Bus Continuity 1
Bus Continuity 1
Bus Continuity 1
Tw e n t y - F i r s t C e n t u r y C h a l l e n g e s f o r C o m p e t i t i v e n e s s
A S S U R A N C E A N D A D V I S O R Y S E R V I C E S
“Information technology pervades all aspects of our daily lives, of our national lives. Its presence
is felt almost every moment of every day, by every American. It pervades everything from a ship-
ment of goods, to communications, to emergency services, and the delivery of water and elec-
tricity to our homes. All of these aspects of our life depend on a complex network of critical infra-
structure information systems. Protecting this infrastructure is critically important. Disrupt it,
destroy it, or shut down these information networks, and you shut down America as we know
it and as we live it and as we experience it every day. We need to prevent disruptions; and when
they occur, we need to make sure they are infrequent, short, and manageable.”1
1
The White House, Office of the Press Secretary. "New Counter-Terrorism and CyberSpace Security
Positions Announced," Personnel Announcement by National Security Adviser Condoleezza Rice and
Director of Homeland Security Thomas Ridge, Oct. 9, 2001.
CONTENTS
2 Introduction
16 Conclusion
M a r g a r e t E . M c K e o u g h a n d Va l e r i e H o l t
M e t ro p o l i t a n Wa s h i n g to n A i rp o rt s
Authority
John Ball
Standard Chartered Bank
The following white paper was developed as part of a series by KPMG’s Assurance and Advisory Services Center.
I NT R O D U C T I O N
Faced with rising exposure to new risks and declining tolerance for disruptions to
crises and mitigate future risk. These leaders embrace the moral imperative to
protect their people, and they understand that the ability to continuously perform
twenty-first centur y.
The case for implementing a strategy to manage the risk of disasters has always been compelling.
If disaster strikes, and an organization cannot recover in a timely way, the consequences could
include loss of revenue, defection of customers, deterioration of brand equity, and permanent
loss of shareholder value. Indeed, 40 percent of businesses that suffer a disaster go out of busi-
ness within two years.2
Today, as the economics of information, globalization, and technology continue to change the
nature of business worldwide,3 traditional approaches to business continuity no longer
address a widening array of threats. Traditionally, organizations planned for natural or
Traditional
man-made disasters disrupting production, distribution, and data processing capa-
approaches to business
bilities at a single facility. These threats are becoming more frequent, and their
continuity no longer
impact is growing.
address a widening
array of threats. Simultaneously, threats to information assets are quickly becoming significant for
enterprises of almost any size. Computer viruses, information security issues, soft-
ware quality, inadequate data storage, complex technology architectures, and ineffective
information asset management practices can open the doors to a catastrophe with the same busi-
ness impact (if not a more severe one) as that posed by a physical threat.
Moreover, traditional approaches are reaching the end of their useful life as stand-alone solu-
tions. Organizations increasingly operate in multiple locations and depend on information sys-
tems. Business processes are carried out in real time, so that a disruption has consequences along
an entire value chain. The effects of downtime (see Figure 1) are measured in hours or even min-
utes, instead of days. In this environment, preparing for disasters must become part of a larger
effort to mitigate risk. Instead of responding to particular events, organizations need to focus on
maintaining operations in spite of any event.
2
Vic Wheatman. “Aftermath: Disaster Recovery,” GartnerGroup,
September 21, 2001.
3
The e-Business value chain: Winning strategies in seven global industries.
Economist Intelligence Unit research report written in cooperation with
M A N A G I N G B U S I N E S S C O N T I N U I T Y ( 2 ) KPMG, vii. 2000.
"How do I
manage risk so that I’m
always there for my cus-
Thus, the key question for leaders is no longer, “How do I respond in the event tomers and my other This white paper
of a crisis?” Rather, organizations increasingly need to ask, “How do I manage stakeholders?" examines the variety
risk so that I’m always there for my customers and my other stakeholders?” The of issues that organiza-
answer—and the challenge—is to implement a strategy that takes into account the totality of tions face today. It introduces a
risk, ensures the welfare of people, and balances the costs of risk management with the oppor- framework for managing the
tunity cost of not taking appropriate action. According to the experiences of leaders in a variety risk of disasters in the context
of industries, answering the challenge will result in a successful defense against disasters as well of managing the continuity of
as other benefits with strategic payoffs. the enterprise from an infor-
mation asset perspective. It
F i g u re 1 : A G row i n g , Po te n t i a l l y C o s t l y C a p a b i l i t i e s G a p also discusses a process for
implementing a chosen busi-
The gap between the cost of downtime and
ness continuity strategy, inte-
ability to deliver is widening.
grating it with organizational
strategy, and capitalizing on
Downtime in excess of two
hours is unacceptable for opportunities to achieve and
24% of organizations, and Increasing cost
an additional 48% of organi- of unplanned sustain competitive advantage.
zations cannot tolerate downtime
more than 24 hours of Finally, the Appendix provides
downtime.4
interviews with industry lead-
ers whose thoughts reflect
More than 60% of organiza-
tions do not have corporate- issues many organizations are
wide disaster recovery plans Ability to deliver
in effect. For their most through traditional
now addressing.
recent interruption, almost mechanisms
70% failed to completely
meet their disaster recovery
objectives.5
As downtime is increasingly measured in hours and minutes, not days, organizations’ tolerance for it is
decreasing. A capabilities gap has developed, and is widening, between the cost of downtime and the effec-
tiveness of traditional response mechanisms.
