(BCM). BCM capabilities enableorganizations to restore their businessesto normal operations following businessinterruptions,which range from a simplepower outage to a Category 4 hurricane.The finance and accounting managers —along with the senior-level executives,functional and operational managers andcorporate directors — who read thisguideline will learn how to define BCM and its essentials and processes; identifythe BCM-related roles of corporatemanagers and directors;work through aBCM framework for developing andmaintaining effective business continuitymanagement processes; and see examplesof leading BCM capabilities in practice.

INTRODUCTION 5DEFINITION AND SCOPE OF BUSINESS

CONTINUITY MANAGEMENT (BCM) 6DRIVERS OF BUSINESS CONTINUITY

MANAGEMENT 8ROLES AND RESPONSIBILITIES 11DEVELOPING EFFECTIVE BCM

CAPABILITIES 13ADDITIONAL INSIGHTS TO HELP

READERS TAILOR BCM TO THEIR ORGANIZATIONS 16

SOFTWARE APPLICATIONS CAN HELP SUPPORT BCM PROCESSES 21

BCM IN ACTION:EXAMPLES OF “GOOD” PRACTICES 21

CONCLUSION 23BIBLIOGRAPHY 25SUGGESTED READING 26APPENDIX 1: BCM-RELATED

REGULATIONS AND GUIDELINES 27APPENDIX 2: IT - HIGHLY DETAILED

DATA CLASSIFICATION 29APPENDIX 3: BCM SOFTWARE

USAGE SURVEY 29APPENDIX 4:RESPONDING TO

A BLACKOUT 30

Page

S T R A T E G Y

5

6

M A N A G E M E N T

S T R A T E G Y

M E A S U R E M E N Tadvances, progressing globalization and theextension of the supply chain.Companies of allsizes are “connected” to their suppliers andcustomers to a much greater degree today thanever before.When a disaster occurs, its effectsquickly ripple up and down the supply chain.

As a result,management teams and corporateboards face much more pressure to make theirorganizations more resilient when disasters,ranging from simple power outages to Category 4hurricanes to synchronized suicide bombings,strike.To date, however, the corporate BCMcapabilities necessary to establish that resiliencygenerally have ranged from absent to insufficient.This deficiency has a high cost: a University ofMinnesota study finds that 93 percent ofcompanies that lose critical systems for morethan 10 days quickly file for bankruptcy; anotherstudy finds that 90 percent of organizations thatexperience a “catastrophic loss of data andequipment” without a business continuity plan inplace go out of business within 24 months of theloss (Kahan, 2005).

The 9/11 Commission’s exhaustive investigativeresearch concludes that the Sept. 11, 2001,terrorist attacks revealed failures in imagination,policy, capabilities and management.The purposeof this guideline is to help organizations addressand prevent those failures while providing financeand accounting managers with a foundation onwhich to further develop their BCM thinking,strategy and processes.

The purpose of this Management AccountingGuideline is not to fear monger (a tactic practicedby some BCM service providers that should berecognized and disregarded), but to help financeand accounting professionals enable theirorganizations to make the most effective andcost-efficient investment in the BCM capabilitiesthat best meet the needs of the business.

The specific objectives of this guideline are asfollows:

• To define business continuity management as acorporate capability and to identify its essentialcomponents and processes;

• To identify the drivers that make BCM a vitalcorporate and management competency in the21st Century;

• To establish and define the roles andresponsibilities that corporate managers andboards fulfill in developing effective BCM practices;

• To present a step-by-step framework fordeveloping and maintaining effective businesscontinuity management processes;

• To provide an overview of the softwareapplications available to support BCM planningand execution processes;

• To present examples of sound businesscontinuity management capabilities in practice.

While the target audience of the guideline is finance and accounting managers, all senior-level executives, functional and operationalmanagers and corporate directors will benefitfrom its content.

DEFINITION AND SCOPE OF BUSINESS CONTINUITY MANAGEMENT (BCM)

Establishing and maintaining business continuitymanagement processes begins with three steps:

1. Defining business continuity management;

2. Identifying and defining the key components ofa viable BCM framework; and

3. Placing BCM in the context of organizationalrisk management

BCM Defined

This guideline agrees with the BCM definitionput forth by the U.K.-based Business ContinuityInstitute (BCI):“Business ContinuityManagement (BCM) is a holistic managementprocess that identifies potential impacts thatthreaten an organization, and provides aframework for building resilience and thecapability for an effective response thatsafeguards the interests of its key stakeholders,reputation, brand and value-creating activities.”This guideline defines stakeholders asemployees, customers, suppliers, investors, andthe community or communities in which anorganization operates.

Business continuity planning is the processthrough which organizations establish thecapabilities necessary to protect their assets and continue key business processes after adisaster — an unexpected business interruptioncaused by natural or man-made events — occurs.

The following framework (see Exhibit 1)illustrates the components of business continuity planning:

B U S I N E S S C O N T I N U I T Y M A N A G E M E N T

7

Although the discipline still has a long way to go,organizational business continuity managementhas evolved significantly over the past twodecades. In the past,“disaster recovery” wasusually centered in data processing or informationtechnology (IT) departments.These early effortsprimarily focused on getting hardware, softwareand data up and running again after a disruption.These days, it is generally recognized that businesscontinuity planning efforts require a cross-company perspective and therefore should not belimited to the IT department.That said,manyeffective continuity tactics have emerged fromdisaster recovery efforts that arose in the ITfunction during the past decade. For example,many of the same principles that apply to data andsystems backup also apply to facilitiesmanagement and backup.

More recently, disaster recovery has expandedinto “business continuity planning,” a phrase thatwas primarily used to emphasize the need tomove continuity efforts beyond the IT departmentand weave them throughout the organization.Most recently, the use of terms like “business

continuity management” and “business resiliency”have increased, emphasizing the proactive natureof current continuity efforts. A business continuityplan, as the chart above illustrates, begins withexecutive-level assessments of an organization’scontinuity objectives.That assessment is followedby the identification of the organization’s mostimportant business processes.Then, financemanagers and other business managers analyze thecritical components of those processes: people,facilities, technology systems and the data thesystems contain.The analysis should also considerhow an unexpected business interruption mightaffect suppliers and customers.

The ensuing response processes ensure that all ofthe components that enable a critical businessprocess are restored within a prudent amount oftime.Defining what is prudent demands input fromthe finance and accounting function because itrequires a comprehensive understanding of (a) eachprocess’ value to the business; and (b) the cost ofrestoring the process within a given amount of time.

The resulting plan should then be monitored,tested and,when necessary, adjusted or improved.

Value to Business

Cost to Sustain

Monitoring, Testing Improving

Continuity Response Approaches:

Preparation and Crisis Management

Business Impact Analysis

Critical Process Identification

Customers

People Facilities Technology Data

3rd Party Providers

Assessment and Objective Setting

Exhibit 1: Business Continuity Planning

••••

8

M A N A G E M E N T

S T R A T E G Y

M E A S U R E M E N TBCM and Organizational Risk Management

Business continuity management is a subset ofcompanywide or enterprise risk management (atopic addressed in the Management AccountingGuideline “Identifying,Measuring, and ManagingOrganizational Risks for Improved Performance.”)

BCM’s rising importance and IT-based history havecaused internal debates about who owns theBCM function and how BCM relates to acompany’s existing risk management efforts.Again, business continuity management is a subset of a larger risk management strategy.The most significant difference between riskmanagement and business continuity managementrelates to the output of each process. Riskmanagement strategies (either risk avoidance, riskacceptance, or risk mitigation — through riskreduction, risk sharing or transfer of the risk) are“pre-event” responses to perceived risks.MostBCM strategies and tactics focus on the processesthat need to take place after an event or disasteroccurs; the objectives of those processes are torestore the business to normal operations asefficiently and effectively as possible.

The Business Continuity Institute’s “Good PracticeGuidelines (2005)” present a partial, but useful,comparison of the two disciplines; a portion ofthis comparison follows (see Exhibit 2).

DRIVERS OF BUSINESS CONTINUITY MANAGEMENT

The need for business continuity managementcapabilities continues to increase due to thefollowing drivers:

1. A rise in the number of natural and man-madebusiness interruptions;

2. The growing impact of business interruptionson organizations due to rising businessinterconnectivity;

3. The essential obligation to protect, preserveand build value;

4. New regulations and guidelines pertaining to BCM;

5. The business benefits of effective businesscontinuity management; and

6. The generally insufficient quality of existingcorporate BCM capabilities.

Driver 1:A Rise in Business Interruptions

The number of terrorist incidents worldwide hasescalated since the Sept. 11, 2001 attacks usheredin a new age of man-made disasters. Bombings inAfrica, the Middle East, East Asia, London andMadrid have killed thousands.There were 651“significant terrorist attacks” worldwide in 2004,according to the U.S. State Department.Thatfigure is three times the number of attacks thatoccurred in 2003 (Danner, 2005).

Driver 2:The Growing Impact of BusinessInterruptions

Most companies now operate in a moreconnected business climate.Numerousorganizations of all sizes are virtually tethered to agrowing number of customers, suppliers anddistributors through an extended web oftechnology systems and processes.Thatconnectivity exacerbates the negative impact of aprolonged business interruption.Not only didlarge automobile companies lose millions ofdollars to production delays when the U.S.-Canadian border was closed and just-in-timeinventories dried up in the wake of the Sept. 11,2001 terrorist attacks, their suppliers and theirsuppliers’ suppliers also suffered financial setbacks.

Even “normal” disasters, such as hurricanes,power outages, earthquakes and climate change,now inflict abnormal consequences due to theever-increasing interconnectedness of the globaleconomy.Those consequences are virtually

Key Terms

Business ContinuityManagement (BCM):Management's capability toidentify potential impacts thatthreaten an organization and toprovide a framework for buildingresilience and an effectiveresponse that safeguards theinterests of its key stakeholders,reputation, brand and value-creating activities. Stakeholdersinclude employees, customers,suppliers, investors, and thecommunity or communities inwhich an organization operates.

Business Continuity Planning(BCP):The process throughwhich an organization establishesand maintains business continuitymanagement capabilities.Thisprocess includes assessmentsand objective setting, criticalprocess identification, businessimpact analysis, and continuityresponse strategies, as well asmonitoring, testing andimproving these areas.

Disaster Recovery Planning:Often used as a synonym forBCP, but also a term associatedmore with IT-related responsesto business interruptions.

Business Impact Analysis:Theprocess of identifying how aspecific business process, or set ofbusiness processes,would likelybe affected by an unexpectedinterruption.

Crisis Management: A termthat refers to the processesenacted after a businessinterruption has occurred tolimit the negative effects of theinterruption while returning thebusiness to normal operatingmode as effectively and efficientlyas possible.

(continued)

Key Method

Key Parameters

Type of Incident

Risk Analysis

Impact and Probability

All types of events, usuallysegmented

Business Impact Analysis

Impact and Time

Events causing significant businessinterruption

EXHIBIT 2: GOOD PRACTICE GUIDELINES

RISK MANAGEMENT BUSINESS CONTINUITY MANAGEMENT

guaranteed to continue.“Earth, by its verynature, is a prolific architect of mayhem andpurveyor of calamity,” a recent Popular Sciencecover story reports.“The only thing we can doto protect ourselves is strive to learn whereand when such massive natural disasters willhappen — because, rest assured, they willhappen (Behar, 2005).”

