A fast and effective recovery from a fire, earthquake, or malicious attack, depends on two key components: a comprehensive recovery plan and a carefully selected business-recovery team. All 320 employees of the US Securities and Exchange Commission (SEC) may have escaped unscathed the series of terror attacks that demolished New York's World Trade Centre on September 11, but vital documents did not. The commission's office was incinerated during the collapse of Tower 7, destroying crucial evidence and reportedly jeopardising its investigations into initial public offerings and other cases. Certainly the SEC can ask companies under investigation, or charge, to produce copies of documents they've already given the SEC, former New York operations leader Carmen Lawrence told Bloomberg News. "But they'll have to scrap many cases and start from scratch on others," she added.
Now we know why business continuity planners invest so much energy in preparing detailed disaster recovery plans that extend way beyond IT recovery. Getting back up and running after the world throws its worst at you is not only about ensuring an IT provider is always on hand to rescue computer networks, data and host IT services should your computer systems be destroyed. It's also about finding ways for the business to continue should the earth be pulled from under everyone's feet, buildings and paper-based documents destroyed and vital employees killed.
Thousands of lives were lost in the attacks on the WTC. More than 406 buildings were damaged, with eight demolished, including the twin towers. But the total disruption spread far wider. The attacks took out subways, roads and bridges and forced authorities to restrict access on security grounds. Communications and transport were severely disrupted.
In the wake of the attacks some organisations were left reeling, their offices destroyed or access to their buildings blocked off, forcing them into a frantic scramble to retrieve lost data or find somewhere to host their operations. Others seemed to make a virtually seamless transition to managed disaster recovery facilities. Business continuity planners who knew their stuff can glory in the way their banking, finance and regulatory businesses maintained essential processes throughout the disaster. But even the best disaster recovery plans were severely tested by the destruction. As businesses everywhere dust off their disaster recovery plans in the wake of September 11, in the new environment of menace where anyone seems a possible target, there are vital new lessons to absorb about what makes for an effective business continuity plan.
Considering that until the attacks happened even the US military believed the events of September 11 were impossible even in the worst-case scenarios. Experts now say business should focus on a new set of priorities, which even the best current plans may not address. All companies now face new concerns that must and should be incorporated into disaster recovery plans.
"The primary concern for major disaster recovery has refocused from natural disasters to include terrorist attacks within CBDs affecting buildings and infrastructure randomly over a large radius," says Tony Newman, a senior consultant with Australian company Montrose Computer Services. "The critical concerns now are the safety of people - human resources, the accessibility to buildings - the need for alternative premises off-site and outside of the local area, and the IT infrastructure needed to maintain normal business services - the need for off-site recovery facilities and mobile communications." Disaster recovery plans that don't consider all of the above may one day prove worse than useless, Newman predicts"I think what this disaster has proved is that technology is not as big a risk as is the way we use technology to do business. It is the emphasis on the people, and our dependency on them, and how we choose to operate," says IBM general manager and vice president New-York based business continuity and recovery services group Todd Gordon. "The fact that the networks are very redundant, hardware is almost infallible, and we have multiple pieces of equipment to do the same tasks [means] we have geographic load balancing. We have become quite sophisticated as users and as IT providers in terms of how technology is used."
Or as Charles Micallef, a director with Peter Voysey & Associates, puts it: "It's no use just getting your IT up and running in 24 hours if you've got nowhere for your sales force or your marketing force to take orders. If you're providing some sort of help-desk facility and that's a critical part of your business, you need to be able to switch to another site, another venue."