4
KPMG LLP and “Contingency Planning and Management” Survey. “A Review
of Factors Influencing Business Continuity in the Next Millennium,” 2000.
5
Ibid.
( 3 ) T W E N T Y - F I R S T C E N T U R Y C H A L L E N G E S F O R C O M P E T I T I V E N E S S
T H E C U R R E NT E N V I R O N M E NT
Efforts to manage unforeseen circumstances that render assets useless and disrupt
For example, in the 1960s when American Airlines developed SABRE, the widely
used airline reservations system, engineers took great care to ensure the system’s
reliability. They also kept a standby computer in the event that an outage affected
the primary computer running the system. SABRE succeeded while competing ser-
vices failed in large part because of American Airlines’ innovation, but the reliability
Prudent organizations maintain and test plans for responding to likely catastrophic events.
However, the effects of numerous global trends, and the risks that arise from them, are prompt-
ing leaders to question the adequacy of their current capabilities. At the same time, emerging
technologies are enabling new risk management strategies that were cost prohibitive just a few
years ago. Appreciating these forces will lead to a wider view of risks and ultimately a broader
approach to managing business continuity.
T h e E m e rge n c e a n d G row t h o f I n fo rm a t i o n A s s e t s a n d R e l a te d R i s k s
Organizations are rapidly evolving from manually operated stand-alone entities to information-
dependent extended enterprises. For these new entities, information facilitates competitive posi-
tioning, value chains depend on the timeliness of service, and supply chains are technology-
dependent (see the sidebar on the next page). Trends contributing to this evolution include ini-
tiatives common in most industries—enterprise resource planning, customer relationship
The flow management, supply chain management, mergers and acquisitions, outsourcing,
of information is no alliances, and e-commerce. Internet-based service suppliers and the globalization
longer connected with the
of business models are also key factors.
distribution of physical
An important consequence of these changes is that the flow of information is no
objects.
longer connected with the distribution of physical objects. As a result of immense
capacity to share information electronically—across the Internet, wide-area corporate
networks, wireless networks, and other media—the linkage between information-based or vir-
tual processes and physically based processes is dissolving and becoming more complex.
Consequently, value chains are dividing into two interdependent streams—one consisting of
processes in the physical world and the other made up of information flows in the virtual realm.
6
Martin Campbell-Kelly and William Aspray. “Computer: A History of the
Information Machine,” New York: Basic Books, 1996, pp. 169–176.
M A N A G I N G B U S I N E S S C O N T I N U I T Y ( 4 )
T h e E m e rge n c e o f I n fo rm a t i o n - D ri ve n E x te n d e d E n te rp ri s e s
Tr a d i t i o n a l B u s i n e s s M o d e l V i r t u a l E x t e n d e d E n t e rp ri s e
SchwabOne
Bank
Browser Software
Quicken Phone
Bank customer AOL Call
C U STO M E R
Virtual extended enterprises are an emerging feature of e-business and collaborative commerce, as this
financial services industry example illustrates. Whereas customers traditionally dealt with their banks
through human-operated channels or ATM networks, they can now gain access through online as well as
offline channels, and several players have a hand in delivering services.7
Extended enterprises present special challenges to how leaders will manage business continuity.
Traditionally, an organization would write disaster recovery plans for critical processes and applications. As
infrastructure becomes more complex, however, organizations need to consolidate and streamline their con-
tingency planning practices. Moreover, they need to focus on mitigating risk— assuring customers, partners,
and other stakeholders of the availability of information assets.
Many agree that information assets, and the complex extended enterprises they enable, are changing the
nature of competition. Leaders increasingly appreciate that these assets are also exposing organizations to
a new set of risks in the virtual world.
7
Philip B. Evans and Thomas S. Wurster, “Strategy and the New Economics
of Information,” Harvard Business Review, September-October 1997, p. 78.
( 5 ) T W E N T Y - F I R S T C E N T U R Y C H A L L E N G E S F O R C O M P E T I T I V E N E S S
As business
processes move
closer to real-time, the
Leaders responsible for evaluating and develop- T h e Pa ra d i g m S h i ft
cost of downtime
ing future business continuity strategies will need
goes up. The links between physical and virtual assets will
to focus on this division and its potential implica-
have ramifications for how leaders assess the true cost
tions. Ensuring the usefulness of both physical assets and
of unplanned downtime, evaluate their exposure to risk, and set
information assets—as well as protecting the people that are
an agenda for management action. Unplanned downtime is
central to both—will be critical to creating and sustaining com-
estimated to have cost businesses worldwide some $1.6 trillion
petitive advantage and business continuity. Figure 2 shows how
in lost revenues alone in the year 2000.8 That number will cer-
organizations can map themselves based on the value and
tainly climb as downtime is increasingly assessed in terms of
complexity of their information assets, their organizational
how it affects both physical and virtual links in the organiza-
complexity, and their linkages with business partners.
tional value chain.