The Swiss Reinsurance Company publishes anannual report detailing the human and financialtolls of natural catastrophes and man-madedisasters, and 2004 was a costly year on bothcounts, extending what the report describes as a“discernable upward trend.” The catastrophesrecorded by Swiss RE caused more than 300,000deaths worldwide and directly attributablefinancial losses of more than $123 billion. Propertyinsurers covered $49 billion of that amount.

Driver 3:The Essential Obligation to Protect,Preserve and Build Value

Put simply, ensuring business continuity is one ofthe top priorities of any company’s seniorexecutive team. Senior management is chargedwith the duty of building corporate value.To doso, that value must be protected and preservedduring periods of uncertainty. Effective businesscontinuity management capabilities allow acompany to return to the status quo as quicklyand as cost-effectively as possible.

Driver 4: New Rules and Regulations

The fact that insurance covered only 40 percentof catastrophe and disaster costs reflects anothercompelling driver of business continuitymanagement,which is why the growing numberof new industry guidelines, organizational rulesand government regulations on businesscontinuity management represents, in most cases,a positive development.

On April 7, 2004, the U.S. Securities and ExchangeCommission (SEC) approved New York StockExchange (NYSE) Rule 446,“Business Continuityand Contingency Plans.” The new rule illustratesthe degree to which new laws, rules and guidelinesare driving the need for stronger businesscontinuity management capabilities at a growingnumber of North American companies.

NYSE Rule 446 requires NYSE members andmember organizations to establish and maintainbusiness continuity plans.Those plans must “bereasonably designed to enable [the member

organization] to meet its existing obligations tocustomers, and address the existing relationshipswith other broker-dealers.” The plans must bereviewed at least annually and “updated wheneverthere is a material change in a firm’s operation,structure, business, or location that affects theinformation set forth in the BCP.”

The adjective “material” calls to mind theSarbanes-Oxley Act of 2002, the sweeping law thataffects all companies that are publicly listed onexchanges in the United States. Although theSarbanes-Oxley Act does not mandate publiccompanies to establish and maintain businesscontinuity plans,many of the law’s principalobjectives point to the need for effective businesscontinuity management capabilities.

Indeed, some external auditors are reviewing theirclients’ business continuity processes in the post-Sarbanes era.These requests make sense,according to a leading risk management firm:

“… for SOA compliance, it is prudent to considerbusiness continuity issues as well. An importantaspect of managing a company’s overall risk,including its continuation as a going concern, is itsability to effectively address business continuity anddisaster recovery, particularly with respect to thosebusiness processes that are critical to the successfulachievement of the company’s business objectives.A company’s processes, systems, and controls mustmake available all material information needed for fairpresentation and disclosure in its SEC reports,including the update of accounting estimates withcurrent and reliable information.On a more strategicscale, an organization’s business continuitymethodology and approach must be agreed to bymanagement as the foundation for mitigating financialand reputation risk posed by business interruption.”(Benvenuto and Zawada, 2004).

In the United Kingdom,Publicly AvailableSpecification (PAS) 56 provides a guide to“Business Continuity Management.” Thespecification is sponsored by the BusinessContinuity Institute,which offers the discipline’smost widely respected certification, the Fellow ofBusiness Continuity Institute or FBCI. PAS 56 willform the basis of a “British Standard for BusinessContinuity Management.” Some experts notethat PAS 56 could eventually be adopted as anISO standard.

There are many other regulations and industryguidelines related to BCM, as outlined in Appendix1,“BCM-Related Regulations and Guidelines.”

A recent survey conducted by Deloitte & Toucheand CPM Global Assurance found that regulatory

B U S I N E S S C O N T I N U I T Y M A N A G E M E N T

9

10

M A N A G E M E N T

S T R A T E G Y

M E A S U R E M E N Tcompliance was the second most commonly citeddriver (behind “management recognition of theproblem”) of business continuity in corporations.

Driver 5: Business Benefits

Companies are not only implementing businesscontinuity plans because they have to; some are doingso because there are business benefits. According tothe BCI, these include, but are not limited to:

• BCM can be used by companies to differentiatetheir service-delivery or product-deliveryresilience to potential customers;

• Thorough business impact analyses as well asongoing business continuity monitoring canexpose business inefficiencies;

• Retaining customers following a disaster is lessexpensive than acquiring new customers; and

• Successful crisis management experiences canbuild morale among the workforce and helpprevent employee turnover following a disaster.

Driver 6: Existing BCM Capabilities Are Insufficient

The most important motivator of BCMimprovement may be lack of continuitypreparedness at most organizations.Given theimportance of this driver,more space will bededicated to this discussion.

One expert believes that some facets of corporateBCM capabilities — including the ability toanticipate “business surprises” — are a centurybehind the times.“[W]hen comparing the state ofreal-time monitoring of weather patterns withreal-time monitoring in business,” writes GartnerInc.’s Kenneth McGee,“the business world hasroughly the same capability as hurricaneforecasters had in 1900,” (McGee, 2004).

Other sources are only slightly less pessimisticabout the general state of corporate BCMcapabilities.Deloitte & Touche LLP’s most recentannual survey of business continuity professionalsfound significant weaknesses in continuity training,plan-testing frequency and other BCM areaswithin U.S. companies.

Two-thirds of those survey respondents indicatedthey still do not have a process to ensure that anappropriate BCM program is maintained. Almost60 percent of the respondents do not provide anytraining for their workforce to help employeesunderstand their roles and the requiredprocedures following a disruptive event.Only 28 percent indicated that they know their third-

party dependencies and understand the recoverycapabilities of their key business partners.

Researchers from META Group (which is now apart of Gartner Inc.) also analyzed Deloitte’sannual BCP survey findings and had this to say:“The real challenge, as the report notes, is the sadfact that two-thirds of respondents don’t have atrue BCM function, putting any BC plans andplanning in limbo. Equally troubling, as we havenoted in our research and as this survey pointsout, is that the lack of ongoing BC managementand governance (very critical since BC is not aproject but an ongoing process) is compounded bythe lack of executive involvement,” (Deloitte &Touche, LLP and CPM Global Assurance, 2004).

Nearly half of the respondents to a Fall 2004survey of 2,000 global executives by executivesearch firm Korn/Ferry International indicated thattheir companies do not have procedures in placeto respond to an act of terrorism or acatastrophic event;moreover, 11 percent of therespondents said they did not even know if suchprocedures existed in their organization.Thosefigures are more alarming given the fact that 48 percent of the same respondents reported that terrorism continues to impact the economiesin which their companies operate.

Part of the problem may be cost. Small to mid-sized companies typically spend $50,000 to$100,000 to have an external consulting firm help conceive and implement a continuity plan.Although most large companies have some formof business continuity plan in place,many of thoseplans are outdated or were ineffective to beginwith. A Fortune 500 company would likely spend$750,000 to $2 million to implement suitablebusiness continuity management capabilities.

That instinctive resistance coupled with thosehefty price tags help explain why the disasterrecovery and business continuity managementdiscipline has burned brightly on strategic radarscreens at certain times in the past decade andthen faded quickly. BCM was foisted to the top ofexecutive teams’ priority lists leading up to Y2Kand then again immediately following the 2001terrorist attacks on the United States, but quicklygave way to issues perceived to be more pressing(e.g., a recession) once the events passed.

The magnitude of the risk attached to insufficientbusiness continuity management capabilities willgrow significantly in coming years — not becauseof a likely wave of terrorist attacks or a morecutthroat generation of computer hackers, butsimply because disasters will inflict farther-reaching

Key Terms (continued)

Disaster: An unexpectedbusiness interruption caused bynatural or man-made forces.Theinterruption poses a threat tosome or all of the following:employees, the company’sphysical assets, the company’sfinancial position, and/or thecompany’s brand.

Maximum Tolerable Outage(MTO):The amount of time abusiness process or componentof that business process (usually a production facility or aninformation system) can beoffline before the cost of thatoutage becomes too high forthe business.

Recovery Point Objective(RPO):The point in time atwhich a business process, orcomponent of that businessprocess,will be restoredfollowing an interruption; theRPO occurs before the MTOfor a process or function occurs.

damage as companies’ reliance on technology andan increasingly global population of vendors andsuppliers continues its onward march.

ROLES AND RESPONSIBILITIES

The question of which corporate function shouldtake responsibility for BCM is frequently asked. Itis a good question that will be addressed below. Amore important issue, however, involves definingthe BCM roles and responsibilities of all corporatefunctions and of senior leadership. A sound BCMstrategy demands broad involvement of the boardof directors, senior executive team, the corporatefinance and accounting function, and othercorporate functions and business units.

The board of directors should:

— Understand and actively communicate thevalue of BCM and the risks of insufficient BCM capabilities;

— Request to review the company’s businesscontinuity plan at least once a year;

— Request updates (at least annually) fromsenior executives on the emergence of newBCM-related rules and regulations;

— Approve of the strategic objectives of theorganization’s BCM strategy;

— Direct its audit committee to determine ifexternal auditors require annual or quarterlyreviews of BCM-related documentation andprocesses; and

— Offer advice with regard to how investors shouldbe kept informed in the event of a disaster.

The senior executive team should:

— Have a sound working knowledge of BCMpractices and the risks to the business ofinsufficient BCM capabilities;

— Keep the board informed (annually, at least) of the company’s BCM strategy and any significant changes to business continuity plans;

— Take responsibility for setting theirorganization’s business continuitymanagement objectives;

— Review and approve (initially and thenannually) the critical processes identified inBCM planning exercises;

— Review and approve (initially and thenannually) the business impact analyses;

— Review and approve (initially and thenannually) the continuity response strategiesdeveloped and maintained by corporatefunctions and business units;

— Support and communicate the importance ofBCM test exercises;

— Integrate BCM responsibilities intoperformance management process forexecutives and managers with key BCMresponsibilities.

Other corporate functions and business unitsshould:

— Have a sound working knowledge of BCMpractices and the risks to the business ofinsufficient BCM capabilities;

— Participate in critical process identification;

— Participate in business impact analyses ofcritical business processes within their areasof responsibility;

— Help establish continuity response strategieswithin their areas of responsibility;

— Integrate BCM responsibilities intoperformance management process forexecutives and managers with key BCMresponsibilities.

— Work with corporate finance to betterunderstand the costs and recovery tradeoffs oftheir response strategies;

— Support and communicate the importance ofBCM test exercises;

— Monitor and test the response strategieswithin their areas of responsibility;

— Review and approve (annually) the continuityresponse strategies developed and maintainedwithin their areas (based in part on the resultsand findings of test exercises).

