Holding firm

By Julian Rogers, Deputy Editor

How 9/11 took business continuity planning out of the hands of the IT department and into the boardrooms of the financial institutions.

The terror attacks on 9/11 brought business continuity and disaster recovery management to the fore and highlighted just how vulnerable the financial hubs of the world are to serious threats. New York was crippled for days after the World Trade Center collapsed as financial firms scrambled to get operations back up and running. Many had to cope with the tragic loss of life to their staff and the fact that their offices had been damaged or destroyed and data lost. Recovery costs totalled billions of dollars while the events that day created unique disaster recover challenges for New York. Before the attacks business continuity and disaster recovery budgets were a shadow of what they are today. Now the institutions realize that threats are coming from all angles and that the world is on high alert. This last year the world has seen devastating hurricanes, earthquakes acts of terrorism, while the threat of an avian flu pandemic looms large in the background. Disaster and continuity management has never been so critical in mitigating these risks. The banks know only too well that if there operations are hampered it could have a serious knock-on effect on its market position, share value and reputation.

Howard Sprow, Assistant VP and Director of Business Continuity Planning at the Securities Industry Association (SIA), says the efforts following 9/11 paved the way for business continuity strategies today. “Before 9/11 there was a certain amount planning that had been done and thinking amongst the larger firms as to how they would recover. However, many of the pieces are not as pre-planned as they are now. Since then the business continuity discipline itself has advanced tremendously. Pre-planning is infinitely more detailed than it was before 9/11. The scope of business continuity plans across the industry is much greater – companies large, medium or small are all under rules that require them to have viable plans in place. Should it ever happen again, we will be in a position to respond even more quickly.” Immediately following the events on 9/11 existing recovery plans kicked and the got operations back up and running, says Sprow. “An awful lot of work and people came together in response to 9/11 and got the thing done in the matter of a few days – the market was pretty much ready to open virtually as normal on the Monday following the attacks. A great deal of things had to be done on the fly and people had to come together.”

RECOVERY
Of course, the banks and exchanges cannot afford to be out of action for extended periods. These financial centers stand as iconic symbols of a nation’s prosperity – 9/11 created a challenge never before envisaged. The New York Stock Exchange (NYSE), the American Stock Exchange and the NASDAQ re-opened on the Monday following the 9/11 attacks – the longest closure since the Great Depression in 1929. When the markets reopened, however, $1.2 trillion was wiped off the value of US stocks. Also, the sheer devastation inflicted on Lower Manhattan left 30 percent (28.7 million square feet) of floor space damaged or destroyed. Telecommunications were destroyed, forcing some banks to relocate – a logistical headache in itself. Researchers at Gartner estimate that downtime can cost a business anything between US$86,000 and US$6 million, depending on the industry. With the trillions of dollars swilling around New York’s financial heart, downtime for the institutions and money markets is truly incalculable.

John Copenhaver, President and CEO of the Disaster Recovery Institute, believes that institutions are industry leaders when it comes to continuity strategies. “The financial sector in general leads all other industry segments in the business continuity planning area. Financial institutions are much more likely to have robust, tested business continuity plans in place than are companies in other segments. Thus, it was not surprising that the financial sector in general was able to respond quickly and recover relatively well from the 9/11 attacks.” Copenhaver adds: “Even given this focus on business continuity planning, however, financial institutions in general – as well as the regulators issuing regulations mandating business continuity planning for these institutions – have learned valuable lessons from the events of 9/11, and are putting these lessons to good use in their planning efforts.”

Last year’s hurricanes that battered the US, inflicted unprecedented levels of destruction. Hurricane Katrina alone caused US$100 billion worth of damage and associated costs – making it the most expensive natural disaster in US history. Fortunately, the banks were given advanced warning of the impending storm and able to call upon continuity plans. “With the hurricanes, while there was tremendous devastation, our industry came through them pretty well,” explains Sprow. “When you consider that all of the firms had some form of advanced warning, they activated plans to deal with the type of facilities that they have in the area, which is largely retail offices. For years all the very good firms have had plans on how to deal with retail office outages and temporary closures so this was nothing new. The plans were implemented and some were back up and running within hours after the hurricane went through.” In the wake of major disasters such as Hurricane Katrina, companies have learned that backing up or replicating data may be the key to keeping their business running, according to a survey by Gartner. In a study of North American IT managers, 45 percent of reported backing up or replicating data to another disk, up dramatically from just six percent two years ago. Although more companies are backing up data, almost three quarters of respondents back up to a local device, leaving their back-up data vulnerable to a local catastrophe.

THREATS
Now that business continuity has been taken off the back burner, what other dangers are firms planning for? Fire, flood, accident or malicious acts are the usual threats that have to be considered. However, unexpected disruptions have emerged on the horizon, including an avian flu pandemic. If the virus does indeed mutate to allow it to pass between humans whole workforces could be struck down. “With the pandemic the main difference is that all geographic areas could be impacted at the same time,” says Sproy. “Where as a common approach to business continuity and recovering of a business is to shift functionality to other geographical areas may not work in the case of a pandemic, so it presents challenges. The firms and the exchanges across our industry have been putting in an awful lot of effort into developing strategies that will work and keep the markets open. That is the goal of the industry and regulators.”

Copenhaver is confident that adequate plans are in place to cope with a possible pandemic. “Most large businesses, particularly those with offices in foreign countries, have begun building and testing pandemic preparedness plans dealing with the specific function and process interruptions likely to occur should a flu pandemic. Many businesses as well have watched the devastation of New Orleans from floodwaters, and have been constructing emergency relocation plans – again, a significant component of the business continuity planning process. In short, recent events have clearly illustrated that some kind of emergency preparedness planning for all businesses is vitally important to their survival.”

Business continuity has also grown beyond the responsibility of the CIO or IT department and emerged as a serious part of a company’s armoury. Firms have staff dedicated to this area of the business and outside consultants to help with their planning. Companies dedicated to business continuity have appeared on the market to assist firms in their hour of need too. If say the stricken firm is unable to operate because of a fire, operations can be moved elsewhere with minimum disruption. The continuity company can offer recovery centres kitted out with workstations, networked computers, servers, internet access and everything else needed to keep an organisation on the rails. “I think most businesses are very familiar with the business continuity strategies,” says Sprow. “Pretty much universally across our industry firms and exchanges have agreed that you need some kind of staff to deal with the business continuity issue. That may be a full-time position within larger firms or it could be someone who is dedicated to business continuity within a smaller firm but they do it as part of other duties. One way or another every firm has someone who is assigned to the continuity discipline.”

LOOKING FORWARD
Of course, dangers and threats have always been around for any business – large or small. In fact, the burgeoning dependency on computerized systems within financial institutions and exchanges leaves them vulnerable to potential outages without adequate contingency procedures. But it is the size of these recent unforeseen disruptions that has got the financial world worried. A serious threat can occur at any time, 24 hours a day so plans need to be in place and tested to see that they actually work. Sproy argues that this area of a firm’s operations will continue to grow while threats still exist. “As long as threats persist and as long as the regulatory climate continues, I think business continuity has to be part of normal planning – not only in the US but other countries as well. Regulators are looking to apply regulations that require firms to do certain things to cover their business and that will continue to a degree.” Sproy says that the whole thinking of how an institution will cope with a disaster has evolved. “Prior to 9/11 people thought of business continuity planning in terms of building outages but now it is an organizational thought process. You now have to think of multi-building outages and planning for the recovery of that situation. That is a major difference that has made us much more resilient.“