F i g u re 2 : T h e I n fo rm a t i o n - D e p e n d e n t E vo l u t i o n
o f E n te rp ri s e s Emerging approaches to business continuity have to take into
account the extent to which organizational value is now embod-
ied in information (and information-based, real-time processes)
Virtual Extended
Enterprise as well as physical assets. Real-time capabilities make processes
Value and Complexity of Information Assets
Low
Organizational Complexity and Degree of Collaboration
High Assessing the cost of downtime in a broadened context often
Source: KPMG, 2001. leads to a new appreciation of the risk of disaster—and
Information assets are driving organizations toward networked business whether an organization should measure its exposure in terms
models. Such models let organizations create and sustain increased of its tolerance for downtime or its need for availability.
value, but the risk of unplanned downtime becomes more significant.
8
“It’s Time to Clamp Down,” Informationweek.com, July 10, 2000.
M A N A G I N G B U S I N E S S C O N T I N U I T Y ( 6 )
Traditional approaches to managing business continuity emphasize recovering from a disaster
before a predefined amount of time elapses. The availability-based perspective (see Figure 3)
focuses instead on ensuring that the organization will always be able to produce an output or
reach some desired conclusion when it needs to do so. How an organization can determine what
degree of availability is most appropriate within its business model is an important step, as dis-
cussed in the next section.
TRADITIONAL EMERGING
FOCUS Minimizing the financial impact Ensuring financial continuity, customer
of disasters satisfaction, and productivity despite a
catastrophe
( 7 ) T W E N T Y - F I R S T C E N T U R Y C H A L L E N G E S F O R C O M P E T I T I V E N E S S
M A P P I N G O R G A N I Z AT I O N A L
R I S K S A N D R E QU I R E M E NT S
ask, “How much protection is enough?” Such an evaluation will require examining the
A useful way to assess the current state, as well as estimate future needs, is to benchmark or map
current risk exposure (see Figure 4). An organization can gauge the usefulness of its cur-
rent practices by mapping exposure, on the one hand, and the commitment required to
Mapping can
manage risk and value achieved, on the other hand. Such an effort can also help lead-
reveal opportunities ers evaluate alternative scenarios as they weigh future courses of action. Quantifying
and risks. risk, however, is not the ultimate goal. Rather, this effort is intended to help managers
understand the value propositions that alternative strategies will support, the commitment
needed, and the opportunity costs of inaction (see the sidebar on the next page).
F i g u re 4 : Va l u e L aye r s i n a B u s i n e s s C o n t i n u i t y Fra m e wo rk
The performance of
my information assets
RISK EXPOSURE
exceeds my stakeholders'
expectations.
I can resume my
automated processes
in the event of a disaster.
M A N A G I N G B U S I N E S S C O N T I N U I T Y ( 8 )
I d e n t i f y i n g a n d U n d e r s t a n d i n g O rga n i z a t i o n a l R i s k s a n d R e q u i re m e n t s
VALUE I can recover my I can resume my I’m always there for The performance of How I manage infor-
PROPOSITION physical assets and automated processes my customers in my information as- mation supports value
data in the event of a and protect my peo- maintaining infor- sets exceeds my stake- chain excellence among
disaster. ple in the event of a mation availability. holders’ expectations. all stakeholders.
catastrophe.
ORGANIZATIONAL Manual operations Automation of busi- Integration of auto- Integration of busi- Integration of informa-
CHARACTERISTICS characterized by ness processes and mated processes ness practices with tion assets with a net-
limited use of infor- inc r ea si n g l y dis- into complex infor- the Internet and on- work of organizations
mation technology. tributed information mation systems and line collaborators. focusing on core com-
technology. reliance on informa- petencies and collabo-
tion for timely per- rating through extended
formance and cus- enterprises.
tomer satisfaction.
TYPICAL Stand-alone plans for Contingency plans Infrastructure for Integration of infra- Integration of stan-
OUTCOMES limited recovery of for restoring computer maintaining availa- structure for main- dards for managing
critical assets. systems and resum- bility of information taining availability business continuity
ing operations. assets, monitoring with systems for across collaborating
risk in real-time, and managing operational enterprises with busi-
managing routine, risk to enhance oper- ness intelligence sys-
non-routine, and cata- ational excellence and tems used to capitalize
strophic events. improve flexibility. on information.
( 9 ) T W E N T Y - F I R S T C E N T U R Y C H A L L E N G E S F O R C O M P E T I T I V E N E S S
Trust between
entities will become
more important in
When assessing business continuity risk expo- S c e n a ri o 3 : Tra n s fo rm a t i o n S t a ge
managing business
sure, both present and future, organizations’ strate- Trust between entities will become more impor-
continuity.
gies will typically address one of three scenarios: tant in managing business continuity as trends driv-
● React: Is it sufficient to react to a disaster? ing economic change take root and become a part of
everyday life. As the sidebar on page 5 describes, one organi-
● Control: Is mitigating risk and controlling the availability of
operations necessary? zation’s actions will increasingly affect another’s success. To
cope, organizations that depend on collaboration with third
● Transform: Should business continuity capabilities be provided
across an extended enterprise to assure the reliability of col- parties should extend business continuity capabilities to these
laborative commerce? components of their value chains. In addition to better stability
of a value chain, the benefits may also encompass improved
S c e n a ri o 1 : R e a c t i o n S t a ge
customer service, marketplace responsiveness, and mutual trust.
