Jump-Start the Business Continuity Plan: A Checklist

The 11 September 2001 terrorist attacks are different in their human and enterprise operational impact from previous disasters. Enterprises must act to ensure their business continuity in the wake of these and possible future events.

11 September 2001: A Different Type of Disaster

The 11 September 2001 terrorist attacks on the United States are strikingly different from previous events that enterprises usually consider disasters, including the previous bombing of the World Trade Center in 1993. The first clear difference is the staggering loss of life, which is an enormous personal tragedy and a crippling blow to business operations. Many enterprises have lost key executives; therefore, key management decision making has been disrupted at precisely the time it is needed most. Some enterprises have lost virtually their entire IS organizations or disaster recovery teams, compromising the enterprises' ability to recover according to previously determined procedures. Moreover, unlike the 1993 bombing, this disaster has completely destroyed physical facilities, records, systems and other enterprise assets. The secondary effects — e.g., loss of communications, delays in mail and courier services, limits in airline travel — have also been unprecedented.

This tragic event and the effects it has wrought on enterprises worldwide have led us to develop the following guidelines for enterprises to follow as they react to this disaster and prepare for potential future disasters.

Jump-Start a Recovery Program

• Assign responsibility for business continuity planning (BCP) for the enterprise. Good candidates for this position can be found in operations, special projects/project management, audit and information security departments. A knowledge of business operations, and good communications and project management skills are three important skills for this position.
• Conduct a risk analysis to determine the enterprise's ability to recover business operations based on a complete destruction of the production facilities. A gap analysis report will result, identifying where recovery plans do not support current business operations.
• Establish a crisis management team (see "What Is Crisis Management?" COM-14-5246) if the enterprise does not already have one.
• Establish an emergency decision-making hierarchy to address the potential that some executives may be unavailable.
• Be prepared to make regular and updated declarations of the steps the enterprise is taking to deal with the crisis. Draft multiple statements about the recovery process to be used when communicating to the public, shareholders, industry analysts, major customers, internal personnel and business partners.
• Update personnel contact lists and calling trees, including multiple forms of contact information — e.g., office, home, mobile and vacation home telephone numbers, pager numbers, and office and personal e-mail addresses. Consider the use of an outside service that can automate the contact process on notification from the enterprise during an event.
• Establish a personal tracking procedure so that the location of personnel is known at all times during normal business operations.
• Establish a personnel awareness program — i.e., a program educating personnel to potential disasters — and train personnel to react appropriately during an event, including evacuation and contact procedures.
• Determine what other methods of communication are available besides telephone service to establish key communications. E-mail, instant messaging and the enterprise's Web site can be used for communicating with personnel. Personal response systems can be used for limited-distance communications for on-site staff, or for those in close proximity.
• Set up a toll-free telephone number that personnel and their loved ones can use to receive and disseminate information.
• Obtain alternate office space to be used during a disaster — e.g., at an alternate company facility, from a disaster recovery service provider, at a hotel or through an industry association. The use of a "buddy site" (i.e., facilities at an industry peer's business location) may not be available as it may be experiencing similar problems. Although disaster recovery service providers have offered office space and equipment to noncustomers during crisis events, they can't similarly offer recovery services for an enterprise's IT infrastructure.
• Review the enterprise's extra expense and business interruption insurance policies to ensure that they cover the current status of business operations.
• Review your backup schedule and media storage strategy to ensure that the entire information flow, including applications, connectivity and access endpoints, can be recovered, and the backup media can be easily recovered and brought to the alternate recovery site.
• Equip every department with the "essentials" — e.g., flashlights, blankets, emergency communication devices, water, nonperishable food items and medical supplies.
• Store facility floor plans in an easily accessible, off-site location.

Plan for This Type of Disaster

• Ensure that your scenario planning process and recovery plans cover political and terrorist threats to business operations, in addition to the traditional scenarios of natural disasters and power, fire and telecommunications outages.
• Develop contingency plans that cover outages at major suppliers, strategic alliances, external services providers, infrastructure services (e.g., mail and phone) or transportation services to ensure that your business operations can continue even if impacted by an external event to the enterprise.
• Review the business continuity plans of all outside service providers that your enterprises uses to ensure that your business operations are covered by their plans. Ensure the contracts with such vendors cover the business continuity requirements of your enterprise.
• Establish personnel assistance programs to offer medical assistance and other services, such as grief counseling. (See "Anticipate Diverse Emotional Reactions in Wake of Attacks," COM-14-5340, for additional information on managing the emotional side of a disaster.)
• Maintain a current list of vendors that can provide contract personnel within a short time period (e.g., 12 to 24 hours) with skills that match your enterprise's requirements, especially for IT skill sets.
• Focus on the relocation of personnel to alternate, appropriately outfitted locations (e.g., with adequate office space, telephones and computers, fax machines and other office equipment).
• Due to the long hours being worked during a recovery situation, attend to the human needs of your personnel — i.e., ensure food quality and variety, and ease of parking at the alternate processing site, and provide shower, rest and physical activity facilities.
• Work with local, state and federal authorities, and emergency agencies to ensure that the enterprise is planning for and can recover from events that impact more than the enterprise itself. Include the contact information for these authorities and agencies in the business continuity plan and, if appropriate, include them in your disaster recovery tests.
• Ensure that you can recover the connection points of departmental/distributed work areas to the network and core IT services.
• Ensure that vital records of the enterprise that are only in paper form are backed up and stored at an off-site location with transportation availability to it and the alternate processing site.

Long-Term Activities

• Establish a full-fledged business continuity plan that covers business and technology operations.
• Build BCP into the IT project life cycle (see "Integrating BCP Into the IT Project Life Cycle," TU-13-8386), the human resource change process (which is especially important for maintaining personnel contact lists), and facilities and organizational changes.
• Establish a management succession plan to address the potential that some executives may be unavailable.
• Review the proximity of senior management to each other so that an entire team is not lost in the event of a disaster.
• Review senior management travel policies — key executives should not travel together.
• Cross-train personnel in different locations, if possible, so that the recovery process is not impeded by a lack of qualified staff.
• Consider telecommuting as an option for some personnel. If the enterprise already supports telecommuting, decide who will receive remote access priority during a disaster.
• Consider the use of unmanned data centers to separate IT staff and resources so that personnel remain available even if the data center is damaged.
• Conduct repeated and extensive testing of all business continuity plans and procedures to locate possible gaps between business operations and recovery capabilities.

Protect BCP Information

The information contained in a business continuity plan contains confidential and highly sensitive information about the enterprise and its personnel. Personal phone numbers, e-mail addresses and other contact information must be protected to ensure that privacy is not violated or privacy regulations breached. Business procedures involved in implementing the business continuity plan should be considered the intellectual property of the enterprise, and they should be protected as such.

• Full personnel contact lists should be on limited distribution.
• Call trees only need to have contact information, not personal addresses.
• Business continuity plans can be segmented such that each recovery team only have that portion of the overall plan for which they are responsible to execute.

Enterprises must immediately assess their ability to recover business operations in light of the 11 September 2001 terrorist attacks. The scope of these attacks — and the increasingly interconnected nature of modern business — mean that enterprise business continuity plans must be more comprehensive and as current as possible.

This research is part of a set of related research pieces. See AV-14-5238 for an overview.