The tragic events at the World Trade Centre (WTC) in New York should serve as a wake-up call for companies to adopt a holistic approach to business continuity planning and to take the subject seriously.
This is the word from Jorgen Nielsen, director of consulting at MGX Business Continuity Solutions.
"The scale of the human tragedy and financial loss beggars understanding, but the fact remains that many companies in this financial heartland picked themselves up that very day and began the process of rebuilding their operations."
The records show that the first calls into business continuity companies came in 20 minutes after the first Boeing struck. For companies directly affected at the time, it would have meant a relatively rapid switchover to alternate systems, with minimal or no loss of data. Some 137 affected companies subsequently invoked their business continuity plans using the resources provided by business continuity service provider companies.
"No one anywhere could have predicted the scale of the subsequent disaster and the loss of life," Nielsen says, "but some companies have emerged from it able to continue their operations. All information and records, paper-based and electronic, housed in the WTC were destroyed, but those companies which followed international business continuity best practices will be able to rebuild with their data and systems intact."
Nielsen recalls the previous occasion, in 1993, when the World Trade Centre was the target of a terrorist bomb attack: "It is well documented that many companies went out of business because they didn`t plan for a disaster. Some internalised this lesson; others didn`t, and today they are paying the price."
Nielsen says there are a number of business continuity lessons to be learnt from the WTC disaster:
-- Companies need to adopt a holistic approach to their business continuity programme. "No aspect can be ignored. You always have to be prepared, and constant and regular testing is crucial to ensure everything will work as planned."
-- Those South African companies which have implemented a resilient computer system in a campus environment need to re-examine the level of protection their strategy provides. The resilience is often provided by a second data centre adjacent to the first and in a disaster it is likely that both would be lost. Those companies may be worse off than others, as executives are led to believe they have implemented a comprehensive business continuity plan.
-- While it is important to back up critical data, it is as important to store it off-site at a suitably remote site. Nielsen recommends 10km as being relatively safe but close enough for rapid restore and retrieval.
-- Vital systems should be mirrored, but this does not negate the need for frequent `point-in-time` backups. "If data is corrupted in one system, it will corrupt the other, making rapid back-up and restore crucial."
-- Communications is utterly critical. "The New York Stock Exchange was closed for five days, and the world carried on," Nielsen observes, "but had the telecommunications and Internet infrastructure been taken out, the damage would have been incalculable. Communication is of the utmost importance in such a situation, and you need duplication and redundancy, ideally in a hot site, off-site. What we`ve also seen is that you cannot rely on cellular networks in such an emergency; they simply can`t cope with the volume of calls."
To ensure a business continuity plan meets the required quality metrics, Nielsen recommends it should be submitted against standards such as those created by the Business Continuity Institute. Other guidelines pertaining to disaster recovery are contained in BS7799, now ratified in SA as SABS 17799 and worldwide as an ISO standard.
Finally, Nielsen concludes, business continuity is a specialist discipline requiring concomitant skills and experience. "Often the function is allocated to someone with no experience in the field, and subsequent plans are seldom or never validated. We regularly see, for example, a document that details some technical IT back-up/restore procedure bearing the title `XYZ Disaster Recovery Plan`. But it doesn`t follow best-practice guidelines, has no off-site capability, testing, logistics, crisis centre or allocation of duties in the event of a disaster. Such an approach is asking for trouble."
Share
Editorial contacts