Reacting to disasters is an adequate risk posture if an organiza-
tion can live without business processes, applications, and
P u tt i n g S t ra te gy i n C o n te x t
other capabilities for 24 hours or longer. Contingency plans
These strategies—reacting to crises, controlling the availability of
that focus on reacting to a disaster are less expensive to develop operations, and providing availability across the extended enter-
than proactive business continuity measures. Such plans, how- prise—are not mutually exclusive. One approach builds on the
ever, are inherently focused on single catastrophic events rather next in an evolutionary manner, and leading organizations’ strate-
gies will blend elements of all three. A large data center, for exam-
than the cumulative impact of downtime. ple, might have contingency plans to restore computer hardware,
redundant telecommunications services to prevent a network
S c e n a ri o 2 : C o n t ro l S t a ge
outage, and service-level agreements to ensure the productivity
Controlling availability is advantageous or necessary for of outsourcers. Differences among organizations will be revealed
organizations that cannot tolerate: 1) downtime in excess of by the tactical decisions that lead to action plans and processes
for managing risk.
a few minutes or hours or 2) failure to deliver adequate ser-
vice levels across the value chain. While the commitment
required is higher in many cases, the indirect benefits can The next section describes an approach to managing the risk of
include better vendor management, productivity improve- disasters that applies to all three of these scenarios and can also
ments, better responsiveness to stakeholders, and lower total help organizations continuously improve their practices in
cost of ownership for technology infrastructure. keeping with changing risks.
M A N A G I N G B U S I N E S S C O N T I N U I T Y ( 1 0 )
A N A P P R OAC H TO M A N AG I N G
B U S I N E S S C O NT I N U I T Y
Once an organization understands its current state and determines how it should
evolve, it can develop a practicable strategy for managing business continuity in the
ing four phases aligned with the organization’s business strategy (as illustrated in Figure 5
and described below). A life cycle approach enables risk management, and it can also
ASSESS RISKS
inuity Man
Cont ag
CE
ss em
ne
AN
s i
en
RM
Bu
DEV
t
AND PERFO
ELOP STRATEGY
Organizational
Strategy
R I SK
RE
t
en
Bu
SU
ne
si
ge
EA
ss
Con na
M
tin uit y M a
IM P E
LEM ENT CHANG
1. A s s e s s R i s k s
Achieving effective business continuity starts with assessing organizational risks and require-
ments for managing them in the future. An organization needs to understand how it relies on its
people, processes, and technology as well as its relationships with customers, suppliers, and other
contributors to its value chain. This knowledge will help the organization understand its toler-
ance for downtime so that it can define the requirements that a business continuity strategy, once
developed and implemented, should satisfy.
( 1 1 ) T W E N T Y - F I R S T C E N T U R Y C H A L L E N G E S F O R C O M P E T I T I V E N E S S
Tackling
cultural issues is critical
to implementing
A structured assessment can help model the dis- change. In some cases, organizations can use the strategy
ruptive impact of downtime and reveal the organiza- to drive other organizational improvements. Such
tion’s vulnerabilities. Such an assessment should provide benefits can include improving the reliability of out-
detailed information about the configuration of information sourcers and other vendors, phasing out dependence on com-
assets and effectiveness of operations. It should also facilitate mercial hot sites, and consolidating and automating technology
development, implementation, and continued use of risk meas- management practices. Organizations may also be able to
ures, controls, and contingency plans. improve the payoffs from alliances and lower the cost of com-
pliance with industry regulations.
Phase 1 Critical Outcomes: Requirements for managing…
Phase 2 Critical Outcomes: Strategy for…
REACT …crises and priorities for restoring
critical operations REACT …responding to crises and restoring
critical operations at an alternative
CONTROL …operational risk and priorities for location
improving availability in critical areas
CONTROL …maintaining continuous availability
TRANSFORM …risks associated with collaborative and resolving non-routine events
arrangements and the availability of
shared infrastructure TRANSFORM …continuous availability across the
extended enterprise and for optimiz-
ing the value of information flowing
2 . D e ve l o p S t ra te gy across the value chain
After an organization defines a set of requirements for improv-
ing business continuity capabilities, the next step is to define a 3 . I m p l e m e n t C h a n ge
strategy that will integrate business continuity as a risk man-
The organization makes the Phase 2 strategy effort an ongoing
agement program into the fabric of the organization. The strat-
reality by investing in a structured program to apply risk man-
egy will focus on the complementary elements of monitoring,
agement standards, tackle cultural issues, and improve technol-
mitigating, and responding to risk; and these issues will encom-
ogy and processes.
pass people, processes, technology, and, increasingly, the inter-
dependence of organizations. If its focus is on recovering from a catastrophe, the organiza-
tion will establish arrangements for storing data at an offsite
If the organization’s focus is on reacting to disasters, its strat-
location, secure an alternate location where restoration of
egy will primarily address the structure and enablers of contin-
computer systems and operations will take place, document
gency plans. Organizations focused on continuous availability
contingency plans, and establish an employee awareness and
will look at the resiliency of technology infrastructure, the per-
training program.
formance needs of stakeholders, and the reliability of processes.
When an organization is focused on transformation, this scenario When the focus is continuous availability, leaders will seek to
will also encompass steps for maintaining trust between collab- improve critical infrastructure, consolidate and automate infra-
orating parties and the integrity of their mutual infrastructure. structure management processes, and implement real-time
M A N A G I N G B U S I N E S S C O N T I N U I T Y ( 1 2 )
monitoring capabilities. Continuous availability, especially in 4 . M e a s u re R i s k a n d Pe r fo rm a n c e
an extended enterprise, will also depend on establishing an As tolerance for downtime diminishes, organizations must be
event management shared service that is responsible for pro- able to measure risks and performance as well as monitor both
viding strategic leadership and coordinating interdependent in real time. These efforts should be part of an ongoing contin-
risk management activities. uous improvement effort—one in which the organization main-
tains an adequate risk posture and improves the effectiveness of
Phase 3 Critical Outcomes
its risk management program.