The corporate finance and accounting functionshould:

— Guide the organization’s critical processidentification and (subsequent) businessimpact analysis efforts to help the rest of theorganization understand how to assess thevalue of various business processes;

— Help the senior executive team,otherfunctional executives and, in some cases,the board understand the tradeoffs between cost and recovery time objectives related to specific continuity responseapproaches;

— When possible, enhance business impactanalyses with risk analyses to help prioritizethe likelihood of various business processessuffering downtime during disasters;

— Provide additional analyses of how the timingof disasters can intensify or lessen their impacton certain processes (e.g., a hurricane that

B U S I N E S S C O N T I N U I T Y M A N A G E M E N T

11

12

M A N A G E M E N T

S T R A T E G Y

M E A S U R E M E N Tcloses down an oil refinery that is beingrestarted following a maintenance shutdown,reducing output for longer than expected; or alengthy power outage that delays financialreporting processes near the close of apublicly listed company’s fourth quarter willlikely have more serious consequences to thecompany’s share prices (and value) than anoutage that occurs several weeks away from aquarterly close); and

— Glean what BCM-related documentation andprocesses external auditors want to review.

Who Owns BCM?

What part of the organization should actually ownresponsibility for BCM processes? Answers vary,but there is growing sentiment that corporatefinance is the place to house BCM.There is also agrowing disinclination to house BCM in IT.Doingso is often viewed as a symbol of the discipline’spast, in the days when disaster recovery wasconcerned with backing up data and hardware —and little else.

“More progressive organizations have realizedcontinuity planning must be a business issue,” saysProtiviti’s Brian Zawanda, a business continuityexpert.“One option is championing businesscontinuity through the chief financial officer’sorganization.The CFO has a good macro view ofthe organization and can translate downtime intotangible financial impacts. In many organizations,risk management resides within finance, and therisk manager is a strong possibility for businesscontinuity coordination given this person isconstantly thinking in terms of risk mitigation,”(Stanek, 2003).

The location of the “BCM function” sends a clearmessage to the organization about the importanceof BCM.“Poor positioning in an organization canhave a dramatic influence on success,” writesAndrew McCrackan.“It’s all about communicatinga sense of importance and reflecting the correctprofile of the function in the organization.You willnever convince anyone you are running acomprehensive business continuity program fromwithin your property management department, forexample,” (McCrackan, 2005).

IT appears to be a less common owner of BCMtoday than in years past, according to theDeloitte/CPM Global Assurance Survey,whichfound that the BCM function most often resides in:

• Corporate management, including corporatefinance (in 33 percent of respondents’organizations);

• IT (28 percent);

• Risk management (13 percent);

• Facilities management (8 percent);

• Information security (5 percent);

• Physical security (3 percent); or

• Another area (10 percent).

Twenty-five percent of the same Deloitte surveyrespondents,who were evenly distributed amongsmall,mid-sized and large organizations, reportedthat their companies had no budget in place forbusiness continuity management.

Additional Contributions from Finance

Strategic financial management professionals arewell schooled in the following areas:

• Cost-benefit analyses;

• The alignment of investments with high-levelbusiness objectives; and

• Identifying how organizational change affectslarge investments.

Sound cost-benefit analyses should be one of theessential capabilities of a business continuitymanagement function, a point that the“Interagency Paper on Sound Practices toStrengthen the Resilience of the U.S. FinancialSystem” by the U.S. Board of Governors of theFederal Reserve System, the Office of theComptroller of the Currency, and the SECemphasizes:“The agencies recognize theimportance of cost-effective business continuityplanning.The costs associated with implementingthe sound practices can vary substantiallydepending on the extent to which incrementalimprovements may be needed to address the risksof a wide-scale disruption.”

The cost of ensuring the resiliency of processes,technology and facilities can quickly spiral out ofcontrol if those investments are not made in adisciplined manner that aligns with business needs.For example, the cost of owning and maintainingredundant facilities in another geographicallocation can far outweigh the benefits that thebackup facility provides in the event of a disaster.A lease on a shared facility backup space mightmake more financial sense.

Strategic financial management professionalsunderstand how the business generatesrevenue,what makes cross-enterprise projectssucceed (or fail), and what type of support andunderstanding — from the business units and from the executive team — needs to be presentfor BCM investments to meet their objectives.

Continuity PlanningObstaclesThe appearance of Category 5hurricanes and costly Internetviruses and worms oftenstimulate BCM questions:Who’s in charge of our continuityplanning? Where is the actualplan? Yet, BCM commitment isdifficult to sustain over time dueto several obstacles that preventcompanies from installing,maintaining,monitoring andupgrading business continuitycapabilities, including:

1. ‘Vividness Bias:’ “Vividness Bias” (Bazermanand Watkins, 2004) preventsmost individuals fromthinking about troublingmatters and major risksunless those issues play out,intensely and repeatedly, infront of their eyes.

2. Competing Priorities:Many areas of an organizationcan be resistant to the need for continuity planning whenmore immediate and visibledemands — such as quarterlyfinancial performance targets,production quotas and qualityobjectives — bear down on them.

3. Lack of Standards:BCM and disaster recoveryare relatively new disciplinesthat have undergonedramatic evolutions in recentyears, but establishedstandards are only beginningto emerge, thanks to BCI andsome industry organizations.For example, the AutomotiveIndustry Action Group(AIAG) recently published aguideline titled “CrisisManagement for theAutomotive Supply Chain.”

Many finance departments have taken lead roles inestablishing processes that ensure that theirorganization’s regulatory compliance efforts aresustainable over time.The key processes insustaining compliance with the Sarbanes-OxleyAct, for example, echo the processes necessary to sustain BCM over time:

• The creation of an internal controls culture;

• The establishment of business-unit ownershipof internal controls; and

• The integration of internal controlsconsiderations into IT system upgrades,mergers and acquisitions, corporatereorganizations and other major changes.

Replace the phrase “internal controls” with“business continuity,” and the exact sameapproaches ring true for effective businesscontinuity management.

The corporate finance and accounting function may or may not own the business continuitymanagement function, but it certainly possesses thestrategic vision, risk management expertise, financialmanagement discipline, project-management skillsand macro perspective necessary to make BCMframeworks effective and efficient.

DEVELOPING EFFECTIVE BCM CAPABILITIES

There is good news for corporate managers facingthe challenge of developing business continuitymanagement capabilities.

First, information about disaster recovery,business continuity planning and crisismanagement processes is readily available.Thehigh cost of ineffective business continuitymanagement has spurred academics, consultantsand other experts in the field to shareinformation much more freely than is usually thecase in other disciplines. See the “SuggestedReading” section at the end of this guideline forsuggestions on information resources.

Second, the fundamentals of a sound BCMstrategy are relatively simple to grasp. Professionaldisaster recovery and business continuitymanagers and consultants frequently make thepoint that most elements of their work “are notrocket science.” The toughest part of a businesscontinuity manager’s role is overcomingorganizational resistance to fund and participate inbusiness continuity planning activities.

John Laye, the former president of the CaliforniaEmergency Services Association and a business

continuity specialist, offers advice on how toovercome resistance to continuity planning.Without the proper planning and capabilities, Layenotes,“a major disruptive event is likely to take ona life of its own, driving your company intodecisions that will negatively [affect] plans for abright future.Worse, it can lead to that graveyardspiral aviators know about. Event becomes crisis;crisis becomes disaster; and on down.Over thelonger term, resources for expansion areconsumed, employees being groomed forpromotion leave, and the confidence of investors,regulators, potential partners, and customers isshaken (Laye, 2002).”

Developing business continuity managementcapabilities requires a five-step process.While thebusiness impact analysis (BIA) is the lynchpin step,the BIA cannot be effectively conducted withoutthe first two steps. Each of the five steps containssub-steps, as outlined below:

Step 1: Initial Assessment and Objective Setting

– Establish and communicate senior executiveteams’ support of BCM

– Outline and communicate ensuing steps:

• Critical process identification,

• Business impact analysis,

• Response approaches, and

• Monitoring, testing and improving the plans;

– Identify the team in charge of the project andwhich function and which executive the teamreports to;

– Review the company’s strategic plan;

– Review existing plans related to disasterrecovery, continuity planning, emergencypreparedness and crisis management;

– Identify existing external laws, regulations andrequirements related to BCM; and

– Draft and approve a formal BCM policy that outlines the objective of the business continuity plans.

Step 2: Critical Process Identification

– After reviewing the company’s strategic plan,identify the company’s most critical businessfunctions;

– Identify the business objectives executed bythose functions and the processes throughwhich the objectives are executed;

B U S I N E S S C O N T I N U I T Y M A N A G E M E N T

13

14

M A N A G E M E N T

S T R A T E G Y

M E A S U R E M E N T– Process owners should identify key measures,

components and external requirements of theprocess, such as:

• Performance metrics (how the success ofthe process is measured and/or quantifiedwith specific measures),

• Contracts with external parties,

• Regulatory and/or legal requirements (suchas SEC reporting requirements, suppliercontracts, accounts payable terms, paymentschedules with creditors)

– Pinpoint the key resources and tools thatenable the process to be executed, such as:

• People and skills,

• Equipment (including IT infrastructure,telecommunications,manufacturing systems,transportation vehicles),

• Facilities (warehouses, factories, officespace),

• Software, and

• Information,which includes electronic dataand hard-copy documents.

Step 3: Business Impact Analysis

– Identify the following impacts to specificbusiness processes and corporate functionswhen a disaster occurs:

• Human resources,

• Financial positions,

• Reputation,

• Physical assets,

• Supplier relationships,

• Customer relationships, and

• Investor relations;

– Identify, to the best extent possible, themaximum tolerable outage (MTO) of eachprocess;

– Identify a recovery point objective (RPO) foreach process based on the MTO

• Consider how the timing of a disaster (inthe year,within a fiscal quarter, etc.) mightinfluence the MTO and RPO

Step 4: Continuity Response Approaches

Companies can proactively limit the impacts of adisaster. And managers can speed the company’sreturn to normal operations with effective crisismanagement processes. Preparation and crisismanagement represent the two areas ofcontinuity response approaches.

Preparation

The following preparations focus on humanresources, facilities, IT systems and data, and thesupply chain (suppliers and customers):

Human Resources

– Senior and business unit managementestablishes the strategic importance of BCMand continuity planning throughcommunications, disaster-response testexercises and,where applicable, the inclusionof BCM responsibilities in job descriptions andperformance management processes;

– A succession plan — at the senior-management level and in each department andfunction — is maintained and updated;

– Management considers adopting policies thatprevent a set amount (e.g.,more than two)executives,managers and/or other criticalpersonnel from traveling together on the samecar, plane or helicopter at the same time;

– Disaster-response communications protocols are established and communicatedto employees;

– Alternative communications (e.g.,Web sitesand/or telephone numbers) are maintainedand provided to employees so that they andtheir family members can access updates if adisaster prevents employees from working intheir office or family members from reachingemployees at their office;

– Crisis-management protocols and reportingrelationships are clearly communicated andcopies (electronic or hard) of those protocolsand reporting relationships can be accessed byemployees outside the office; and

– Contact lists are created and maintained foreach employee (and suitable backups,wherepossible, if the disaster renders the employeeunavailable) who is required to restore acritical business process following a disaster.

