
Continuity for the Rest of Us:

BC For SMEs

Kathleen A. Lucey
kalucey@montaguetm.com
tel: (1)516.676.9234

.
Continuity Trends Since 9/11 in the US:

SMEs Need Something Different

.
Part I: Recent Events Raise the Bar

Part II: How Can SMEs Get What They Want...and What They Need?

.
Part I: Recent Events Raise the Bar

.
First, a few effects of 9/11 on downtown Manhattan...

[Chart: Destroyed Buildings (figure not recoverable from the extracted text)]

Source: Special Report: WTC Tenant Relocation Summary, TenantWise, Inc., 2003

.
And a few more...

• Madrid 3/11/2004
• London 7/7/2005, 7/21/2005
• Katrina: Louisiana and Gulf Coast, 8/2005
• Rita: Louisiana and Texas, 9/2005
• Earthquake in Pakistan and India: 10/2005
• Wilma: Mexico and Florida, 10/2005
• New Delhi: 10/2005

.
Post-9/11 Trends
• Politicization of Business Continuity
– Homeland Security Department includes FEMA
– Patriot Act
– Pre-emptive wars: Afghanistan, Iraq
• Results-oriented regulation
– Inter-agency White Paper
– NASD regs 3610, 3620
– Sarbanes-Oxley
• California Law 1386 (2003), NY State Information Security Breach and Notification Act (August 2005)
• Increased BC awareness across most non-regulated sectors, and especially SMEs

.
What we have learned...
• Effective response is a complex issue, and much larger than data center Disaster Recovery.
• Small and medium-size businesses are largely unprepared, but worry.
• Success = BC + Emergency Management + an ongoing program
• External and intra-industry dependencies have been mostly ignored.
• Resilience is the most effective strategy...and it is an organizational, not just a technical issue.

.
Trends Today
EFFECTIVE RESULTS?

• Compliance with regulatory checklists is NOT enough.
• Not all responses can be planned. Tools and information are necessary but not sufficient.
• The most effective 9/11 responses empowered operating-level people.
• Testing must become MUCH more serious: greater verisimilitude.
• Effective emergency communication is primary: automated notification systems.

.
Trends Today
SMALL AND MEDIUM-SIZE BUSINESSES ARE VULNERABLE

• Widespread awareness and concern.
• Traditional BC methods are too expensive and seen as unnecessary.
• Tools that are effective AND well-adapted to SME needs are difficult to find.
• Clear need to develop SME baseline standards and techniques.
• Pressure from large customers and/or suppliers can be a driver.

.
Trends Today
INTER-DISCIPLINARY AND INTER-SECTOR WORK IS NEEDED

• Government sets security levels, but the private sector holds 85% of critical infrastructure.
• Piecemeal solutions with different mindsets and languages:
– IT: D/R and Technology InfoSec
– Facilities: Infrastructure, Engineering, and Physical Access Control
– Emergency and Crisis Management Planning
– Organizational Planning, Strategic Planning, Social Sciences
– Internal Audit, External Audit
– First Responders: insider jargon and procedures

.
It is not an option to remain where we have been...and where we are.

.
Trends Today
EXTERNAL AND INTER-INDUSTRY DEPENDENCIES

• Few businesses accomplish all of their critical functions alone:
– Communications
– Transportation, supply and distribution
– Outsourcing
• Contractual penalties are insufficient to guarantee business survival.
• Creativity, planning, and persuasion are all required. WORKING TOGETHER!
• Multiple-sector testing is difficult and expensive. Need more public sector support.

.
It is not an option to remain where we have been...and where we are.

.
Trends Today

RESILIENCE
“The power or inherent property of returning to the form from which it is bent, stretched, compressed, or twisted.”
– of objects or substances
“The power or ability to recover quickly from a setback, depression, illness, overwork, or other adversity.”
– of people
“The ability of a system to keep working when one or more of its components malfunctions. Also called fault tolerance.”
– of systems

.
Part II: Where Can SMEs Get What They Want...and What They Need?

.
• How do SMEs see Continuity?

• Ask them and they will tell you.

.
SME Continuity Requires the Proper Event DNA:
Definition, Notification, Action

.
What is DNA?

Includes designed processes and tools for:

Definition of events +
Notification and communication activities
required for immediate response +
Action plans to respond to events.

.
Definition is key

Poor Definition = emergency response tragedies:

• Regional Blackout of August 14, 2003
• Three Mile Island
• 9/11

.
Notification

Tools and strategies must be:

• Carefully designed for feasibility
• Understood and rehearsed; UP-TO-DATE
• Cover initial interruption management + recovery + return (move)

.
INTERRUPTION MANAGEMENT MODEL

[Diagram: Initial Interruption Management. Boxes as labelled on the slide: Interruption; Executive Management Oversight; Employee Support; EMT; Government Liaison; Emergency Logistics Team; Emergency Funding; Transportation, Communications; Media Relations Team; Command Center; Physical Security; HAZMAT Support Team; Admin. Services; Damage Assessment; Business Continuity Coordination; Insurance Liaison; Site Repair or Relocate.]

[Diagram: Recovery Management. Boxes as labelled on the slide: Business Recovery Coordination; IT Recovery Coordination; Purchasing; Site Repair and Restoration; Site Relocation; Information Re-creation; Business Continuity Teams; Technology Recovery Teams.]

© 2005 Montague Technology Management, Inc. All rights reserved.

.
Actions

Implemented Actions and strategies should:

• Be additive: chosen to cover the maximum number of scenarios first.
• Provide the best response to requirements: the right choice.
• Provide a continuity capability that increases measurably over time.

.
ALL DNA processes must be working to achieve effective continuity.

.
Where are MOST of the Continuity Challenges??

CONTINUITY ISSUES            BCARE SOLUTIONS
Catastrophic Interruptions   Continuity
Minor Interruptions          Availability
Everyday Blips               Reliability    (Core Business Value Chain Processes)
Process Dysfunctions         Engineering    (Core Business Value Chain Processes)

.
BC Jumpstart for SMEs

Steps 1 through 4:

1. Interruption Scenario Class Definitions: Internal and External.

2. Strategies and Tools by Scenario Class: Additive continuity components and interruption avoidance / mitigation measures by scenario class.

3. Gap Analysis: The firm’s current capability vs. the recommended set of continuity components and avoidance / mitigation measures, by scenario class.

4. Project Plan: Timeline and cost estimates to move forward.

.
Interruption Scenario Classes

EXTERNAL SCENARIOS
Classes: 1 - minor (a and b) to 5 - catastrophic
• External scenario characteristics:
– Day / time (workday hours, non-working hours)
– Geographic scope
– Length of time
– Premises infrastructure services impact
– Firm premises damage
– Injuries to firm personnel
– Effect on workplace

.
External Scenario Classes

DURATION OF INTERRUPTION BY CLASS

Class              Length of Interruption
1: Minor           less than 1 day
2: Significant     1-3 days
3: Serious         3-5 days
4: Very serious    5-10 days
5: Catastrophic    10 or more days

.
Internal Scenario Classes

Specific to each firm and each site. For example:

Class   Description
A       Local equipment failure
B       Local PBX failure
C       Central network outage
D       Workplace violence
E       Supplier outage
F       Disclosure of confidential information
G       Key staff loss
H       Reputational Risk

.
Benefits for SMEs

• 1: Avoid the risk. 2: Lower the risk probability. 3: Recover, reduce damages.
• Implement FIRST what is needed for all interruption scenarios.
• Pay attention to the obvious.
• Spread development and costs over time by building to catastrophic, “worst-case” capability step-by-step.
• Make BC capability progress visible, measurable, understandable, and “present-able.”
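As an added illustration (not from the deck or from Montague Technology Management), the following Python models steps 2 through 4 of the BC Jumpstart and the "additive" rule above over the deck's own scenario classes (external 1-5, internal A-H). The recommended measures, their costs and the classes each covers are constructed assumptions; a real engagement would fill them in per firm and site.

```python
from dataclasses import dataclass

# Scenario classes as defined in the deck: external 1-5 by interruption length,
# internal A-H (the firm-specific examples the deck lists).
EXTERNAL = {1: "Minor, <1 day", 2: "Significant, 1-3 days", 3: "Serious, 3-5 days",
            4: "Very serious, 5-10 days", 5: "Catastrophic, 10+ days"}
INTERNAL = {"A": "Local equipment failure", "B": "Local PBX failure",
            "C": "Central network outage", "D": "Workplace violence",
            "E": "Supplier outage", "F": "Disclosure of confidential information",
            "G": "Key staff loss", "H": "Reputational risk"}
ALL_CLASSES = frozenset(EXTERNAL) | frozenset(INTERNAL)

@dataclass(frozen=True)
class Measure:
    name: str
    cost: int            # constructed estimate, arbitrary units
    covers: frozenset    # scenario classes this measure addresses (assumed)

# Step 2, constructed: recommended components and mitigation measures by class.
RECOMMENDED = [
    Measure("Automated notification system", 15, frozenset({1, 2, 3, 4, 5, "A", "B", "C", "D", "G"})),
    Measure("Offsite backups + restore test", 20, frozenset({2, 3, 4, 5, "A", "C", "F"})),
    Measure("Second supplier for critical inputs", 10, frozenset({3, 4, 5, "E"})),
    Measure("Alternate work site agreement", 40, frozenset({4, 5})),
    Measure("Cross-training for key roles", 8, frozenset({1, 2, 3, 4, 5, "G"})),
    Measure("Incident and media response plan", 5, frozenset({3, 4, 5, "D", "F", "H"})),
]

def gap_analysis(recommended, in_place):
    """Step 3: measures the firm lacks, classes already covered, classes nothing covers."""
    have = [m for m in recommended if m.name in in_place]
    missing = [m for m in recommended if m.name not in in_place]
    covered = frozenset().union(*(m.covers for m in have))
    return missing, covered, ALL_CLASSES - covered

def additive_order(missing, covered):
    """'Be additive': take the measure that newly covers the most classes first
    (ties: cheaper first); measures adding no coverage go last, cheapest first."""
    plan, covered, remaining = [], set(covered), list(missing)
    while remaining:
        best = max(remaining, key=lambda m: (len(m.covers - covered), -m.cost))
        if not (best.covers - covered):
            break
        plan.append(best); covered |= best.covers; remaining.remove(best)
    return plan + sorted(remaining, key=lambda m: m.cost)

def project_plan(recommended, in_place):
    """Step 4: ordered steps with cumulative cost and classes covered after each."""
    missing, covered, _ = gap_analysis(recommended, in_place)
    rows, total, cov = [], 0, set(covered)
    for m in additive_order(missing, covered):
        total += m.cost; cov |= m.covers
        rows.append((m.name, total, len(cov)))
    return rows
```

Each row of `project_plan` is one step of the timeline, so the coverage count makes capability progress measurable in the sense the deck asks for.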

.
And so what does all of this mean for us as business continuity professionals?

.
We Need to GROW!

• Accept that current “best practices” are not the only truth.
• Study the concepts of allied fields; stay open to new ideas. Learn!
• Connect to related disciplines: emergency management, InfoSec, facilities, infrastructure, equipment reliability and physical security...and organizational theory!
• LISTEN....LISTEN.....LISTEN....AND HEAR!

.
References (1)

• Interagency Paper on Sound Practices to Strengthen the Resilience of the U.S. Financial System, Board of Governors of the Federal Reserve System; Office of the Comptroller of the Currency; and Securities and Exchange Commission. Draft (Sep 2002): http://www.sec.gov/rules/concept/34-46432.htm Final (Apr 2003): http://www.sec.gov/news/studies/34-47638.htm
• Report: Crisis, recovery, innovation: responsive organization after September 11, John Kelly, David Stark. Center on Organizational Innovation, Columbia University. New York, NY, June 2002. http://www.coi.columbia.edu/pdf/kelly_stark_cri.pdf
• SEC Approval of NASD Rules 3510 and 3520, including amendments 1-8, as published in the Federal Register, April 7, 2004. http://www.nasdr.com/pdf-text/rf02_108_app.pdf

.
References (2)

• Special Report: WTC Tenant Relocation Summary, TenantWise, Inc., 2003. http://www.tenantwise.com/wtc_relocate.asp
• *“A Desk on the 20th Floor: Survival and Sense-Making in a Trading Room,” Daniel Beunza, David Stark. Working Paper Series, Center on Organizational Innovation, Columbia University. Available online at http://www.coi.columbia.edu/pdf/buenza_stark_d20.pdf
• 5 Habits of Highly Reliable Organizations, Keith H. Hammonds, “Fast Company Magazine,” Issue 58, May 2002, Page 124. http://www.fastcompany.com/magazine/58/chalktalk.html

*Note extensive bibliography.

.
Questions ??

Kathleen Lucey
Montague Technology Management, Inc.
kalucey@montaguetm.com
(1)516.676.9234