Government Technology

Business Continuity: Inadequate Planning Affects CIOs

Disaster-Free Planning

Jul 24, 2008, By Tod Newcombe

Found in: Emergency Management

Let's face it: The 21st century has gotten off to a bad start. We've had threats of pandemics (avian flu and severe acute respiratory syndrome); major natural disasters (hurricanes, earthquakes and tsunamis); and large-scale, man-made crises (terrorist attacks and power grid blackouts). The list is long for a century that's less than a decade old.

These large-scale upheavals have occurred at a time when government business increasingly has moved online. For citizens and public-sector workers, government is a 24/7 operation, where vehicle registrations can be renewed online at 2 a.m. and critical public safety IT infrastructure must be fully operational during a crisis or disaster.

The public is expecting more from government, and running public-sector operations has become increasingly complex, said Jim Kennedy, principal consultant for business continuity and disaster recovery at Alcatel-Lucent. "It used to be if there was a problem, you lost a computer. Now there's digital telephony and more mission-critical applications impacting customer service."

Few would argue about the rising complexity and criticality of IT in government. Clearly business continuity (BC) is no longer a luxury, but rather a necessity in the public sector. Yet when it comes to spending time and money on the matter, BC is treated like a second-class citizen in the public-sector IT world. Funding for BC isn't where it should be, say a number of experts.

But money isn't the biggest obstacle to successful BC in government, according to most experts. Poor planning remains the largest challenge. While most organizations have some kind of BC plan in place -- 93 percent, according to a survey by CSO Research Reports -- the quality, readiness and comprehensiveness of those plans are highly questionable.

CIOs at mid- to large-size firms find many barriers to implementing a sound plan, according to a 2007 survey by Hewlett-Packard. More than half of the respondents (55 percent) said their companies couldn't agree on the right IT solution for BC; nearly half (49 percent) said they didn't have enough time to implement a BC plan; and a third (34 percent) revealed they lacked the data to create a true business case for implementing BC.


Don't Fly the COOP
Part of the problem might be what CIOs are supposed to be planning for. Since many parts of government never shut down, it's small wonder government IT executives delay the process of figuring out how to make sure they can resume IT in a logical and businesslike fashion.

BC is a more comprehensive approach to disaster recovery (DR), which is the process of getting an organization running after a disruption. BC and DR are supposed to fit into the overall framework of continuity of operations planning (COOP). Ever since the public sector started installing mainframe computers, IT departments have had COOP plans in place to protect payroll and ensure Medicaid, Medicare and Social Security benefits keep flowing during a disaster.

At the federal level, COOP has taken on greater significance since 9/11. Yet problems remain seven years later. Last year, the Government Accountability Office released a report critical of federal COOP exercises, which were meant to assess how well federal agencies could activate their BC plans and get back on an operational footing following a major disruption.

In 2007, the National Association of State Chief Information Officers (NASCIO) published a DR/BC toolkit for CIOs. Citing the growing flow of electronic information within states that has raised the stakes for disruption of public services, the organization warned of the cost both in terms of taxpayer dollars and public trust, should mission-critical applications cease to operate during an emergency: "State CIOs have an obligation to ensure that IT services continue in the state of an emergency."

NASCIO says the steps outlined in its toolkit are simple. However, the depth of planning, communication, cross-boundary relationships and collaboration necessary to carry out such plans is considerable.

As Kennedy points out, BC planning must be carried out in the shadow of IT security. "Let's face it, business continuity is the ugly stepchild of IT security," he said. As evidence, he points to the number of recent surveys that show BC planning lagging in the public and private sectors, especially when compared with security planning.


CIO Role, Difficult Job
Creating and executing a BC plan is like putting a bull's-eye on your back, according to Kennedy. Checklists on what a CIO is supposed to do are awash with the term "critical": identify critical systems, ensure all critical staff understand the process, ensure all critical business functions remain operational and so on.

Kennedy recommends CIOs become champions for BC planning and find a champion on the business side to help when it comes time to implement and test the plans. But that's not all: CIOs also must ensure their plans have the support of senior-level managers. NASCIO insists today's government CIO needs to go one step further and ensure public-private partnerships -- especially with the industry sectors that deliver power and telecommunications -- are on board ahead of any crisis.

The root of BC is the work that takes place before a crisis occurs. NASCIO's toolkit contains a detailed list of "strategic and business planning responsibilities," with an emphasis on building relationships. Other organizations recommend CIOs' first step should be a business impact analysis. Still other BC planning documents ask that government CIOs take into consideration the need for remote-emergency workers' communications and remote workers in general.

And don't forget the details, say experts. One company had a detailed BC plan, but when a disaster struck, it failed to consider how it was going to feed workers who had to stay on the job for several days. Now it stocks the same ready-to-eat meals used by the military. Another mistake organizations make is not having an alternative work site, a problem that plagued firms devastated by the 9/11 terrorist attacks. What good is backed-up data if your workers have nowhere to work?

The bottom line, said Kennedy, is that good BC requires CIOs to address people, processes and technology. "They've done the last item on the list well," he said. What's been lacking is comprehensive oversight and better execution for following policies and procedures. "We're getting better," he concluded, "but we need to get better a lot faster."