Facilities

– Using the business impact analysis, identify thecosts and benefits of owning or leasingalternative facilities (production facilities,warehouses, office space for employees);

– Test company-owned backup facilities at leastonce a year to ensure that they function asintended;

– Work reviews of the following systems intoBCM testing:water-detection systems thatprovide early warning of leaks; systems that

detect gases, smoke and other indicators offire or potential fire; airborne-contamination-detection systems; fire-suppression systems;backup power capabilities; and physicalbuilding security;

– Assess how long and to what extent backupfacilities can host and help sustain criticalbusiness processes; and

– Review agreements with providers of backup facilities at least once a year toensure that capacity continues to meet the company’s needs;

IT Systems and Data

– Work with IT managers to ensure that systemand data backup processes exist;

– Evaluate and prioritize the recovery timeneeds of each critical IT system;

– Conduct a cost-benefit analysis to betteridentify the proper balance between recovery time objective and the cost ofrecovering data and restoring systems within those time frames;

– In conjunction with backup facility planning,evaluate the IT readiness of each backupfacility option; and

– Ensure that telecommunications backupconsideration is included in these discussions.

Suppliers and Customers

– Create and distribute contingency planningquestionnaires to key suppliers to raiseawareness and to gauge their BCM capabilities;

– Encourage key suppliers to relayquestionnaires to their key customers;

– Identify alternate suppliers in the event adisaster prevents one or more suppliers fromoperating beyond a maximum tolerable outage;

– Consult with key customers and then create acontingency planning questionnaires thatestablishes each customer’s state of awarenessand BCM capabilities. Encourage both keycustomers to do the same with their keysuppliers and customers.

– Assist key suppliers and key customers bysharing knowledge of organizing for theplanning and development of BCM capabilities.

– Identify emergent alternate sources of supply.

Crisis Management

The second set of disaster-response processesinvolve crisis management steps: the protocol an

organization follows in the immediate wake of abusiness interruption until damaged processes arerestored to full operation.

At a high level, crisis-management plans addresshow the company will handle its people, criticalbusiness processes, relations and communicationwith key suppliers, relations and communicationswith top customers, facility needs, technology (dataand systems) needs and other operating needswhen an interruption strikes.Crisis managementplans also lay out how organizations willcommunicate with stakeholders during the disaster.

A crisis management plan should:

– Identify which executive or executives areresponsible for initiating the crisis management plan;

– Identify which managers are responsible formaking specific HR, facilities, IT, and supplychain continuity decisions during a disaster;

– Include a protocol for communicating withemployees’ family members when a businessinterruption puts employee safety at risk;

– Include a protocol and decision trees thatindicate which executives make thosedecisions and the time frames within whichthose decisions should be made;

– In the protocol identified immediately above,identify backups or alternative arrangements ifany individual in the decision tree cannot becontacted or is unable to act;

– Provide a highly detailed account of howcritical processes will be restored through:

• Alternative work schedules,

• Backup facilities or alternative powersupplies at existing facilities,

• Backup IT systems,

• Backup telecommunications systems, and

• Alternative arrangements with suppliers andcustomers;

– Provide a detailed plan for notifying andupdating the following audiences about thedisaster’s impact on the business:

• Employees (and family members),• Suppliers and customers,• Investors,• Regulators,• The community(ies) in which the company

operates,• Local, state and federal emergency response

officials

B U S I N E S S C O N T I N U I T Y M A N A G E M E N T

15

16

M A N A G E M E N T

S T R A T E G Y

M E A S U R E M E N T• Banks and creditors, and

• The media.

Step 5: Monitoring,Testing and Improving

– Evaluate how significant changes, such asreorganizations,mergers and acquisitions, andmajor system implementations, affect businesscontinuity plans, and adjust plans as required;

– Adjust business impact analyses and businesscontinuity plans to ensure that they take intoaccount significant organizational changes;

– Test business continuity plans at least once ayear (companies in sectors with BCMregulations appear to be moving towardquarterly testing schedules).

– When conducting tests, involve operationaland functional employees and managers.

– When conducting tests, strive to make theexercises resemble a “real” response to thegreatest extent possible (e.g., include local,state and federal emergency response agenciesin the exercises whenever possible);

– Identify weaknesses and gaps uncovered duringthe test exercises, and adjust plans as required;

– Develop a timeline to eliminate weaknesses;

– Report on the outcome of the tests and ensuingremediation plans to keep senior executiveteams and corporate boards informed.

ADDITIONAL INSIGHTS TO HELPREADERS TAILOR BCM TO THEIRORGANIZATIONS

The above framework offers high-level, generalguidance.The more detailed insights that followare intended to help readers tailor businesscontinuity processes to meet the unique needs oftheir organizations.

Human Resources

Managing human resources represents the mostcrucial component of business continuitymanagement.Humans are the most valuable and mostunpredictable element of any business continuity plan.

Consider the example of one business continuityconsultant who recently conducted a nearlyflawless hurricane-response exercise with aFlorida-based client.The crisis management teamexecuted the plan perfectly during the simulatedhurricane and responded smoothly tounexpected situations that the continuity planpreviously did not address.

However,when a real hurricane struck thecompany weeks later, the result was disastrous.Rather than report to their posts and fulfilltheir responsibilities as they had been trainedto do,many members of the crisis responseteam left the office to check on the safety offriends and family members, and to assess thedamage the hurricane inflicted on theirpersonal property.

A recent analysis by the National Institute ofStandards and Technology (NIST) concluded thatthe evacuation of the World Trade Center towersfollowing the Sept. 11, 2001, terrorist attacks wentslower than current estimates of how quicklypeople travel down stairwells when evacuating abuilding.However, those estimates are based ontime measurements during non-emergencyexercises.Granted, there were terriblecomplicating factors that slowed the World TradeCenter evacuations, but the point is a clear one:practice often differs from reality, particularly incrisis response situations.

The subject of succession planning in the contextof disasters is an unpleasant one: If key managersor employees die in a disaster,who will step upand fulfill their responsibilities? But discomfort isnot the only reason succession planning is agenerally underserved area of continuitymanagement. Succession planning tends to be aneglected component of strategic planning ingeneral — even outside the context of BCM:

• A study by RHR International found that 75 percent of organizations are not confidentthat their current talent pool will meet theirfuture executive-staffing needs;

• 50 percent of the same respondents anticipatelosing half of their senior management teamwithin the next five years; and

• A different survey from CCH Inc., asked: Ifyour organization’s top four executives died in a car accident on the way to the airport,would your organization have a successionplan? Only 10 percent of respondentsanswered affirmatively and reported that theircompanies maintain a formal succession plan.

The preceding question begs another: What werefour executives doing in the same car at the sametime? Some companies, such as TeachersInsurance and Annuity Association — CollegeRetirement Equities Fund (TIAA-CREF), limit thenumber of key managers who may travel together.

The psychology of crisis management usuallystarts and ends with discussions of the qualities

that make an effective crisis manager oremergency response team leader.Theconsensus is that crisis managers shouldpossess the same qualities as senior managersand, perhaps even more important, find theirwork personally satisfying.

Ian Mitroff, in his most recent book, greatly expandson that conclusion.His research on crises and howorganizations respond to them reaches a centralconclusion that the emotional preparation fordealing with crises is the single most difficult andimportant factor in determining the success ofcrisis management efforts. It also represents adifficult concept to deal with:How can an intangiblelike “emotional preparation” be nailed down andwoven into a documented procedure? He offers astraightforward answer:Hire advisors or counsellorsto prepare to work through the powerful emotionscrises spark before a crisis occurs.

That suggestion may be a bit too far out of thebox for organizations just venturing into BCM,butMitroff’s suggestions nonetheless address an oftenoverlooked, difficult to manage and inevitableoutcome of disasters and crises in the workplace.He also encourages managers to address andmitigate organizational denial that can impede theadoption of crisis management and continuitycapabilities.His description of common types oforganizational resistance (see Exhibit 3) shouldhelp planners identify and diffuse the denial.

Information Technology

Protecting an organization’s critical IT systemsand business data in the event of a disaster canlead to highly technical discussions and terms like“asynchronous replication.” In practice, however,successful systems and data continuity is all abouttime and money: When do the systems and dataneed to be back up and running, and what will itcost to establish that capability?

The major technology issues in businesscontinuity management include:

• Assessing the value of systems and data to theorganization; and

• Selecting storage/backup solutions andprocesses that reflect that current value

IT has generally performed well over the years in protecting companies’ IT assets,which havechanged and evolved dramatically over the past15 years, during business interruptions anddisasters. As continuity continues its transitionfrom the IT function to the business as a whole,finance and accounting professionals can smoothand strengthen that transition by injectinggreater financial discipline into technologycontinuity planning.

In a technology continuity context, time ismeasured as a “return to operations” (RTO)metric.Traditional methods of data backup, in

B U S I N E S S C O N T I N U I T Y M A N A G E M E N T

17

EXHIBIT 3: COMMON TYPES OF ORGANIZATIONAL RESISTANCE

Denial Crises only happen to others.We are invulnerable.

Disavowal Crises happen, but their impact on our organization is small.

Idealization Crises do not happen to good organizations in out-of-the-way places.

Grandiosity We are so big and powerful that we will be protected from crises and we can handle anything that is thrown our way.

Projection If a crisis happens, then it must be because someone else is bad or out to get us.

Intellectualization We don’t have to worry about crises since the probabilities of their occurrence are too small. Before a crisis can be taken seriously, one would have to precisely measure the odds of its occurrence and its consequences.

Compartmentalization Crises cannot affect our whole organization since the parts are independent of one another.

TYPE OF DEFENSE MECHANISM EXAMPLE

Source: (Mitroff, 2005)

18

M A N A G E M E N T

S T R A T E G Y

M E A S U R E M E N Twhich data is stored on a tape and moved to anoffsite location, typically provided a minimum RTOof 48 hours.That can be a long, long time intoday’s just-in-time business environment.Otherbackup and recovery methods provide shorterRTO,but at a premium. So, one of the keyconsiderations that should inform storage andbackup decisions is the value, or estimatedbusiness impact, of the systems and data. SeeAppendix 2,“Highly Detailed Data Classification.”

Data asset classification must be an ongoingprocess, preferably performed by the businessunit managers who use the data most frequentlyand therefore have the most accurateunderstanding of its value to the business. Asimplified data classification scheme contains fourgroupings (Toigo, 2003):

Similar prioritization categories apply to networksand applications:

• Mission Critical: Network or applicationoutage or destruction that would cause anextreme disruption to the business, causemajor legal or financial ramifications, orthreaten the health and safety of a person.Thetargeted systems or data requires significanteffort to restore, or the restoration process isdisruptive to the business or other systems.

• Important:Network or application outageor destruction that would cause a moderatedisruption to the business, cause minor legal orfinancial ramifications, or present problemswith access to other systems.The targeted

systems or data requires a moderate effort torestore, or the restoration process isdisruptive to the system.

• Minor: Network or application outage ordestruction that would cause a minordisruption to the business.The targetedsystems or network can be easily restored(Cisco, 2003).