REACT Develop and test contingency plans
If the organization is focused primarily on disaster recovery,
CONTROL Ongoing delivery of continuously avail- efforts to measure risk and performance will involve testing
able internal infrastructure
and updating contingency plans. These efforts will also encom-
TRANSFORM Continuous availability of infrastructure pass the execution of emergency response, disaster recovery,
shared across the extended enterprise; and business resumption plans in the event of a catastrophe.
strategic use of information assets
In the context of continuous availability within an organization
or across its extended enterprise, the focus of measurement
P u tt i n g P l a n s to t h e Te s t will address the operational risks that threaten the organiza-
Organizations that develop emergency response, crisis man- tion’s ability to accomplish its goals efficiently and effectively.
agement, and disaster recovery plans need a mechanism to Monitoring in this context will link and integrate incident
determine if they are effective. In the absence of an actual dis-
response, crisis management, disaster recovery, and other
aster, testing is the best tool. Testing helps leaders answer such
questions as: processes. Monitoring will also encompass real-time perform-
ance measurement from a customer’s perspective.
1. Are assumptions about threats and vulnerabilities
correct?
2. Is the risk management strategy adequate and
The technology-driven benefits of measuring performance can
comprehensive? be significant. Organizations will likely see improvements in
3. Will crisis management processes handle all relevant security management and end-user support as well as greater
contingencies? scalability and flexibility of critical infrastructure. They will
4. Is the business continuity strategy effectively integrated also enjoy better alignment of business and technology.
with the people, processes, and technology it supports?
5. Is the organization maintaining the integrity of its Phase 4 Critical Outcomes
information?
6. Is the organization aligned to maintain its desired risk REACT Maintainability and timely execution
posture? of contingency plans
9
KPMG LLP and “Contingency Planning and Management” Survey. “A Review
of Factors Influencing Business Continuity in the Next Millennium,” 2000.
( 1 3 ) T W E N T Y - F I R S T C E N T U R Y C H A L L E N G E S F O R C O M P E T I T I V E N E S S
I M P L I C AT I O N S A N D
O P P O RT U N I T I E S
priately to crises as well as improve their ability to mitigate the risks of such events.
Such achievements can help organizations build and sustain continuous competitive
Efforts to improve competitiveness are more important than ever as the cost of downtime
increases while the value of traditional response mechanisms decreases. Faced with this grow-
ing capabilities gap, organizations need to consider whether their current approaches to risk
management and business continuity remain appropriate.
As shown in Figure 6, choosing solely to achieve timely recovery from unplanned downtime
(react) may be appropriate for certain organizations; for others, seeking to maintain information
availability so that they are always there for their customers (control) may be the better alterna-
tive, depending on the degree to which information assets drive value in the organization. When
organizational strategies rely heavily on information assets and begin to leverage extended-enter-
prise scenarios, embedding availability throughout critical areas of the value chain (transform)
will help ensure the sustainability of competitive advantage.
F i g u re 6 : Fu n d a m e n t a l D ri ve r s o f B u s i n e s s C o n t i n u i t y S u c c e s s
Competitiveness
Transform: improve information
asset performance and sustain
competitive advantage across the
extended enterprise
Availability Recoverability
Control: design, implement, React: achieve timely
and maintain 24x7 information recovery from unplanned
availability infrastructure downtime
Addressing the three fundamentals helps leaders manage risks and improve competitiveness across the
value chain.
M A N A G I N G B U S I N E S S C O N T I N U I T Y ( 1 4 )
As entities evolve into extended enterprises they will rely
Te n Q u e s t i o n s fo r L e a d e r s
increasingly on information assets. As they transform, they
As leaders assess their contingency plans and other busi-
must ensure that their business continuity strategies evolve ness continuity efforts, they should consider a number of
along with them. To leverage the opportunities inherent in critical questions, including:
business continuity management, organizations must ensure ● Is our business continuity strategy event-driven or
risk-driven and stakeholder-focused?
that such efforts are aligned and integrated with their overall
● How critical is information availability to our success?
organizational strategies.
● Are capabilities for managing business continuity
aligned with organizational strategy?
Managing business continuity within organizational strategy
● Who are our stakeholders and what is their tolerance
promotes a variety of benefits, which can include operational for unplanned downtime?
excellence, scalable technology platforms, cost-effective ● Does the risk management program address people,
technology management, and improved vendor management. processes, and technology as well as the extended
enterprise?
● Does the business continuity strategy eliminate single
L e ve ra g i n g Y 2 K I nve s t m e n t s points of failure?