Comments

By Captain Ern Lewis, USN ret on Jul 30, 2008

Excellent article and comments. Think Janet Ahlgren hit the target when she points out that COOP involves everyone involved in the operations of an enterprise. I suggest two final steps -- based on what smart military commanders have done throughout history to prepare for war (and any exec whose enterprise has been engulfed in a major disaster has "been to war"). Three quotes come to mind: (1) "No plan survives first contact with the enemy"; (2) "The race does not always go to the swiftest nor the contest to the strongest - but that is the best way to bet"; and (3) "If you ain't at war -- you'd better be practicing for it." Smart COs subject their teams to regular structured practice covering stuff that can go wrong and subject themselves and their team to randomly scheduled no-notice drills with objective "hot washup" assessments. Nearly every enterprise -- large or small -- should embrace this approach. A growing number of large and/or complex enterprises' executives are investing in operational models of their business process -- that can readily be used to drill and test COOP. I suggest we move from COOP to COPE [Continuity of Operations Planning & Exercise]. BZ to those that do.

By Janet Ahlgren on Jul 26, 2008

Partnerships are essential. We would also suggest that looking at disruption and resumption as being somehow distinct from each other reflects bureaucratic thinking, not reality. Some government agencies and private sector companies already take an integrated approach. The State of Missouri, for example, has adopted a single system for planning, training, responding and recovering from natural and manmade disasters. It takes as given that different agencies and law enforcement organizations will have different systems and processes. To avoid the IT strategy obstacles Newcombe cites, Missouri now uses technology from IBM and VirtualAgility that overlays existing systems to enable everyone from Homeland Security to the local police to interoperate before, during and after a disruption, without sacrificing control of anything proprietary. It's a git 'er done philosophy that's allowed Missouri to bypass bottlenecks that still prevent other public and private entities from developing practical COOP solutions. James O. Price, Jr. points out in his comment: A good BC/DR program touches the entire organization. With respect, we would add that a truly worthy program also touches all the different organizations that will respond to the disruption and take part in the recovery. Now that it's technically possible to address the entire crisis management cycle with one complete solution, why would anyone settle for anything less?

By James O. Price, Jr., CBCP, ITIL on Jul 9, 2008

I agree wholeheartedly with Bill Lang's comments. I want to add, however, that CIOs need to understand what the BC professional needs to successfully perform his/her function, particularly in a large organization. BC/DR too often is the "ugly stepchild" in many organizations. Unfortunately, the end does not turn out like the stories of Cinderella and the Ugly Duckling. Too often, planners and coordinators are hired to satisfy an audit or regulatory requirement and not given the funding, staff or budget needed to establish a comprehensive BC/DR program. Time between events and the changing economic climate hit BC planners/professionals hard as, in the eyes of CIOs, it becomes less and less of a priority as opposed to initiatives that "keep the lights on" and generate revenue. BC professionals are often buried deep in the organization and do not have the opportunity to plead their case to the true decision makers. Typically, the position is made a part of an IT organization, thus adding fuel to the misconception that BC/DR planning is solely an IT function. While BC/DR should work with IT Security, it should not be a part of that organization. Ideally, it should have its own funding, reporting structure and staff and should occupy a significant slot on the organization chart. A good BC/DR program touches the entire organization - not just IT - and should be treated/funded/supported accordingly.

By Bill Lang, CBCP, MBCI on Jul 3, 2008

CIOs need to leave BC to the professionals since this article makes it very clear that the whole BC picture is rather cloudy on the realities of business survival. IT security is a very narrowly focused effort to secure data so that data is not lost or stolen. There is very little actual Emergency Management, IT Disaster Recovery, or BC training in the data security field. The reason IT security is a separate field is because the "netting" that is data processing security has an almost insurmountable number of holes. The immediate and almost overwhelming need to secure data calls for many man hours of concentration to plug the holes in the netting and has created a cottage industry in data security. Once we ingrain a higher level of data security in our data processing systems, that data security industry will begin to dry up or morph into other areas. The analogy is that a Katrina of data integrity loss has burst the data security levees flooding the IT world with immediate need to survive the rising waters, and Information Security has been called in to sandbag the levees while the data processing core of software engineers rebuild the data processing levees with more integrity. BC is just one area of business survival and it addresses less immediate needs than the torrent of data security problems. This is why BC is slow to be addressed. When the data security breach waters are lapping at your nostrils, it's hard to think about less pressing BC stuff. Novice BC presentations and checklists talk about critical data and critical processes, while professional BC talks about the criticality of the data and processes. Any BC professional that simply says, identify your critical processes and your critical data doesn't really know what they're doing. 
BC Management (BCM) is really all about recovery time objectives and recovery point objectives and how to meet those objectives with interim business processes and appropriate forms of IT redundancy and IT DR as well as some Emergency Response. Simplistically, BCM addresses people, processes, and technology. But if the only part of "people" is where they are going to sit, you would have an incomplete plan. If you only addressed how "processes" would be done without IT, you would have an incomplete plan. If you only addressed how your "technology" would be recovered, you would have an incomplete plan. This is why it is better to leave BCM to the professionally trained BCM people.