Trouble often crops up when organizations selectsystems and data backup solutions.The defaultresponse tends to be that all of the systems anddata are important (why else would we use themin the first place?),which leads to unnecessarilyexpensive solutions in which all or most data arestored in highly accessible formats and locationsthat can be restored immediately.

In truth, all systems and all data are not createdequal. And the value of data and systems changes,sometimes quickly, sometimes slowly. Lower-valuedata should be stored in less expensive formatsand locations.High-value data should be stored inhighly accessible formats and at locations thatallow for immediate RTO — a combination ofcapabilities that adds significant but prudentexpense to a technology continuity strategy.

Again, the assessment of systems and data value ismost accurate when conducted — and regularlyrevisited — by a combination of IT, finance andaccounting and business-unit managers whoactually rely on the data in their day-to-dayoperations.Once that process is in place, it makessense to evaluate storage solutions,which, like the

EXHIBIT 4: SIMPLIFIED DATA CLASSIFICATION SCHEME

Critical Data/documentation that must be retained for legal reasons, for use in key business processes, or for restoration [of] minimum acceptable work levels in the event of a disaster.

Vital Data/documentation that must be retained for use in normal business processes and that represents a substantial investment of company resources that may be difficult or impossible to recoup, but may not be required in a disaster recovery situation. Information that requires special secrecy or discretion may also fall under this category.

Sensitive Data/documentation that is needed in normal operations, but for which alternative supplies are available in the event of a loss.Data that can be reconstructed fairly readily but at some cost could also be classified as sensitive.

Non-critical Data/documentation that can be reconstructed readily at minimal cost, or duplicates of critical, vital or sensitive data that have no prerequisite security requirements.

CLASSIFICATION DEFINITION

(Toigo, 2003)

rest of the IT world, have evolved significantly andquickly in recent years and continue to posechallenges for the IT function.

A 2005 survey by IT trade association CompTIAfound that data protection and security is thebiggest challenge identified by IT professionals whomanage storage networks for their organizations.The Wall Street Journal confirmed as much when itran a chart in May 2005 detailing eight costlybreaches of IT security that had taken place at largecompanies and institutions in the previous threemonths.When Bank of America’s computer backuptapes were lost, the Social Security numbers of upto 1.2 million customers were also swiped.

In May 2005,Time Warner made headlines when itacknowledged that 40 backup tapes containing theSocial Security numbers of roughly 600,000current and former employees disappeared whilebeing transported to an offsite data-storagelocation by a records management company.TimeWarner’s response to the loss illustrates the valueof data to organizations today as well as the steepcost of mismanaging data storage: When aninternal investigation did not locate the missingtapes,Time Warner immediately contacted theU.S. Secret Service; it also offered to pay affectedemployees (which could translate to as many as85,000 people) for one year of credit monitoring.

The key question facing continuity planners is notwhether to invest in a storage solution, but ratherwhich storage solution to select.

Supply Chain

New York-based TIAA-CREF is one of the largestprivate retirement systems in the world. It serves3 million members in the academic communityand roughly 15,000 institutional investors whilemanaging some $300 billion in assets.Membersand customers want TIAA-CREF to answer asimple but critical question in the event that aterrorist attack,massive blackout or less dramaticbusiness interruption affects the firm: Are myretirement investments safe?

As a result, a process for communicating withcustomers is an important component of TIAA-CREF’s business continuity managementprogram.Question-and-answer sessionsrepresent an increasingly common tool inbusiness continuity management; plannersdistribute questionnaires among top suppliersand, sometimes, in the business-to-businessspace, to large customers.The purpose of theseinquiries is to gain a more accurate sense of how

relationships with vendors and customers can beaffected by disasters, and how interruptions atlarge customer and vendor locations can affecttheir own organization’s continuity.

One of the provisions of NYSE 446 requireseach member company to disclose to customershow its business continuity managementprogram addresses the possibility of a futuresignificant business disruption, and how thecompany plans to respond to events of varyingscope: “Such disclosure must, at a minimum,bemade in writing to customers at accountopening, be posted on the member’s or memberorganization’s Internet Website and be mailed tocustomers upon request.”

The rule also calls for a fair amount of specificity inthe disclosure, recommending that the companyidentify scenarios of varying severity (whether theevent affects the firm only or involves an entireoffice building, business district or region); statewhether the company plans to continue businessduring each scenario (and provide recovery-timeestimates if that’s the case); and highlight itsplanned responses.

The Department of Marketing and Supply ChainManagement at Michigan State University hasdeveloped a highly practical “Supply ChainBusiness Continuity Planning Framework” that inmany ways parallels the overall BCM frameworkidentified in this Guideline.The system includesawareness, prevention (including riskidentification, risk assessment, treatment andmonitoring), remediation (planning how tominimize the event’s impact and duration andidentify the resources needed to do so) andknowledge management (i.e., how theorganization learns from the experience andstrengthens its processes accordingly).

Questionnaires are commonly used to driveawareness of the need for BCM among suppliers,and to equip in-house continuity planners with amore accurate assessment of supply-chaincontinuity risks.The objective should be a simpleone — to learn more about the continuity andrecovery capabilities of select vendors — that canbe easily communicated to vendors.

These questionnaires range in length from one tosix pages and typically are arranged into sectionsthat address different facets of continuity: overallcontinuity strategy, crisis communications, backupfacilities (including data storage) and testing.Theforms differ according to level of detail. Forexample, on the topic of mainframe and

B U S I N E S S C O N T I N U I T Y M A N A G E M E N T

19

20

M A N A G E M E N T

S T R A T E G Y

M E A S U R E M E N Tdistributed systems recovery, one questionnairemay ask whether the vendor has a recoveryprocess in place for those systems; anotherquestionnaire might continue that line ofquestioning by asking the vendor to list the typeof recovery solution it uses (third party vs. in-house); and yet another questionnaire may probethe vendor on the extent to which the processingcapability in the back-up facility matches theprocessing capability of the primary facility duringnormal operating conditions.

The framework is discussed in a lengthy paperthat is the result of Michigan State Universityresearch of companies with established andeffective supply-chain continuity processes.Theresearch project — one of five on businesscontinuity management the AT&T ResearchFoundation funded in 2003 — also establishesthe 14 principles of effective supply-chainplanning.The 14 principles, and select “key issues,”are as follows:

1. Create internal awareness from thebottom up and from the top down.

• Disruptions can have serious financial andcompetitive impact

• Operational personnel are closest to thesupply base and have better appreciation ofrisk sources

• Top management controls the resourcesneeded and must endorse supply-chaincontinuity planning

2. Drive awareness into the supply basethrough the supplier selection andsupplier management processes.

• Establish key processes for communicatingwith the supply base

• Motivate suppliers to recognize and managerisks

3. Prioritize suppliers and commodities tofocus attention.

• Resources are limited and must be properlyallocated

• Focus efforts on critical commodities andtheir suppliers

• Focus on high-risk commodities and suppliers

4. Consider the full spectrum of resourcesand flows managed within the supply chain.

• Multiple resources (materials, informationand services) flow in the supply chain andare critical to smooth operation

• Must consider exposure related to all ofthese flows

5. Understand both probability and impactof supply-chain disruptions.

• Risk is a function of the dimensions ofprobability and impact

• In practice, disastrous impact mayoverwhelm low probability

6. Eliminate/reduce exposure wherefeasible;buffer or mitigate whereelimination is not feasible.

• Eliminating or reducing exposure is the idealsolution, but not always feasible

• If exposure cannot be reduced, bufferingstrategies can limit impact

7. Develop and monitor predictive BCP-specific indicators.

• Indicators are needed that will help identifychanging risk levels in advance of adisruption

8. Use multiple information sources tomonitor risk.

9. Revisit these issues on a regular basis.

• Supply chains are dynamic

• Sources and levels of risk will vary over timedue to changes in supply-chain structure,economic developments, environmentalchanges and political developments

10. Plan for disruptions

• It is impossible to totally eliminate the riskof supply-chain disruptions

• It is critical to have both a plan and processes in place to deal with disruptionswhen they occur

11.Manage the impact of disruptions.

• Consider both the cost and the duration ofthe disruption

12.Take a continuous improvement view ofsupply chain continuity planning.

• Exposure to supply-chain disruption cannotbe fixed overnight

• Protecting the supply chain requires ongoingattention and effort

13.Conduct a post-event audit of supply-chain disruptions as standard operatingprocedure.

• Learn from mistakes

14.Share knowledge of supply-chaincontinuity planning throughout theorganization (Zsidisin, Ragatz and Melnyk, 2003).

SOFTWARE APPLICATIONS CANHELP SUPPORT BCM PROCESSES

As demonstrated above, business continuitymanagement is nothing if not detail-oriented anddocument-intensive. Business continuity softwareapplications can help manage the informationmore efficiently than filing cabinets.

First-generation BCM software applicationsoffered document management functionality andthe ability to develop continuity plans, although theplans were usually limited to a generic, single-scenario cause, such as a power failure.Theapplications were difficult to use, targeted to usersin the IT function (documenting recovery plans forsystems and applications only), and demonstratedlittle, if any, return on investment.

Recently, a new generation of BCM software hit themarket. It is generally geared toward business users,and provides functionality that can automate all orsome of up to five important BCM processes:

1. Business impact analysis;

2. Documentation of an organization’s process andsystems relationships (mapping, for example,which database hosts the customer records thatcall center employees access through thecustomer relationship management system);

3. Continuity and recovery planning;

4. Situation management (which allows for thetracking and managing of crisis managementactivities in real-time); and

5. Notification (which sets rules for the type andtiming of communications with employees,suppliers, customers and other vitalstakeholders during a crisis).

Some BCM software applications contain the fullrange of these capabilities. Stand-alone solutionsalso exist.A recent Gartner report projected that75 percent of global 200 companies will haveimplemented emergency notification applications(either as a hosted application or in-house) byDecember 2007.

The report identifies seven advantages automatednotifications hold over manual calling trees, including:

• Quicker notification times (minutes vs. hours);

• Ability to guarantee delivery of a consistentmessage;

• Ability to use multiple forms of communication(land line, cellular phone, pager, e-mail andinstant messaging via a computer or handhelddevice, or fax); and the ability to confirm themessage’s receipt (Noakes-Fry and Witty, 2005).

Additional information about the selection and useof BCM software applications is included inAppendix 3,“BCM Software Usage Survey.”

BCM IN ACTION: EXAMPLES OF“GOOD” PRACTICES

Implementing BCM software may one daymaterialize as a legitimate best practice —once best practices emerge. Even the highlyrespected Business Continuity Institute shies away from the phrase. Instead, it offers up “GoodPractice Guidelines.”

Leading business continuity managementprocesses are more likely to exist in companiesthat operate in highly regulated industries andsectors.Today, financial services leads the way,followed (distantly, in most cases) by healthcare.