When the world ushered in a new millennium, it also concluded a ● How do we reinforce key management disciplines to
$600 billion effort to correct the Y2K computer glitch. As part of ensure reliable service delivery to all stakeholders?
these efforts, many organizations developed sophisticated contin- ● Does the risk management program support real-
gency plans to respond to potential Y2K-related crises. An unex- time service monitoring and reporting with predictive
pected payoff: “Companies including 7-Eleven, Amgen Inc. and capabilities for critical infrastructure?
drugstore-chain CVS Corp. activated emergency plans after [the ● How do we optimize the value of information flowing
September 11th] terrorist attacks halted air traffic, threatening to across the value chain?
cut off supply channels for many goods nationwide. Those plans ● Does management have timely, independent assurance
had been designed to address the effects of potential shutdowns that its business continuity capabilities are adequate?
in the year-2000 transition.”10
When assessing and improving business continuity practices,
Y2K-related contingency plans are often an excellent repository.
For leaders they reflect thoughtful, comprehensive methodolo-
gies, as well as capture detailed knowledge of critical infrastruc-
ture. Determining where organizational change and new
technology assets invalidate knowledge is a challenge, but lever-
aging Y2K can help leaders achieve efficiency and effectiveness.
10
Joe Richter. “Companies Say Y2K Steps Got Goods to Market When Flights
Halted,” Bloomberg News, September 17, 2001.
( 1 5 ) T W E N T Y - F I R S T C E N T U R Y C H A L L E N G E S F O R C O M P E T I T I V E N E S S
C O N C L U S I O N
As risks have evolved and multiplied while tolerance for downtime has declined,
leading organizations are taking new steps to implement business continuity pro-
grams that protect their people as well as the information and physical assets on
A program for business continuity can influence business strategy by facilitating the compet-
itive advantage that evolves from continuous availability and customer satisfaction. Moreover,
it can help organizations shift their focus from crisis response, to proactive crisis management,
to improved risk and performance measurement, and, ultimately, to enhanced and sustained
customer satisfaction.
F i g u re 7 : B u s i n e s s C o n t i n u i t y M a n a ge m e n t S c e n a ri o s
Customer Extended
IMPACT Facilities/Processes
Satisfaction/Productivity Enterprise/Value Chain
DOWNTI M E
Da ys Hours/Minutes Zero Downtime
TOLERANCE
M A N A G I N G B U S I N E S S C O N T I N U I T Y ( 1 6 )
A P P E N D I X : I NT E RV I E W S W I T H
L E A D E R S
D e s c ri b e t h e m i s s i o n a n d s e r v i c e s o f t h e Au t h o ri t y.
Margaret E. McKeough: The Authority is responsible for operating and maintaining Ronald
Reagan National Airport and Dulles International Airport. The Authority is a self-sustaining cor-
poration. We must generate revenues to cover expenses and secure financing to construct new
facilities and needed infrastructure. Our priority in 1987 was to build a new terminal facility at
National, which was completed in 1997. Now growing demand requires significant capital
investment at Dulles. A year ago the Authority began a six-year, $3.4 billion expansion program
at Dulles that includes a fourth runway, a new air traffic control tower, gate facilities on midfield
concourses, two new parking garages, an underground passenger train system, and various infra-
structure improvements.
Valerie Holt: An airport requires services similar to a city. To support the aviation operations, the
Authority operates bus systems, fire and police departments, retail businesses, and licensing and
permits functions. The Authority itself employs 1,200 persons. The total employment base at
National is approximately 10,000 people, while Dulles Airport provides employment to over
15,000 people.
H ow d o e s m a n a g i n g t h e ri s k o f d i s a s te r s f i g u re i n t h e d ay- to - d ay wo rk o f
t h e Au t h o ri t y ?
McKeough: The aviation business requires a great focus on safety. Every airport is obligated by
federal regulation to have an emergency response recovery plan. Safety issues also extend to our
corporate functions. The stability of the Authority impacts regional transportation and the
regional economy.
Holt: An unfortunate example is the three-week closure at National Airport after September 11.
The temporary closure sent ripples throughout the regional economy, and we are still experienc-
ing its effect.
McKeough: When National Airport was closed for an extended period of time after the
September 11 terrorist attacks, countless people advocated the need for the airport to reopen.
Those dramatic responses vividly demonstrated how tied the two airports are to the health of the
regional economy.
11
Telephone interview with Margaret E. McKeough and Valerie Holt,
October 24, 2001.
( 1 7 ) T W E N T Y - F I R S T C E N T U R Y C H A L L E N G E S F O R C O M P E T I T I V E N E S S
W h a t i m p a c t i s te ch n o l o gy h av i n g o n ri s k m a n - lower square footage rates on leased space for the airlines.
a ge m e n t a n d o n t h e o p e ra t i o n a l s i d e , s p e c i f i - Until recently, industry standards suggested revenue from these
cally as a business enabler?
services would be maximized if facilities were located near the
McKeough: Technology is a key factor in efforts to heighten
airline gates, past security, where people wait to board aircraft.
security and baggage screening processes. For example, we
With the change in airport security regulations, however, it may
had new, highly sensitive CTX baggage screening equipment
now be better to locate those venues pre-security, where more
in limited deployment before September 11. The initial plan
people have access to them. We don’t know how the economic
was to have one machine at each airport. We now plan to have
model will actually be affected. With the market dynamics con-
multiple machines at both airports.
tinuously changing, the business decisions made to generate
Holt: Regardless of the industry, management is always look- revenue are going to need to be reevaluated. It’s way too soon
ing to technology to improve efficiency. For example, the high- for clarity on these issues.
