Introduction

 

This paper is part of a series of initiatives undertaken by the New York State Forum for Information Resource Management (NYSFIRM) to assist New York’s state and local government organizations with determining their planning needs in light of September 11, 2001 (September 11).  It addresses a critical question:  If disaster – natural, technological, or man made – were to strike a facility or network that houses state workers and data, what support exists or is required to secure safe and continued public service to the people of New York?

 

Our purpose is to find support for a continuity planning commitment in New York State government that assures both the ongoing safety/productivity of state workers and the optimal delivery of critical state services to our constituents during and following crisis.  The paper first provides a rationale for continuity planning in the public sector, then defines and distinguishes continuity planning in the context of more familiar concepts and terminology.  Following an examination of current legislative and executive initiatives designed to set standards and coordinate strategies for effective planning, we will conclude with a review of current best practices involved in continuity planning phases and offer recommendations for action.

 

A Rationale for Readiness

 

State government’s responsibility to plan for the continuity of its operations in the face of “a wide variety of disasters” is not a new concept, as the following 1978 legislative finding reflects. However, since that time, profound innovations in information technologies and the devastating events surrounding September 11, have properly sparked renewed concern for just how well prepared we are.

 

The legislature hereby finds and declares that a wide variety of disasters, often caused or compounded by mankind’s own acts, cause loss of life, property and income, disrupt the normal functioning of government, communities, and families, and causes great human suffering.  The legislature further finds that it must provide for preparations to prevent, meet, and defend against and recover from, dangers and problems arising from these emergencies with the least possible interference with the existing division of the powers of the government….The legislature finds that the state must give leadership and direction to this important task of establishing an emergency disaster preparedness program for the protection of each person in the state.

 

NYS Executive Law Article 2B, Disaster Preparedness § 20:

 Historical and Statutory Notes L.1978, c. 640 §7

 

First, rapidly emerging technologies have bred increasing interdependencies between and among the private sector and government agencies, leading to an increasing dependency upon those technologies to access, transmit, and store the vital information that is their premier business asset. Technology is changing the way we do business, causing a shift away from stovepipe structures in government toward a theoretically more collaborative and efficient “government without walls.”[1]  E-commerce and e-government initiatives have taken root, allowing citizens, businesses, and state agencies to become purveyors and consumers of web enabled information flow and transactions 24 hours a day, 365 days a year.  Consequently, new business and management theories like business process re-engineering (BPR) and enterprise resource planning (ERP) have called for careful identification and integration of business functions with technology, and for application of critical change management practices to prepare the workforce to meet the challenges at hand and ahead.  The very structure of the Internet itself – a self-organizing, decentralized entity born of the military’s desire to ensure the survival of valuable information and the continuity of communications during attack – has emerged as an attractive paradigm on the business landscape, challenging old lines of authority with those less tried. 

The new dynamic has also bred new risks.  For example, a single disgruntled employee has the capacity to sabotage an entire system.  Or, the anticipation of unknown disastrous consequences inherent in the Y2K rollover recently mandated costly, deep reaching, cross-organizational planning to identify, address, and mitigate vulnerability from technological failures.

 

Second, the unprecedented events of September 11 have renewed fear in the American consciousness of the likelihood of enemy attack, a fear that had become much diminished since the demise of the Cold War.  Aware that we are vulnerable to unexpected and sudden hits by powerful enemies determined to topple our way of life, we hunger not only to be secure, but also to believe that everything possible is being done in the interest of public safety, or “homeland security.”  This need to believe we are secure creates secondary vulnerabilities, arising from the creation of false securities purchased by illusions of redress or resulting in victimization by opportunist vendors, as well as potentially restricting the very freedoms “our way of life” celebrates.  September 11 and its aftermath opened our collective eyes to knowing that planned, successful, subversive attacks can happen without warning…and because they have happened, we believe it is likely they will happen again.  We must be ready to successfully mitigate both effects of attack and effects of fear on government business by careful, responsible planning.