A published interview with NASDAQ executivevice president of operations and technology andCIO Steve Randich illustrates the challenge ofidentifying best practices in this emergingdiscipline.The equity exchange had just completeda disaster recovery test with 50 of its membercompanies.Despite the interviewer’s attempts toelicit information from Randich, the most heoffered was “this thing went very well.” Asked ifthe exercise produced any insights, Randichanswered,“Not really.” (Mearian, 2004)

Who could blame him? If the tests had exposedshortcomings,NASDAQ would only rattle itscustomers’ nerves by publicly acknowledging itscontinuity vulnerabilities.The same holds true forother companies, especially those wary of alarminginvestors and analysts. As a result, practitionershave to hire consultants and scour bookappendices, academic white papers,Web sites(including http://www.continuitycentral.com,http://www.thebci.org/ and http://www.drj.com),and published transcripts of DR and BCMconferences to glean good practices.

During a 2004 roundtable discussion attended bythe financial services industry’s top continuityexecutives, the CEO of the Society for WorldwideInterbank Financial Telecommunication (SWIFT)offered up this advice: “Whatever you do,makesure it has the support from the very top of yourorganization, or it just won’t get implemented.Business continuity can no longer be a stafffunction buried low in the organization…it’s a lineof business now.” (SunGard, 2004)

While that sentiment echoes the same pointalmost every BCM service provider hammers, itcarries a bit more weight coming from a CEO.

B U S I N E S S C O N T I N U I T Y M A N A G E M E N T

21

22

M A N A G E M E N T

S T R A T E G Y

M E A S U R E M E N TIn 2002,AT&T invested some $250,000 toidentify examples of best practices in businesscontinuity management.The money fundedextensive BCM research at five U.S. universities,including Michigan State University,whichproduced the supply-chain continuity researchcited earlier in this Guideline.The researchproduced five white papers that examinebusiness continuity practices from different anglesand in different industries; together, that researchpinpoints six practices that companies shouldfollow if their executives seek to implementadvanced BCM capabilities (AT&T uses the term“business continuity planning” (BCP)):

1. They do more than concentrate ontangible assets such as systems,networks and physical assets. EffectiveBCP isn’t simply a matter of keeping criticaldata in more than one location or buildingredundant systems. It addresses equallyimportant aspects of organizationaldiscontinuity such as employee education,alternative work processes andcommunication with customers.Training is acritical element in any BCP plan.

2. They learn from their mistakes.TheMichigan [State] researchers observed thatwhen supply-chain disruptions occurred, forinstance, the best firms learned from them.“A serious disruption requires a post-incidentaudit that identifies important lessons learned —things that went right and things that wentwrong,” says Dr.Zsidisin. But even within thecompany that was most advanced in the use ofaudits, the process was managed by the buyingorganization, not the supply-chain partnerwhere the actual disruption occurred.Unlessthe suppliers take responsibility for the audit’sexecution, an audit has limited utility as a toolfor self-improvement.

3. They are open to using third-partyproviders.Outsourcing BCP functions tothird-party providers that store criticalcompany data and make available alternativefacilities to continue such operations in theevent of a disruption can provide significantprotection — particularly when IT processesare not a firm’s core capability.Using managedservice providers can also enable companies tokeep pace with rapidly changing ITenvironments and continuity needs.

4. BCP is integrated across firms.Theincrease in complex interactions amongapplications across an organization and itspartners means that disruptions at one point

may propagate rapidly throughout anorganization in ways that may not be easily andquickly understood.Rather than asking businessunits to handle BCP within their own silos, anintegrated approach is needed.That doesn’t justmean handing the job to the IT department —functions such as human resources andcustomer service need to be in the loop.

5. Plans are tested and updated on aregular basis. Companies with untestedplans may face as much risk as those with noplans at all.Where testing was observed in theuniversities’ research, it was often limited tothe evaluation of system or data backup andrestoration, and not the actual restoration ofbusiness functions.The research identifiedcost concerns as the major impediment toregular and comprehensive testing, but savingmoney in this way is a false economy — anoutdated or ineffective BCP program has nextto no value.

6. Above all,BCP is perceived as morethan a cost. Despite their relatively advancedBCP programs, even executives in the financialservices industry see BCP primarily as merelya cost of doing business — a kind of insurance.“BCP was not seen as value-added activity thatmight be used to garner competitive advantagein any of our case studies,” says Amitava Dutta,professor of Management Information Servicesin the School of Management at GeorgeMason University (AT&T, 2004).

Financial services companies tend to be clusteredin large cities, like New York,where many of thetop organizations in the industry experienced theSept. 11, 2001 terrorist attacks firsthand.Yet, itwas the blackout that struck much of NorthAmerica in August 2003 that showed how wellthe harsh lessons of Sept. 11 along with businesscontinuity fundamentals have worked their wayinto the procedural fabric of many financialservices companies.

For example,TIAA-CREF treats its “resiliencyprogram” as an ongoing process that is woveninto most aspects of business planning.The firm:

• Opened operations centers in different regionsof the United States that can assume greaterworkloads in the event of an unexpectedinterruption at another office location;

• Generally requires executive management andbusiness unit leaders to work from alternativelocations as frequently as once a week;

• Constantly tracks the whereabouts of topexecutives; and

More Good Practices

A 2003 Deloitte & Touche studyexamined the businesscontinuity managementprogress leading financialservices companies hadachieved since Sept. 11, thendistilled that field research intofive activities that characterizeeffective practices:

1. Making the BCM effort a topmanagement priority led bysenior executives;

2. Making continuous availability,rather than disaster recovery,the ultimate objective of the program;

3. Focusing on the businessimpact of potentially disruptive events rather thanbasing plans on the frequencyof past events;

4. Broadening the scope ofevents beyond technologysystem failures to include anyfailure that could affect theavailability of employees,working facilities andimportant records; and

5. Extending BCMconsiderations to includepotential interruptions tothird-party providers of critical services, such astelecommunications,security exchanges, publictransportation, and energy providers.

• Mandated that no more than 75 percent ofsenior managers can be in one office location atthe same time.

The Bank of New York elevated its businesscontinuity group from a mid-level function withinthe technology group to a spot on its organizationalchart beside the chief technology officer.

The bank’s customer communications task forcetreated the North American blackout of 2003 as alearning laboratory, emerging with insights thatcontinue to shape the continuity group’s strategy:

1. The realization that telecommunicationscontinuity is paramount in financial services;

2. A greater appreciation for the value ofgeographic diversity as a continuity tool; and

3. The understanding that responsibility forbusiness continuity must extend beyond IT,throughout the business.

The “process not a project” mantra resonatesthroughout organizations with the most effectivebusiness continuity management processes in place.

Like many other enterprises,Charlotte,N.C.-based Duke Energy established an internal groupto assess the global company’s existing disasterrecovery and business continuity capabilities in thewake of Sept. 11.The business continuitymanagement program that the assessmentlaunched is instructive.

The cross-functional group’s six-month reviewidentified 42 recommendations for improvement.Three months later, in June 2002, the companyopened its business continuity and crisismanagement program office and expanded itsprevious emergency-response policy to include anexpansive definition of business continuity and toincorporate crisis management as a corporateaccountability. By the end of 2002, 35 of the 42recommendations had been implemented, andbusiness units are now held accountable forweaving continuity considerations into processimplementation.

Duke’s managing director of business continuityand crisis management and its manager of crisiscommunications report that their new officeemphasized the “what” over the “how” to ensurethat the business units had the flexibility tointroduce business-continuity elements into theiroperations in a way that was most appropriate.

The program office then developed an enterprise-wide, three-tiered approach that involvedparticipation from all levels of the organization to

respond to emergency incidents. Later, theprogram office integrated the separate functionsof business continuity, crisis management andcorporate security into a new organization:“continuity, insurance and security services.”

Today,Duke Energy’s business continuity directorreports that crisis management and businesscontinuity have become embedded in thecompany’s culture — another characteristicfrequently identified in companies with strongbusiness continuity management practices.(Bowman and Mobley, 2005).

CONCLUSION

Natural disasters and other unexpected businessinterruptions occur more often and inflict greaterdamage on companies than they have in the past.

Business continuity management enablesorganizations to reduce the negative impacts ofdisasters and to return to normal operationssooner.To date, the general state of BCMcapabilities among North American companies hasbeen insufficient.

The gap between the financial toll of worldwidecatastrophes and the amount of that toll coveredby insurance in 2004 was about $74 billion.Theloss of life attributed to those catastrophes topped300,000.Those figures seem like a compellingmotivator for better business continuitymanagement. But they are not the only drivers.New regulations with specific BCM mandates arealso emerging.

The epidemic of business continuity plans sufferingfrom dust-inhalation on the shelf is being cured bythe growing number of regulations and industryguidelines — along with more requests fromexternal auditors to review the plans.

The development of sufficient BCM capabilitiesrequires:

• An understanding of the roles andresponsibilities of corporate managers andboards in implementing effective BCM practices;

• Adherence to a framework for developing andmaintaining effective business continuitymanagement processes;

• An understanding of the ways in which financeand accounting managers can apply their uniqueskills and experience to the execution of BCMpractices;

• An understanding of the tools that can helpautomate and support BCM processes; and

B U S I N E S S C O N T I N U I T Y M A N A G E M E N T

23

24

M A N A G E M E N T

S T R A T E G Y

M E A S U R E M E N T• Knowledge of emerging “good practices”

among companies with more sophisticatedBCM capabilities.

Much of that knowledge has arisen from insightinto insufficient responses to disasters andbusiness interruptions. Just as the 9/11Commission “looked backward in order to lookforward,” so, too, should companies learn fromlessons of the past to ensure that they will notsuffer through the same mistakes — or absorbsimilar costs — when future disasters strike.

BIBLIOGRAPHY

AT&T. 2004. Achieving Resilience — BestPractices in Business Continuity. AT&T, April.

Barnes, James C. 2001. A Guide to BusinessContinuity Planning. Chichester: John Wiley & Sons Ltd.

Bazerman,Max H., and Watkins,Michael D. 2004.Predictable Surprises:The Disasters You Should HaveSeen Coming and How to Prevent Them. Boston:Harvard Business School Press.

Behar,Michael. 2005.When Earth Attacks! PopularScience, May.

Benvenuto,Nicholas and Zawada, Brian. 2004. TheRelationship Between Business Continuity andSarbanes-Oxley. Protiviti.

Bowman,Tom and Mobley,Michael. 2005.CaseStudy:Duke Energy Recognizes the Value ofConvergence, April.CPM Global Assurance.

Business Continuity Institute. 2005. BusinessContinuity Research, February.

“Business Continuity Software Survey Results,”2005.Continuity Central,March. Portal Publishing Ltd.

Childs,Donna R. and Dietrich, Stefan. 2002.Contingency Planning and Disaster Recovery: A SmallBusiness Guide.Hoboken: John Wiley & Sons.

Cisco Systems. 2003.Disaster Recovery: BestPractices White Paper. 1992–2003 Cisco Systems Inc.

Croy,Michael. 2004.The Business Value of Data.Disaster Recovery Journal, Summer.

Danner,Mark. 2005.Taking Stock of the ForeverWar. New York Times Magazine, September.

Deloitte & Touche, LLP and CPM GlobalAssurance. 2004. Entering the MainstreamBusiness Continuity 2004.

Goff, John. 2005.Who’ll Stop the Rain? CFO, April.

Goggins,Kelley. 1999.Contingency Planning 101.Contingency Planning & Management Magazine,March.

