Continuity for the Rest of Us: BC For SMEs. Kathleen A. Lucey, kalucey@montaguetm.com, tel: (1)516.676.9234

Post on 26-Mar-2015


.

Continuity for the Rest of Us: BC For SMEs

Kathleen A. Lucey

kalucey@montaguetm.com

tel: (1)516.676.9234

.

Continuity Trends Since 9/11 in the US:

SMEs Need Something Different

.

Part I: Recent Events Raise the Bar

Part II: How Can SMEs Get What They Want... and What They Need?

.

Part I: Recent Events Raise the Bar

.

First, a few effects of 9/11 on downtown Manhattan...

Destroyed Buildings: Tenant Relocation Summary as of September 2003

                Midtown   New Jersey   Elsewhere   Downtown   Undecided   Total
Total Tenants   39        11           7           17         0           74

Damaged Buildings: Tenant Relocation Summary as of September 2003

                Midtown   New Jersey   Elsewhere   Downtown   Downtown Existing   Undecided   Total
Total Tenants   32        1            3           10         64                  1           111

Source: Special Report: WTC Tenant Relocation Summary, TenantWise, Inc., 2003

.

And a few more...

Madrid 3/11/2004

London 7/7/2005, 7/21/2005

Katrina: Louisiana and Gulf Coast, 8/2005

Rita: Louisiana and Texas, 9/2005

Earthquake in Pakistan and India: 10/2005

Wilma: Mexico and Florida, 10/2005

New Delhi: 10/2005

.

Post-9/11 Trends

Politicization of Business Continuity

– Homeland Security Department includes FEMA

– Patriot Act

– Pre-emptive wars: Afghanistan, Iraq

Results-oriented regulation

– Inter-agency White Paper

– NASD regs 3610, 3620

– Sarbanes-Oxley

California Law 1386 (2003), NY State Information Security Breach and Notification Act (August 2005)

Increased BC awareness across most non-regulated sectors, and especially SMEs

.

What we have learned...

Effective response is a complex issue, and much larger than data center Disaster Recovery.

Small and medium-size businesses are largely unprepared, but worry.

Success = BC + Emergency Management + an ongoing program

External and intra-industry dependencies have been mostly ignored.

Resilience is the most effective strategy...and it is an organizational, not just a technical issue.

.

Trends Today

EFFECTIVE RESULTS?

Compliance with regulatory checklists is NOT enough.

Not all responses can be planned. Tools and information are necessary but not sufficient.

The most effective 9/11 responses empowered operating-level people.

Testing must become MUCH more serious: greater verisimilitude.

Effective emergency communication is primary: automated notification systems.

.

Trends Today

SMALL AND MEDIUM-SIZE BUSINESSES ARE VULNERABLE

Widespread awareness and concern.

Traditional BC methods are too expensive and seen as unnecessary.

Tools that are effective AND well-adapted to SME needs are difficult to find.

Clear need to develop SME baseline standards and techniques.

Pressure from large customers and/or suppliers can be a driver.

.

Trends Today

INTER-DISCIPLINARY AND INTER-SECTOR WORK IS NEEDED

Government sets security levels, but the private sector holds 85% of critical infrastructure.

Piecemeal solutions with different mindsets and languages:

– IT: D/R and Technology InfoSec

– Facilities: Infrastructure, Engineering, and Physical Access Control

– Emergency and Crisis Management Planning

– Organizational Planning, Strategic Planning, Social Sciences

– Internal Audit, External Audit

– First Responders: insider jargon and procedures

.

It is not an option to remain where we have been...and where we are.

.

Trends Today

EXTERNAL AND INTER-INDUSTRY DEPENDENCIES

Few businesses accomplish all of their critical functions alone:

– Communications

– Transportation, supply and distribution

– Outsourcing

Contractual penalties are insufficient to guarantee business survival.

Creativity, planning, and persuasion are all required. WORKING TOGETHER!

Multiple-sector testing is difficult and expensive. Need more public sector support.

.

It is not an option to remain where we have been...and where we are.

.

Trends Today

RESILIENCE

“The power or inherent property of returning to the form from which it is bent, stretched, compressed, or twisted.”

– of objects or substances

“The power or ability to recover quickly from a setback, depression, illness, overwork, or other adversity.”

– of people

“The ability of a system to keep working when one or more of its components malfunctions. Also called fault tolerance.”

- of systems

.

Part II: Where Can SMEs Get What They Want...and What They Need?

.

How do SMEs see Continuity?

Ask them and they will tell you.

.

SME Continuity Requires the Proper Event DNA

Definition, Notification, Action

.

What is DNA?

Includes designed processes and tools for:

Definition of events +

Notification and communication activities required for immediate response +

Action plans to respond to events.

.

Poor Definition = emergency response tragedies:

Regional Blackout of August 14, 2003

Three Mile Island

9/11

Definition is key

.

Tools and strategies must be:

Carefully designed for feasibility

Understood and rehearsed; UP-TO-DATE

Cover initial interruption management + recovery + return (move)

Notification

.