est source of profit revenue for airports is usually parking R e c e n t e ve n t s a re c e rt a i n l y a ffe c t i n g h ow a i r -
operations. Traditionally, airports have used staff to manage the p o rt s a n d t h e a i rl i n e i n d u s t r y p l a n fo r c a t a s t ro -
lots and to track the huge sums of revenue associated with p h e s . W h a t i s s u e s a re a t t h e fo re f ro n t fo r yo u ?
parking operations. We are completely changing the technol- McKeough: Airports and airlines will continue to work closely
ogy that supports our revenue controls systems, to improve its in planning for and responding to disaster. Clearly, the
efficiency and accuracy, thereby reducing loss. We’re also September 11 incident identified vulnerabilities at airports
implementing technology that will read license plates electron- throughout the country. Aviation security is highly regulated.
ically, documenting how long a car has actually been in the lot. Improvements to the passenger and bag screening processes
This will eliminate the need for manpower to take manual will require greater attention, too.
inventory of the vehicles parked in the lots. We’re also planning
Catastrophe planning is ingrained in airport systems. If there is
to eliminate the exit lane personnel by using the automated
an aircraft incident on the airfield, a response plan clicks into
payment technology employed in transit systems.
activation. When we evacuated National on September 11, we
W h a t t h o u g h t s d o yo u h ave fo r a i rp o rt s a n d had to look at the ripple effects. What do you do with the
o t h e r i n d u s t ri e s t h a t m ay b e l e s s we l l p re p a re d ? checked luggage that is left behind? What do you do about the
McKeough: I certainly can’t say we’ve got all the answers. We cash registers that were left in open stores? Our focus has
reopened both airports, but we’re not fully back in business yet, and always been on the “air side” of airport operations, but we rec-
clearly, with every day of not being back, our challenges mount. ognize the need to reconsider the land side implications of dis-
Holt: When the revenue flow into your business is impacted, aster planning and the impacts on corporate functions.
you need to manage costs and, in our case, the hundreds of I’ve joked with Valerie that the development of a formal busi-
third-party contracts that support our operations. Security, for ness continuity plan used to be at the bottom of a large stack of
example, could represent a tremendous cost. If the federal gov- priority projects. Well, after September 11, the needs flow out
ernment adjusts the way that’s handled, it could also adjust how of your head a lot quicker because you’re experiencing them
it’s funded. The business challenges are enormous. right now. You don’t have to predict the response plan; you’re
McKeough: Every airport relies on its retail and food and bev- living the response plan.
erage concessions to generate a certain amount of revenue. In
some cases, those revenues help reduce the rents charged to the
airlines. So, higher food and beverage and retail revenues mean
M A N A G I N G B U S I N E S S C O N T I N U I T Y ( 1 8 )
John Ball, Standard Chartered Bank
Based in Singapore, John Ball is head of markets operations in the global markets division of
Standard Chartered Bank. With facilities in 57 countries, U.K.-based Standard Chartered pro-
vides risk management services to local and multinational companies, including investment and
financial institutions and central banks. It has 150 years’experience in emerging markets—espe-
cially in the currencies of Asia, the Middle East, and Africa. Ball talks here about how new tech-
nology is enabling improvements in disaster recovery and business continuity.12
H ow d o e s yo u r o rga n i z a t i o n a p p ro a ch t h e i s s u e o f b u s i n e s s c o n t i n u i t y ?
Simplistically, we view disaster recovery (DR) as loss of software and systems and business con-
tinuity (BC) as loss of premises. Each of our locations has to have its own standalone DR and BC
plans that they test on a regular basis. For locations in our core markets, where we operate main-
frame applications, we outsource the maintenance to a third-party service provider that guaran-
tees DR. Each location is also required to have identified an alternative BC plan (BCP) site. In
London, for example, that site is in a separate building altogether.
Within markets operations we are centralizing the transaction processing for 10 sites, including
U.K., U.S., and our Asian core markets, into two processing centers. In addition, we are replacing
the mainframe applications with scalable solutions that we are moving into a single global data
center in the United Kingdom. The 10 sites and two processing centers access the applications in
the data center remotely. There are considerable risks associated with such a facility. Consequently,
for DR purposes we operate a second data center in a separate building that is a real-time image
of the first and connected via a fiber-optic cable.
Each data center has been designed to operate the complete set of markets’ applications at full oper-
ating capacity. In practice, the applications are split between the two data centers with data mir-
rored to the non-active site for fail-over operations. Therefore, if the primary center goes down, the
failure will not be apparent to the users because its mirror image will already be operating.
W h a t a re t h e b u s i n e s s d ri ve r s o f yo u r a p p ro a ch ?
We decided in 1999 that we needed to reduce our unit operating cost. We operate in some fairly
expensive places—Hong Kong, London, Singapore—and we wanted to create economies of
scale. Our mainframes weren’t scalable, and they had no Internet technology, which is going to
be a number-one requisite going forward.
To minimize cost, we realized that we needed to move off the mainframe, use common applica-
tions in all locations, create economies of scale for processing, and apply standardized procedures
and controls. That meant consolidating all our software into a single location, thereby reducing
not only mainframe charges but also support costs and future upgrade costs. We also addressed
the issue of DR through the creation of the split data center concept. Obviously, there is a risk with
operating the data centers in the same city, if both buildings go, but that is a business risk we are
comfortable with.
12
Telephone interview with John Ball, November 7, 2001.