Honour,David. 2003.U.S. Regulators Hit the RightNote. Continuity Central, April. Portal Publishing Ltd.

Kahan, Stuart. 2005.Disaster Recovery is aNumbers Game. WebCPA, April.

Kean,Thomas H. (chair), and Hamilton, Lee H. (vicechair). 2004.The 9/11 Commission Report: FinalReport of the National Commission on Terrorist AttacksUpon the United States.New York: W.W.Norton &Company.

Laye, John. 2002. Avoiding Disaster:How to Keep YourBusiness Going When Catastrophe Strikes.Hoboken:John Wiley & Sons.

McCrackan, Andrew. 2004. A Practical Guide toBusiness Continuity Assurance. Boston: ArtechHouse.

McCrackan, Andrew. 2005. Is Business Continuitya Subset of Risk Management? Continuity Central,February. Portal Publishing Ltd.

McGee,Kenneth G. 2004 Heads Up:How toAnticipate Business Surprises and Seize OpportunitiesFirst. Boston:Harvard Business School Press.

Mearian, Lucas. 2004.Nasdaq’s Tests Showed NoWeaknesses,CIO Says.ComputerWorld, May.

Mitroff, Ian I. 2005.Why Some Companies EmergeStronger and Better from a Crisis.New York:Amacom.

Mitroff, Ian I., and Alpaslan,Murat C. 2003.“Preparing for Evil.” Harvard Business Review, April.

Noakes-Fry,Kristen and Witty, Roberta J. 2005.Automated Emergency Notification Will SpeedDisaster Recovery. February.Gartner Inc.

Ramsey, Scott. 2004.The Evolution of BusinessContinuity Management:The Process of EnsuringContinuous Operations of Mission CriticalBusiness Functions.CTG,2004.

Schmerken, Ivy. 2003. Wall Street Goes Dark:Blackout 2003. Wall Street & Technology,October.

Stanek, Steve. 2003.Who Owns BusinessContinuity Management?www.KnowledgeLeader.com.Protiviti, 2003.

SunGard. 2004. Industry Roundtable:Models ofResilience.Dialogue, First Quarter.

Swiss Reinsurance Company. 2005. Sigma:NaturalCatastrophes and Man-Made Disasters in 2004.

Thomas,Glyn. 2005.The Changing Role ofBusiness Continuity Software.Continuity Central,April. Portal Publishing Ltd.

Toigo, Jon William. 2003. Disaster Recovery Planning:Preparing for the Unthinkable; third edition.UpperSaddle River: Prentice Hall.

B U S I N E S S C O N T I N U I T Y M A N A G E M E N T

25

26

M A N A G E M E N T

S T R A T E G Y

M E A S U R E M E N TUnited States Government Accounting Office.2004.Report to the Committee on Energy andCommerce,House of Representatives: FinancialMarket Preparedness.GAO-04-984.

Wallace,Michael and Webber, Lawrence. 2004.TheDisaster Recovery Handbook: A Step-by-Step Plan toEnsure Business Continuity and Protect VitalOperations, Facilities, and Assets.New York: Amacom.

Zsidisin,George A., Ragatz,Gary L., and Melnyk,Steven A. 2003. Effective Practices in BusinessContinuity Planning for Purchasing and SupplyManagement.Michigan State University, June 2003.www.bus.msu.edu/msc/research.html.

SUGGESTED READING

Publishers of books,magazines and Web sites areresponding quickly to the growing demand forbusiness continuity management information.Organizations devoted to BCM, such as TheBusiness Continuity Institute, have generouslyshared useful information about the emergingdiscipline. John Wiley & Sons, Prentice Hall,Harvard Business School Press, Amacom andother leading business-trade book publishers arereleasing new titles on BCM and its componentseach year. And publications, such as the DisasterRecovery Journal, have played strong roles instimulating and furthering discussions and debateson how organizations can establish better businesscontinuity management capabilities.

What follows is a supplement to this guide’sbibliography.This section is intended to provide more details on specific resources that will sharpen readers’ searches for additional information.

Online Recommendations

The Business Continuity Institute (BCI)www.thebci.org is one of the world’s foremostauthorities on BCM issues.The BCI’s current(2005) version of its “good practice guidelines,” isrequired reading for any manager involved withBCM.The guidelines are available for free viadownload at the site:www.thebci.org/gpg.htm.

The Disaster Recovery Journal Web site,www.drj.com, provides several free samples ofcontinuity and recovery plans (most are fromuniversities and non-profit organizations) alongwith an example of a questionnaire companies canprovide to vendors to assist with the process ofgauging the BCM capabilities of supply chains.Thesite also contains a page with a lengthy list of links

to other BCM resources:www.drj.com/freelinks/links.html.

The information clearinghouse Continuity Central,www.continutycental.com, also provides acomprehensive collection of links to other BCMarticles, sites and resources:www.continuitycentral.com/basicbc.htm.

DRI International,www.drii.org, offers educationand certifications in business continuitymanagement; its site also provides (for free) one ofthe best BCM glossaries available:www.drj.com/glossary/drjglossary.html.

A hard copy of the Disaster Resource Guide(currently, in its 10th edition) is available ($20) atwww.disaster-resource.com.The guidecontains dozens of articles on most facets of BCMas well as a lengthy products and servicesdirectory.The Web site contains links to freearticles and other resources.

Philip Jan Rothstein is an influential voice indisaster recovery issues.His firm’s Web site,www.rothstein.com, contains links to hundredsof books (for sale) and articles (free) related toBCM topics. Rothstein also provides brief reviewsof books available through his firm.

Book Recommendations

If you buy one guidebook to assist with yourorganization’s BCM efforts, Jon William Toigo’sDisaster Recovery Planning: Preparing for theUnthinkable (Prentice Hall, 2003) is a soundinvestment.Toigo has written for numerouspublications, including ComputerWorld andScientific American.His past experience as anexecutive in financial services companies is clearlyevident in his detailed advice on buildingmanagement consensus for BCM.The rest of thebook’s nearly 500 pages delve into every facet ofbusiness continuity management. It concludes with adiscussion of the testing and maintenance of plans.

If Toigo’s book is the definitive BCM text book,James C.Barnes’ A Guide to Business ContinuityPlanning (John Wiley & Sons, 2001) qualifies as thebest set of Cliff Notes on BCM.The relatively slimbook contains more than 150 pages of checklistsand forms,with a few paragraphs of analysesthrown in for good measure.

The Disaster Recovery Handbook:A Step-by-Step Planto Ensure Business Continuity and Protect VitalOperations, Facilities, and Assets (Amacom,2004) byMichael Wallace and Lawrence Webber is a goodsecond or third choice for overarching BCM

guidance.The book comes with a CD-ROM thatincludes a PowerPoint presentation with anoverview of the business continuity planningprocesses and more than 45 forms and checkliststo assist with various components of BCM.

Avoiding Disaster:How to Keep Your Business GoingWhen Catastrophe Strikes (John Wiley & Sons, 2002)offers fewer checklists and a greater emphasis onBCM principles.The fourth chapter offers adviceand observations specifically targeted to seniormanagers responsible for BCM.

This final set of book recommendations focuses on three titles that provide more targetedinformation about specific components of BCM.Each of the following books would be bettersuited to readers who are seeking to elevate the sophistication of existing BCM strategies and processes:

• Ian I.Mitroff,who has overseen two decades ofresearch at the University of SouthernCalifornia’s Center for Crisis Management,would likely dispute a categorization of hisbook,Why Some Companies Emerge Stronger andBetter from a Crisis (Amacom,2005), as “moretargeted.” Mitroff views risk management,business continuity planning and “crisiscommunications” as ultimately incompleteapproaches to guiding companies throughdisasters.He prefers the term “crisismanagement” as a more encompassingdescription.His approach to crisis managementis grounded in technical risk-managementapproaches but also addresses thepsychological and spiritual effects, in thecontext of employees and the collectiveorganization, that abnormal disaster sparks.

• Predictable Surprises:The Disasters You ShouldHave Seen Coming and How to Prevent Them(Harvard Business School Press, 2004)examines how vividness bias — why humansoften do not act on knowledge — hampersorganizational BCM efforts.The book identifieshow companies can identify emerging threats(future disasters) earlier in their development.The book also contains an excellent 10-pointcrisis-response plan in its second appendix.

• In a similar vein, Heads Up:How to AnticipateBusiness Surprises and Seize Opportunities First(Harvard Business School Press) makes thecase that disasters and other “businesssurprises” can be anticipated and responded toin ways that reduce their negative impacts.Thebook, authored by a Gartner Group vicepresident, applies many of the conceptsinvolved in business intelligence and business

performance management to businesscontinuity management.

A Book for Small Businesses

Contingency Planning and Disaster Recovery:A SmallBusiness Guide (John Wiley & Sons, 2002) is aimedat owners and managers of small companies(generally, those with annual revenues below $10 million).

Small companies crafting contingency plans fortheir IT assets typically do not need to delve intosuch complex areas.Continuity and recoverysolutions are simpler for small business owners,although not all vendors who target that marketrecognize the need for simplicity. “Do not bepersuaded by the colourful marketing brochuresand impressive brand names with tantalizingpromises of corporate-calibre disaster protection,”note co-authors Donna Childs and StefanDietrich.“You need to establish a good balance foryour business between your particular needs andthe scale and cost of your solution.”

The co-authors advise small business managers togroup their needs into “basic” and “robust”categories.The former is designed to address themost frequent business interruptions: human error,equipment failure and third-party failures. Robustcontingency covers those three businessinterruptions and provides more protection againstweather-related disasters, terrorism and sabotage.Arough equipment cost estimate for each brand ofsmall-business contingency approach is alsoprovided. Basic contingency capabilities roughlytranslate to $5,000 in initial equipment costs plusabout $1,000 annually in replacements andupgrades.Robust contingency capabilities cost about$10,000 in initial equipment costs and roughly$5,000 annually in replacements and upgrades.

APPENDIX 1: BCM-RELATED REGULATIONS AND GUIDELINES

Although there has been no “Sarbanes-Oxleyequivalent” for business continuity management,the number of new continuity rules, regulationsand guidelines that have accumulated in differentindustries, countries and governmentorganizations in recent years, and particularly sinceSept. 11, 2001, is large and constantly growing, asthe following (partial) list illustrates:

• The Foreign Corrupt Services Act in 1977required U.S. publicly held companies toprovide “reasonable protection for informationservices,” and holds corporate managementaccountable for doing so.

B U S I N E S S C O N T I N U I T Y M A N A G E M E N T

27

28

M A N A G E M E N T

S T R A T E G Y

M E A S U R E M E N T• The Internal Revenue Service (IRS) 86-19

contains legal requirements for the backup and recovery of computer records containingtax information.

• The Computer Securities Act of 1987 requiredU.S. federal agencies that rely on electronicsupport, and the private-sector companieswith which the agencies conduct business, toestablish and maintain recovery plans.