[Figure: INTERRUPTION MANAGEMENT MODEL. Diagram labels: Executive Oversight Team; Interruption Management Team; Media Relations Team; Command Center Support Team; Business Continuity Coordination; Business Recovery Coordination; IT Recovery Coordination; Business Continuity Teams; Information Technology Recovery Teams; Initial Interruption Management; Recovery Management; Employee Support; EMT; Government Liaison; Emergency Funding; Physical Security; Transportation, Communications; Site Repair and Restoration; HAZMAT; Admin. Services; Damage Assessment; Emergency Logistics; Site Relocation and Re-creation; Site Repair or Relocate; Purchasing; Insurance Liaison.]

2005 Montague Technology Management, Inc. All rights reserved.

.

Implemented Actions and strategies should:

Be additive: chosen to cover the maximum number of scenarios first.

Provide the best response to requirements: the right choice.

Provide a continuity capability that increases measurably over time.

Actions

.

ALL DNA processes must be working to achieve effective continuity.

.

Where are MOST of the Continuity Challenges ??

CONTINUITY ISSUES

Catastrophic Interruptions

Minor Interruptions

Everyday Blips

Process Dysfunctions

BCARE SOLUTIONS

Continuity

Availability

Reliability

Engineering

Core Business Value Chain

Processes

.

BC Jumpstart for SMEs

Steps 1 through 4:

1. Interruption Scenario Class Definitions: Internal and External.

2. Strategies and Tools by Scenario Class: Additive continuity components and interruption avoidance / mitigation measures by scenario class.

3. Gap Analysis: The firm’s current capability vs. the recommended set of continuity components and avoidance / mitigation measures, by scenario class.

4. Project Plan: Timeline and cost estimates to move forward.

.

Interruption Scenario Classes

EXTERNAL SCENARIOS

Classes: 1 - minor (a and b) to 5 - catastrophic

External scenario characteristics:

– Day / time (workday hours, non-working hours)

– Geographic scope

– Length of time

– Premises infrastructure services impact

– Firm premises damage

– Injuries to firm personnel

– Effect on workplace

.

External Scenario Classes

DURATION OF INTERRUPTION BY CLASS

Class Length of Interruption

1: Minor less than 1 day

2: Significant 1-3 days

3: Serious 3-5 days

4: Very serious 5-10 days

5: Catastrophic 10 or more days

.

Internal Scenario Classes

Specific to each firm and each site. For example:

Class Description

A Local equipment failure

B Local PBX failure

C Central network outage

D Workplace violence

E Supplier outage

F Disclosure of confidential information

G Key staff loss

H Reputational Risk

.

Benefits for SMEs

1: Avoid the risk. 2: Lower the risk probability. 3: Recover, reduce damages.

Implement FIRST what is needed for all interruption scenarios.

Pay attention to the obvious.

Spread development and costs over time by building to catastrophic, “worst-case” capability step-by-step.

Make BC capability progress visible, measurable, understandable, and “present-able.”

.

And so what does all of this mean for us as business continuity professionals?

.

We Need to GROW!

Accept that current “best practices” are not the only truth.

Study the concepts of allied fields; stay open to new ideas. Learn!

Connect to related disciplines: emergency management, InfoSec, facilities, infrastructure, equipment reliability and physical security...and organizational theory!

LISTEN....LISTEN.....LISTEN....AND HEAR!

.

References (1)

Interagency Paper on Sound Practices to Strengthen the Resilience of the U.S. Financial System, Board of Governors of the Federal Reserve System; Office of the Comptroller of the Currency; and Securities and Exchange Commission. Draft (Sep 2002): http://www.sec.gov/rules/concept/34-46432.htm Final (Apr 2003): http://www.sec.gov/news/studies/34-47638.htm

Report: Crisis, recovery, innovation: responsive organization after September 11, John Kelly, David Stark. Center on Organizational Innovation, Columbia University. New York, NY June 2002. http://www.coi.columbia.edu/pdf/kelly_stark_cri.pdf

SEC Approval of NASD Rules 3510 and 3520, including amendments 1-8, as published in the Federal Register, April 7, 2004. http://www.nasdr.com/pdf-text/rf02_108_app.pdf

.

References (2)

Special Report: WTC Tenant Relocation Summary, TenantWise, Inc., 2003. http://www.tenantwise.com/wtc_relocate.asp

*"A Desk on the 20th Floor: Survival and Sense-Making in a Trading Room," Daniel Beunza, David Stark. Working Paper Series, Center on Organizational Innovation, Columbia University. Available online at http://www.coi.columbia.edu/pdf/buenza_stark_d20.pdf

5 Habits of Highly Reliable Organizations, Keith H. Hammonds, “Fast Company Magazine,” Issue 58, May 2002, Page 124. http://www.fastcompany.com/magazine/58/chalktalk.html

*Note extensive bibliography.

.

Questions ??

Kathleen Lucey

Montague Technology Management, Inc.

kalucey@montaguetm.com

(1)516.676.9234