 

Readiness requires that state government be able to continue meeting the needs of its people despite the fear, chaos, and suffering disasters breed.  Readiness requires developing a flexible, current, and tested planning process in each office, planning that accounts for inventory, alternative communication channels, contingencies, workforce commitment, and understanding of critical priorities.  Planning distributes limited resources allocated for backed up data, replaced equipment and applications, and the needs of critical displaced, reduced, or disabled personnel.  Planning also educates those charged with implementation as to impacts, risks, and remedies.  Planning demands support from leadership expressed in terms of time, enthusiasm, and money.  This calls for accountability that can only be met because stakeholders and stewards alike believe that preparation of resilient internal operations is a prudent economic practice of the public’s business. 

 

 

The Public’s Business and Continuity Planning:

What’s in a Name?

 

A reader could reasonably ask what has “business continuity” to do with public sector viability.  The answer resides in understanding the nature of the “business of government,” distinguishing between continuity planning and related concepts, and assigning appropriate terminology to identify and build the distinct value business continuity planning will bring to government operations.

Business continuity planning (BCP) experts predict that “2 out of 5 of enterprises that experience a disaster go out of business within 5 years.”[2]  However, unlike the private sector, State governments and their agencies don’t go out of business.  Discontinuity in the state’s ability to conduct the public’s business is reflected in lost information, revenue, programs, credibility, and confidence, with increased vulnerability, chaos, and human suffering.  The public’s business is the public services that assure the public’s welfare.  If the state is to secure the public’s welfare through and after crisis, it must practice a gamut of self-awareness exercises before the crisis that ensure the networks of people, places, and things employed to carry out those services are informed, trained, maintained, upgraded, and enabled to continue operating despite disruption, without loss of services essential to constituents no matter how great or small the crisis is.  This type of examination of service processes and priorities, coupled with the consequent strengthening of the systems needed to deliver those services, is called business continuity planning. 

 

 

 

The Relationship to Disaster Planning

 

Understanding business continuity planning calls for making a distinction about the valued role BCP plays in a family of “planning relationships.”  (See Fig. 1.) The “family” is an ancient but still growing body of work – that is, work related to securing the resources an organism needs to survive in the midst and aftermath of a crisis.  We might say that BCP is the youngest generation in the family line, a legitimate descendant of such familiar concepts as good health or a fighting chance.  Throughout the millennia, human bodies have developed complex immune systems to fight disease.  Through experience, human beings have acquired knowledge of what to do to survive in the face of natural or enemy attack:  pull up the drawbridge; batten down the hatches; head for the storm cellar; circle the wagons; quarantine the contagious; fight fire with fire.  Survival has always begun with having the right response to a particular threat and the resources needed for that response.  Continued survival after the fact has always depended upon an ability to sustain loss and recover function.  As learning organizations unto themselves, the fittest survive because they anticipate change and adapt, and business enterprises or state agencies are not exempt from the process.

The generational relationship of the concepts behind the traditional terms is logical and progressive, rather than redundant or interchangeable.  The related planning terms, familiarly named disaster response, disaster recovery, disaster prevention, disaster preparedness, disaster mitigation, or contingency planning, are all from the same gene pool, but BCP comes with some evolutionary improvement, offering a refreshing new skin stretching to bind and protect the “business” from discontinuity.  The branches on BCP’s family tree support distinct survival mechanisms by addressing key concerns:  What do we do now?  What went wrong?  What can we do to prevent the problem?  How are we vulnerable?  What can we do to reduce the effects of our losses?  If we are unable to implement Plan A, do we have a Plan B, or C, or D…?  These questions have been addressed by formulating multiple plans.  Business continuity planning encompasses or embraces all the kinds of plans and questions named in Fig. 1, but guides them with an eye on sorting out what resources and services must continue if the public’s critical needs are to be met.

Business continuity planning is the branch of thought that reasonably addresses How many plans do we need or can we prudently afford?  It is a layer of thought that could not emerge until after those that preceded it had surfaced; ironically, it now raises questions that must be asked before investing limited resources in any effective planning whatsoever.  If continuity is the goal, then the needs of continuity must drive the details of specific choices the organization makes long before discontinuity occurs.  BCP in state government seeks to understand what will happen to the agency’s critical services if certain functions are discontinued – no matter what the cause – and measures the risk of loss against the cost of readiness through developing alternative, redundant, or resilient resources.  It determines a tolerable level of discontinuity and acts to keep the agency functioning within or above that level.[3]  Such understanding requires naming the agency’s mission; naming the business functions critical to the mission; naming the supporting personnel, technologies, and facilities needed to carry out the business functions; naming the impact created by loss of function; naming priorities; and then preparing people, places, properties, and processes to carry out the functions despite failure of “normal” operations. The long shadow of the naming intimates hard choices about investments and state resources. Business continuity planning is the protocol that navigates the “choice makers” through the shadows.