• Presidential Decision Directive 63 (PDD 63)was signed by President Clinton in 1998, andcontains language and guidance that nowsounds eerily prescient, as the inter-agency andpublic-private cooperation the directive callsfor resembles what is now the U.S.Department of Homeland Security. “Becauseof our military strength, future enemies,whether nations, groups or individuals,mayseek to harm us in non-traditional waysincluding attacks within the United States,” thedirective reads.“Because our economy isincreasingly reliant upon interdependent andcyber-supported infrastructures, non-traditional attacks on our infrastructure andinformation systems may be capable ofsignificantly harming both our military powerand our economy.” PDD 63 called oncompanies in certain industries (informationand communications, banking and finance,energy, transportation and vital humanservices) to establish,monitor and upgradedisaster recovery and business continuity plans.

• The Comptroller of the Currency and the Office of Thrift Supervision have issued severalregulations for the financial services industry,including BC-177, a 1980s-era requirement that banks develop and maintain businessrecovery plans.

• The “Interagency Paper on Sound Practices toStrengthen the Resilience of the U.S. FinancialSystem” was finalized by the U.S. Board ofGovernors of the Federal Reserve System, theOffice of the Comptroller of the Currency, andthe SEC in April 2003 after a contentiousdrafting process,which at one point containedlanguage dismissed as “draconian” by critics.The final paper,which addresses companiesthat are involved with clearance andsettlement activities for the wholesale financialsystem, contains several “sound practices”intended to ensure that the targeted financialinstitutions implement and maintain sufficiently

robust BCM capabilities that “provide usefulguidance to business continuity planners in alltypes of companies, not just those in thefinancial sector” (Honour, 2003).These include:(1) Determine appropriate recovery andresumption objectives for clearing andsettlement activities in support of criticalmarkets; (2) Maintain sufficient geographicallydispersed resources to meet recovery andresumption objectives; (3) Routinely use ortest recovery and resumption arrangements.

• The “Contingency Planning Guide for InformationTechnology Systems” contains“recommendations” from the National Instituteof Standards and Technology (NIST),whichprovides instructions and considerations forgovernment IT contingency planning in the UnitedStates.The document outlines a seven-stepcontingency planning process,which,while gearedtoward IT continuity, echoes most of the sameprocesses put forth as leading practices bybusiness continuity management experts: (1)develop the contingency planning policystatement; (2) conduct the business impactanalysis; (3) identify preventative controls; (4)develop recovery strategies; (5) develop an ITcontingency plan; (6) plan testing, training andexercises; and (7) maintain the plan,which “shouldbe a living document that is updated regularly toremain current with system enhancements.”

• NFPA 1600, a standard of the National FireProtection Association (www.nfpa.org), hasbeen made an American National Standard,which is a national subset of the InternationalOrganization for Standardization (ISO).Although critics have questioned thestandard’s teeth, its most recent iterationcontains a robust BCM component,whichincludes 10 key competencies mentioned byseveral other guidelines.

• The American Society for Industrial Security(ASIS) has developed a comprehensivebusiness continuity guideline,“A PracticalApproach for Emergency Preparedness,CrisisManagement, and Disaster Recovery,” which isaccompanied by step-by-step implementationinstructions in a 48-page document availableon the Web site of the internationalorganization for security professionals:www.asisonline.org/guidelines/guidelinesbc.pdf.

• Section 1910.38 of Part 29,Code of FederalRegulations,Occupational Safety and Health

Administration (OSHA) requires companies toestablish emergency action plans that addressemployee safety.The plans should addressemergencies “that employers may reasonablyexpect in the workplace,” such as fire, toxicchemical releases, hurricanes, tornadoes,blizzards, floods and others.

• The Detroit-based Automotive Industry ActionGroup (AIAG) recently released a guideline,“Crisis Management for the Automotive SupplyChain,” which its executive director said wasnecessary because “as recent crises suggest, thesupply chain is vulnerable. A domino effect inthe supply chain may be created whendisruptions occur at any single point.”

This list of regulatory and guideline drivers is notcomplete; rather it is intended to illustrate thewide range of organizations, government agencies,industries and business processes (i.e., supply-chainmanagement) in which business continuitymanagement’s profile is rising.

APPENDIX 2: IT: HIGHLY DETAILEDDATA CLASSIFICATION

Some IT disaster recovery experts present highlydetailed data-classification frameworks.Theseframeworks can help organizations make morecost-effective decisions about how and where theyback up and store their business data:

APPENDIX 3: BCM SOFTWAREUSAGE SURVEY

A recent survey of global business continuityprofessionals conducted by Web site ContinuityCentral found that nearly 60 percent ofrespondents use BCM software.The mostfrequently cited reasons for using BCM softwareare, in order of priority:

1. To manage and update business continuity plans;

2. To manage and coordinate crisis managementresponse;

3. To train personnel; and

4. To evaluate the adequacy of existingcapabilities.

The most frequently cited continuity managementprocesses respondents use BCM software toautomate were the following:

• Call lists (75 percent)

• Business impact analysis (59 percent)

• Testing and exercising (55 percent)

• Crisis team development (47 percent)

• Crisis management (42 percent)

• Risk assessment (42 percent)

• Project management (40 percent)

• Online access (40 percent)

B U S I N E S S C O N T I N U I T Y M A N A G E M E N T

29

Mission Critical Frequently used, immediate availability, significant and immediate financial impact

Business Critical Regularly used, reasonably available, significant long-term financial impact,significant operational impact over time, eventual compliance impact

Essential Periodically used, available within defined time frame, potential long-term financial impact, probable operational impact over time, probable compliance issues

Consequential Occasionally used, available within extended time frame, possible but not likely financial impact, possible operational impact over time, probable compliance issues

Non-Critical Rarely used, limited availability, unlikely financial impact, doubtful operational impact over time, potential compliance impact

Inconsequential Used only on request, limited availability, no financial impact, doubtful operational impact over time, potential compliance impact

Disposable Never used, no need for availability, no financial impact, no operational impact, no expected compliance impact

CLASSIFICATION DEFINITION

Source:Croy, 2004

30

M A N A G E M E N T

S T R A T E G Y

M E A S U R E M E N T• Dependency modeling (37 percent)

• Linking to standard databases (32 percent)

• Training (29 percent)

• Gap analysis (27 percent)

• Automated crisis communications (16 percent)

• Strategy selection (9 percent)

The most important criteria and components thatwill guide future BCM software purchases are, inorder of priority:

• The ability to import and link existinginformation (people, resources, etc.) into thesoftware application;

• The ability to customize the tool to reflect thepurchaser’s organizational structure and standards;

• ease of use (including an in-applicationcoaching module);

• The ability to create plans in universaldocument formats, such as PDF;managementreporting capabilities;

• a database controlled by plan owners;

• the ability to produce a full audit trail forreporting purposes;

• The ability to link to external databases;

• Robust security;

• Web-based capabilities; and

• The ability to dynamically build process andsystems relationships and interdependencies.

APPENDIX 4: RESPONDING TO A BLACKOUT

The response of financial services companies tothe North American blackout of 2003 is detailedvividly in a “Wall Street Technology” article(Schmerken, 2003).The story reflects severalrealities: smaller firms face larger cost andresources obstacles when establishing basicbusiness continuity management capabilities;no amount of planning can ever cover all of thechallenges live events deliver; and businesscontinuity management programs requireconstant updating and adjustments.These

lessons are evident in the real-life BCM casestudies that Schmerken’s reporting uncovers:

• The American Stock Exchange’s offsite backupgenerators were delivered hours after theblackout struck Thursday at 4:10 p.m., and theexchange’s trading systems were back onlineby the open of business Friday morning;however, the operation of the exchange’strading floor air-conditioning and heatingsystem requires steam,which was unavailableuntil the New York City Office of EmergencyManagement located a portable boiler shortlybefore close of business Friday.

• The NYSE’s business continuity plan worked well — almost too well.The exchangeconverted to a generator hours after theblackout struck and opened for business asusual the next day; however, security protocolsealed off entrance to the exchange’s building.When one trader stepped outside to informhis ride home that he would be staying late tofulfill his BCM-related responsibilities, he wasalmost denied re-entry into the building.

• One of Lehman Brothers’ post-Sept. 11continuity initiatives, calling trees,were used toinform employees who worked in the oneoffice tower that did not successfully transferto backup power (the firm’s main tradingfloors and data centers in Lower Manhattanand New Jersey were up and running withinhours) via diesel generators that they shouldwork from home on Friday.On the otherhand, office space that Lehman Brothers doesnot own in another part of the city did notmaintain backup generators and was closedthe following day.

• NASDAQ’s primary data center inConnecticut only experienced a brief powerdisruption before its diesel generator firedup.The electronic exchange also contactedmost of the 300 firms it provides services to,the “vast majority” of which were able toconnect with NASDAQ thanks to a fullyredundant telecommunications network(Schmerken, 2003).

Barry Baptie,MBA,CMA,FCMABoard Director and Business Consultant

Kenneth Biggs,MBA,CMA,FCMABoard Director and Business Consultant

Dennis C.Daly,CMAProfessor of AccountingMetropolitan State University

Alphonse M.Galluccio,CMA,FCMA,CFEVice President Internal AuditThe Jean Coutu Group (PJC) Ltd.

William Langdon,CMA,FCMAVice President,Knowledge ManagementCMA Canada

Melanie Woodard McGee,MS,CPA,CFEManager of Accounting Joint

Venture ControllerAmerican Airlines/Texas Aero Engine

Services, LLC

John F.Morrow,CPAVice President,The New FinanceAmerican Institute of Certified Public Accountants

Robert C.Sweeting,BSc,PhD,FCAProfessorManchester Metropolitan University Business School

David L.TousleyChief Financial OfficerPediaMed —The Pediatrics Company

Kenneth W.Witt,CPATechnical Manager,The New FinanceAmerican Institute of Certified Public Accountants

B U S I N E S S C O N T I N U I T Y M A N A G E M E N T

31

This Management Accounting Guideline was prepared with the advice and counsel of:

For additional copies or for more information on other products available contact:

In the U.S.A.: American Institute of Certified Public Accountants1211 Avenue of the AmericasNew York,NY 10036-8775 USATel (888) 777-7077, FAX (800) 362-5066www.aicpa.orgVisit the AICPA store at www.cpa2biz.com

In Canada and elsewhere: The Society of Management Accountants of CanadaMississauga Executive CentreOne Robert Speck Parkway, Suite 1400Mississauga,ON L4Z 3M3 CanadaTel (905) 949-4200FAX (905) 949-0888www.cma-canada.org

Eric Krell, author

Mr.Krell,who is based in Austin Texas, is the author of hundreds of articles andcolumns on corporate finance, corporate governance, human capital management, riskmanagement and other topics for magazines and media outlets.He writes for BusinessFinance,where he is also a columnist; Consulting Magazine;HR Magazine;1 to 1 Magazineand several business school reviews.His writing has also appeared in consumer outlets,including National Public Radio affiliate KUNC in Colorado and Rolling Stone. Krell holdsa B.A. from the College of William and Mary. Eric@erickrell.com

030002ISO Certified

AICPA Member andPublic Information:www.aicpa.org

AICPA Online Store:www.cpa2biz.com