Business Continuity Trends: Programs and Pandemics
Interview With Gartner's Roberta WittyQ: How well prepared are financial institutions in terms of their overall preparedness for a disaster?
Witty: There certainly is a heightened sense of awareness. One of the things we're seeing companies do is more frequent testing. The financial services industry has been doing well in this area, especially because of the increased regulatory scrutiny by examiners. Overall financial institutions are doing a better job of preparing for disasters. For the most part, financial institutions are doing a decent job in the areas of BCP and disaster recovery efforts. The majority of the larger banks have full-fledged business continuity management programs in place, where they look at not only the recovery of their technology, but are also looking at the larger picture of crisis management, emergency notification and incident management. Their programs take into consideration all of those things surrounding how to manage a business interruption.
Q: What's the difference between a technical outage and a non-technical outage, and what are some of the considerations that are overlooked?
Witty: There are many business interruptions that occur which are not necessarily triggered due to a technical outage or failure. If there is any industry that understands that business continuity means recovering the business process it is banking. I find it interesting in that most companies don't have a business continuity manager, but they will have a disaster recovery manager. Why? Because their focus has been on 'What if the technology goes down?' That's fine most of the time, and everyone should be looking at technology failures, but there are other reasons why operations stop. One example of this is when your service vendor can't deliver the goods or services as promised. Or in the case of a regional disaster across a wider geographic area in addition to your bank's main site, the disaster also takes out your other sites. In the case of wider geographic disasters, entire areas may be rendered unlivable. We saw this during 9-11 where entire neighborhoods were closed, and people could not get back in to their homes or businesses. The workforce is impacted along with people's homes. Companies aren't planning for those kinds of wider ranging events. They're also not planning for outages based on major supplier problems or an outside service provider being unable to provide a vital service. Whether it's technical or a business process provider (especially with all of the business outsourcing going on in financial services), those outsourced functions are still part of your business cycle and they must be looked at closely for your needed requirements. I would add that even more planning is needed on the part of the vendor.
Q: What's your expectation for technology uptime during a longer event, such as a pandemic outbreak?
Witty: In terms of pandemic planning, I see there's going to be real breakdown of technology in the third or fourth week of a pandemic. The scenario I see is as follows: The first week you're going to have limited amount of workforce damage, people are getting sick, but operating at a level that business can still continue. By the end of the second week, it's not just your institution but all of your suppliers and vendors and the guys who come in to maintain your equipment in your data center who aren't coming in. Why? They're starting to be impacted because they're in the same geographic area as you are. You'll start to see degradation of IT services, so by the end of the third week your staff is diminished, your vendor staff is diminished and people can't respond to a technical outage in the same way. Even simple replacement calls will go unanswered -- you may not be able to get parts because there's no one to deliver them. I see by end of the third week that there could be some real impact on the deliverability of technology.
Q: What about Internet availability and telecomm issues during a pandemic?
Witty: What we recommend for key personnel who will be working remotely is that there be more than one service provider available for their use. Two ISPs and two phone carriers (if available) should be signed up for service. While this may be the belt and suspenders approach, you don't want to have your head of IT operations or other critical personnel unable to log in or call in to your data center during an emergency. You have to start planning for these types of things now -- before a pandemic strikes. Once that event strikes and law enforcement and health officials begin putting in place travel embargoes and quarantines into effect, you really can't expect phone or Internet installations to take place. People will start to react and ask for service, and there may either be periods of waiting to get service or even no service available because no one is there to deliver it.
Q: What about other critical infrastructures -- are they well prepared for a pandemic or regional disaster?
Witty: I think the telecomm companies are pretty much able to handle disasters, and they are prepared for those kinds of emergencies. They are equipped to restore service, and the fact that they may take a while is part of the recovery process. There remain some questions as to Internet availability during a pandemic and how it would impact communications networks. As for those availability issues, there is still much to be worked out. Institutions that have remote workers may have to shift part of the work to different hours of the day based on availability of internet resources in a geographic area.