 

 

Naming

 

Because business continuity planning is still finding its way into common exchanges around the new millennium water cooler, the term is often misused or misunderstood by and among the stakeholders who have not yet agreed upon its meaning, and consequently, its value.[4]  For example, at a recent presentation to NYSFIRM members, Meta Group Vice President Al Passori declared that although disaster recovery commonly refers to technology functions and business continuity is used for the work area, the terms are “in reality interchangeable terms.”[5]  At a subsequent NYSFIRM seminar dedicated to business continuity, presenters from Empire Blue Cross/Blue Shield, Gartner Group, and Veritas rarely used the billed term, but rather elected to speak of business continuity in terms of a disaster recovery strategy.[6]  Along the same line, Disaster Recovery Journal advertises itself as “the magazine devoted to business continuity since 1987.”[7]  Other industry leaders, however, aptly define disaster recovery as a distinct, narrower term, as but one component of a set of plans derived from and implemented because of an enterprise’s awareness of its vital operational needs in the event of interruptions.[8]

 

In short, either the terms are interchangeable, or they are not.  We contend that they are not, and use business continuity planning as a broad tag that uniquely identifies the process or protocol needed to prudently develop and implement a set of cohesive plans required to maintain the public’s business in the event of an interruption.  These cohesive plans are concerned with any type of interruption that might cause “asset loss, regulatory liability, service failure, or a damaged reputation with constituents.”[9]  The evolutionary advantage in this breakthrough layer of planning is broad and flexible enough to include interruptions that are both unplanned (e.g., September 11, earthquake) and anticipated (e.g., Y2K, relocation, retirement[10] ).  If any discontinuity has the potential for disaster, disaster is averted by developing the strength of the connective tissue that fortifies the agency against the breakdown of critical services.  The advantage is that the plan is the planning process itself, a binding process that casts all other plans in the light of a crucial mindset:  continuity of service is critical.  The individual plans minimally include those shown in Fig. 1, as well as others named business resumption, business recovery, crisis management, security self-assessment, and workforce commitment (See Glossary, Appendix A), but it is their respective and collective binding investment in service outcomes that is wanted.  Business continuity planning binds resources to service.

 

Names do matter.  Names identify or validate a presence; they direct our attention to or enhance our ability to perceive nuances and values.  If business continuity planning is a name that defines a breakthrough layer of thought, a layer that somehow calls for action distinct from what has been defined by traditional terms, then it cannot be “interchangeable” with those previous terms.[11]  The need for cohesiveness between business functions and supporting technology, cohesiveness between development and implementation of planning decisions, cohesiveness between and among agencies – all developed within the boundaries of discontinuity, economy, and ongoing service – is the value correct users of the term want stakeholders to perceive.

 

Assigning a value to ongoing public service in the face or wake of disruptive events by consistently and appropriately naming business continuity planning as a desired practice is the critical first step for supporting the continuity of the public’s business in New York State.

 

 

Whose Job Is It?

 

New York State must not only build value for continuity of services by correctly naming the protective planning process, it must also name who is responsible for leading the workforce and infrastructure to a condition of ongoing “continuity readiness.”  The good news is that the conditioned response to the breakthrough layer of thought will not be built from nothing, as much is already in place to lead the effort.  The bad news…well, much is already in place to lead the effort.  Unfortunately, contemporary planning needs will be organized around, within, and throughout several institutions and initiatives competing for a place in an existing state government.  The innovative process of continuity planning must be assigned as a clear area of responsibility for which someone or some office will be held accountable.

