Y2K is long gone, but the remediation efforts agencies underwent are still paying off today.

Y2K remediation required an immense amount of work directly relating to business continuity planning (BCP) -- efforts an organization develops to maintain mission-critical business processes in the face of emergencies or disasters.

Today, agencies are using BCP to prepare themselves for future emergencies and to help them grasp how deeply their mission-critical applications are intertwined with those of other agencies.

All Ears

"We're really changing the focus of IT to be more business oriented than we ever have in the past because of the changes after Sept. 11 and our having to shift money toward disaster plans," said Gail Roper, CIO of Kansas City, Mo. "We've got to open the doors. There has to be a major educational piece to help your customers understand why you're doing what you're doing; why we need to work toward enterprise solutions; why we need to have security in place."

Roper said her department is performing risk-mitigation studies and sharing the information with other agencies, a departure from past processes.

"Before, we understood what the risks were, but we weren't sharing those studies with other agencies," she said. "Y2K was the beginning of the lid coming off of IT and individuals sitting down at the table discussing enterprise requirements. We, as technologists, had a propensity to solve the problem before we knew what the problem was. We've had to develop very strong listening skills."

Y2K forced IT staff to look at problems in new ways, Roper said, including business processes and workflow issues, and that experience is lending itself nicely to business continuity planning.

"The skill requirements have changed," she said. "It's easier to meet the needs of your customers when you understand what their objectives are; what they're in business to do; what their work processes are?"

All Together Now

BCP is one piece of an overall crisis-management plan, said David Morrow, managing principal of EDS' security and privacy services, and that larger plan also includes disaster-recovery planning and human-resource recovery planning.

Though all pieces are important, he said, the BCP element forces enterprises to focus on things that must be done, regardless of whatever emergency or crisis is swirling around the enterprise.

"We did a lot of good work in the Y2K era in getting ready to identify what we need to do," he said. "A lot of organizations, commercial businesses and governments, in the process of that, discovered interdependencies between systems and processes that they never knew existed before."

It's not enough that a state or local government simply identifies a mission-critical process, say welfare payments or related benefits, that must be addressed while assembling a business continuity plan, he said, because those processes don't exist in a vacuum.

"If there's some sort of outside organization or group that has input into that process, or if that process relies upon the input of somebody else, some other state agency, then an agency needs to not only concern itself with the welfare business process and how well that works, but also that other process to make [sure] it continues to work, too," Morrow said.

When commercial organizations began work with EDS, those organizations soon realized the degree of their interconnectedness with others could do as much to cripple mission-critical applications as an in-house BCP failure.

"It's very easy to focus just on your rice bowl, just on the things you worry about," Morrow said. "Especially in the IT environment, programs, applications and processes are so complicated and intricate and involved, it's easy to overlook somebody else having an input to [your mission-critical application] that you didn't know