( 1 9 ) T W E N T Y - F I R S T C E N T U R Y C H A L L E N G E S F O R C O M P E T I T I V E N E S S
H ow d o t h e s e b u s i n e s s i s s u e s a ffe c t yo u r b u s i - affected due to the ability of staff to invoke the DR at our BCP site.
n e s s c o n t i n u i t y p ro g ra m ? The fact that we made 98 percent of our payments on September
We operate from the time the markets open in Japan until they 11 is testament to the quality and commitment of the people and
close in New York. In creating our BCP, we knew we would the fact that it is critical to have a viable DR and BC plan.
need processing capabilities that could enable us to support
H ow w i l l o rga n i z a t i o n s ch a n ge t h e i r b u s i n e s s
locations in all time zones. We decided on a two-center strategy. c o n t i n u i t y p ra c t i c e s i n t h e f u tu re ?
We built our first processing center in Singapore in November
I think we will all be better prepared. Like everyone else, we
2000, and it is now handling transactions for Singapore, Hong
have become much more aware of the importance of BCP.
Kong, and Japan. In May 2002, our second processing center
People used to pay a lot of lip service to BCP and consider it a
will be live in India, where we will process transactions gener-
necessary evil. It is time consuming and can be expensive. But
ated from Mumbai through to New York close. The implemen-
our experience on September 11 showed us just how beneficial
tation of two processing centers gives us built in business
having properly prepared BC and DR plans can be. I know some
continuity. However, until both centers are live, Singapore oper-
institutions struggled after September 11—institutions I would
ates a standalone BCP.
have expected to have been better prepared. I think to a large
In the longer term, we intend to roll out this model in Africa as extent complacency had set in. As a U.K. bank, we have seen the
well as in the Middle East/South Asia (MESA) region. The impact on business of terrorist activity in London, and that
Africa project is well advanced in creating two processing cen- made us much more aware of the associated issues. I think peo-
ters to support the region. We hope to start the MESA project ple’s awareness has certainly changed now, especially with
next year, the objective of which will be to consolidate applica- regard to areas previously considered reasonably safe.
tions into a single data center and a single processing center to A l t h o u g h b u s i n e s s c o n t i n u i t y p l a n s h ave b e e n
support the region. The ultimate goal will then be to consolidate re ga rd e d a s a c o s t , t h ey h ave o bv i o u s l y p rov i d e d
all the regional processing centers so that there are just two sup- va l u e . H ow d o yo u fo re s e e t h e i m p l e m e n t a t i o n o f
B C P ch a n g i n g i n t h e f u tu re ?
porting the whole of global markets.
In the short term, people have chosen temporary BCP solu-
W h a t a re t h e m o s t wo rri s o m e t h re a t s to t h e c o n -
tions—one in which, for example, you rent space in an empty
t i n u i t y o f yo u r e n te rp ri s e ?
building that you hope never to use. But I think they will even-
The answer depends on the country. In the United Kingdom,
tually move toward in-built business continuity, as we are doing,
our biggest threat has been due to terrorism. In Indonesia,
and new technology makes that possible.
where we are a foreign bank in a country that’s had considerable
political and economic troubles in recent years, our problems There is no longer a requirement for big mainframes that are
arise due to rioting and changing attitudes. expensive to operate; with new technology you can mirror data
remotely, operate live back-up sites, and add processing power
In Singapore and Hong Kong, on the other hand, our main
fairly easily. Take us, for example. We operate a single data cen-
threats are fire or natural disasters. We would have said the
ter in London that essentially functions as our DR site. So, whilst
same of New York prior to September 11. We housed our pay-
we may have spent a little bit more on putting the necessary hard-
ments systems and cash management operations in 7 World
ware in place, it’s not that much more of an incremental cost over
Trade Center, where we were tenants.
what it has been to upgrade our applications.
When we evacuated 7 World Trade Center, some of the IS and
Changes in technology enable people to change the way they
IT support teams were able to get to New Jersey and initiate the
view DR and BCP. The new technologies will be incorporated
critical back-up applications there. Like everyone else, we had
into the organizational infrastructure as companies upgrade
problems getting the right people to the right location, but fortu-
from mainframes to the next generation of technology.
nately, our U.S.-dollar (USD) clearing was not significantly
M A N A G I N G B U S I N E S S C O N T I N U I T Y ( 2 0 )
KPMG’s Risk and Advisory Services
KPMG’s Risk and Advisory Services (RAS) practice focuses on the fundamental business issues—
managing risk, increasing revenues, controlling costs—that all organizations, in all industries, must
address in order to flourish. RAS encompasses a wide array of advisory services designed to help
companies deal with these issues and to better manage the financial and operational functions of their
organization. RAS professionals help companies identify and manage risks, including the risks inher-
ent in the technology systems used to support business objectives, and provide them with informa-
tion to help them meet their strategic and financial goals.
Felipe Alonso
Charles McKinney
Rick Cudworth
Jeanne Edwards
Sally Hales
David DiCristofaro
John Boucher
Robert A. Litt
Sarah Wise
Colleen Drummond
Diane K. Nardin
The information contained herein is of a general nature and is not intended to address the circumstances of any par-
ticular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guar-
antee that such information is accurate as of the date it is received or that it will continue to be accurate in the future.
No one should act upon such information without appropriate professional advice after a thorough examination of
the particular situation.
©2001 KPMG LLP, the U.S. member firm of KPMG International, a Swiss association. All
rights reserved. Printed in the U.S.A. on recycled paper. 23522atl