The architects of a secured continuity will not be surveying a cleared and graded landscape; they will be challenged to rehabilitate a legacy – a legacy in which much and many are quite invested.  The sheer size of the government, its departmental structure, the complexities of rigid regulations and laws that govern its own operation, and the political realities of the workforce inhibit effective change management.[12]  As the Governor’s 1995 Task Force on the NYS Civil Service System reported:

New York State must contend with the competing interests and requirements of numerous state agencies, labor unions, joint labor/management committees, the State Legislature, the Division of the Budget, the State Comptroller's Office, and the courts; a situation which mitigates against achieving consensus about what changes should be made... Action taken at any point in the system sets off a cascading network of reaction....This makes it difficult to effect change to the system as a whole.[13]

If change in the system as a whole is difficult, and the breakthrough layer of thought changes the name of the game by which we prepare for the myriad contingencies and crises that threaten the state’s ability to continue service during crisis, where will the momentum to effect the change come from?  Who is responsible for determining the level of preparedness and setting standards for effective planning?  Who is responsible for holding the responsible accountable?

Several distinct state initiatives are presently charged with developing and maintaining some aspect of protection, response, and/or recovery of state operations in times of threat:  the NYS Emergency Management Office (SEMO), the NYS Office for Technology (OFT), the NYS Office of Public Security (OPS), and the office of the NYS Chief Information Officer (CIO).  The language of each of their respective charters is broad enough to assign or assume leadership for not only disaster recovery or preparedness, but also in asking and resolving the questions entailed in business continuity planning.  Any state agency seeking support for continuity planning should be able to turn to these resources.  However, nowhere in any of the founding documents or published missions of these initiatives does the term business continuity planning appear.  Absent this explicit commitment, finding support for continuity planning from an authorized state body or within the agency is a shadowy search.

 

 

State Emergency Management Office

               In 1978 the NYS Legislature amended Executive Law by adding Article 2B to address the findings quoted at the start of this paper.  The new law provided for the creation of a Disaster Preparedness Commission consisting of the highest ranking officials in 20 key department/agencies[14] (see Fig. 2) from the Executive Branch of the government, as well as the chief fire administrator, three appointees of the governor, and the chief professional officer of the state chapter of the Red Cross (§21.)  The commission was charged with the duty of studying “all aspects of man-made or disaster prevention, response, and recovery,” (§21.3a) and with preparing annually “state disaster preparedness plans” (§21.3c) that “keep current…an inventory of programs relevant to…operations during disasters and recovery following disasters.”  (§21.3d)  The commission is to “provide for periodic briefings, drills, exercises, or other means to assure that all state personnel with direct responsibilities in the event of a disaster are fully familiar with response and recovery plans and the manner in which they shall carry out their responsibilities…”  (§21.3h).  The law defines disaster as “[an] occurrence or imminent threat of  wide  spread  or severe  damage, injury, or loss of life or property resulting from any natural or man-made causes, including, but not limited to, fire,  flood, earthquake, hurricane, tornado, high water, landslide, mudslide, wind, storm, wave action, volcanic activity, epidemic,  air contamination, blight,  drought,  infestation,  explosion, radiological accident, water contamination, bridge failure or bridge collapse.[15]  Interestingly, more recent BCP industry leaders have broadened disaster to mean “any event that has a low probability of occurrence but is capable of causing devastating consequences and a high level of uncertainty.”[16]

 

The functional arm of the Disaster Preparedness Commission is the State Emergency Management Office (SEMO), an operation of the Executive Department’s Division of Military and Naval Affairs.  SEMO acts as the coordinating agent between state, local, and federal emergency/recovery responders, and participates in compacts with other states and the federal government (FEMA, NEMA, NESEC).[17]

 

According to a SEMO spokesperson for the Counsel to the Commission, the emergency preparedness plan is a “never ending document,” always under revision, and in process with its member agencies.  He offered, “All state agencies must be ready to continue operations in the face of disruption.”  He stressed that in preparation for Y2K, each agency was required to review its continuity plan, submit it to SEMO, and have it reviewed by the then OFT Task Force. Each plan was to address the agency’s full operating needs, not just IT concerns, and each agency was required to have a command center and redundant communications. SEMO’s website offers sample Y2K planning documents for various levels of local government, and a link to a sample of a state agency plan.[18]  He added that SEMO sponsors various training sessions throughout the year, open to diverse public sector personnel to advance emergency management professional development.  These are described on the office’s website.[19]  Additionally, the September 2002 Annual Conference promised to address responses to particular threats and hazards and invited representatives of “state agencies” to attend, though the specific terminology of agency or business continuity planning is not a published part of the agenda.

 

 

Office for Technology

 

The Office for Technology (OFT) was created in 1997 under the authority of Executive Law Article 10A as an outgrowth of the Governor’s Task Force on Information Resource Management to “ensure that technology plays a pivotal role in the effective and efficient delivery of state government services…to strategically manage [the State’s] technological resources…Such management must leverage the state’s technology as a vehicle to reform and revitalize government and for promoting positive change.”[20]  As defined in the statute, the office’s functions, powers, and duties comprise “establishing statewide technology policies, including but not limited to, preferred technology standards and security” (§206-a(10)) and completing a comprehensive study of the existing  state information resource technology infrastructure,” which is to reflect inventories of “existing hardware, software, space/environmental needs, telecommunications and networks supporting operations, and the personnel associated with existing operations and management.” (§206-a(12a-d)).  The statute further states that this study is to be completed and submitted to the governor, the senate, and the assembly by October 1, 2002, with interim reports provided in October of 2000 and 2001.  By October 1, 2003, OFT must develop and submit confidential, formal disaster recovery plans for the state data center and statewide network, NYe-Net. (§206-a(12-a(d)).

 

 

 

 

 

OFT’s philosophy is to “forge a marriage between agency-specific needs and the best interests of the State”[21] and its work is to make “state government more efficient, integrated, cost-effective and accessible.”[22] Because components of technological networks (including personnel) reach

deeply into and across all state agencies as a response to agency business needs,[23] OFT is well positioned to champion the integrated continuity planning of business process, technology, and information management in all state offices. Two policies in particular clearly spell out OFT’s expectations, which if implemented, create a sound platform from which business continuity planning can grow.

 

First, in January of 1997, the then task force issued Tech Policy 97-1 as a “minimum security policy for the protection of agency assets, including information, computers, and networks.”  The policy calls for each agency to determine the value of an information asset by “considering…the consequences of unauthorized disclosure, modification, destruction, or unavailability of the information.  The value of these assets will determine the level of controls needed to provide…backup and access controls.”  The policy directs each agency to have established lines of communication, with provisions for alternatives, regarding responsibility for information in the “communications chain,” and ultimately introduces the need for each agency to have a designated information security officer (ISO).  Additionally, “all [information] systems must have back-up and recovery procedures that are documented, maintained, and stored off site.”[24]

Second, in February of 1999, OFT issued Tech Policy 99-2,[25] defining the minimum administrative responsibilities of the agency appointed ISO.  The policy states that “The agency must have procedures to prevent, detect, contain, and recover from information security breaches from both internal and external sources and disasters both natural and man made.  The ISO has a duty to ensure that these procedures are in place.”  The policy provides that the ISO needs to understand the agency’s mission and the relationship of information systems to that mission, must forge cooperative relationships across the agency and with counterparts in other agencies, and lead contingency planning efforts that “address how to keep…the agency’s critical functions operating in the event of disruptions both large and small.”

 

The authorized reach of these policies across agency boundaries, when coupled with another OFT charge to “build a government without walls,”[26] is highly suggestive:  It would appear that as the new and fastest growing kid on the block, OFT has been invited by the state to teach us a new game to be played with the old team.  The name of the game is collaboration, but it will involve a predictable painful reorientation period as the stovepipe players sort out the new rules, build the skills, acquire the equipment, and take their positions.

 

The new position of information security officer, required by the directive from OFT to all state agencies,[27] is one example of the challenges faced in developing a new way of doing old business.  There is no official ISO title in the existing civil service lexicon; the policies may spell out duties and responsibilities, but they offer no guidance to qualifications, certification, or compensation.  There is no “test” offered to the public or the workforce designed to identify meritorious applicants for the position of agency information security officer.  Each agency may have a designated ISO holding the position, but that person may be simultaneously functioning with responsibilities associated with his/her “real” title in addition to those duties bulleted in the ISO tech policies.

 

Even more complicated is the fact that acting ISOs have emerged from different work pools and are functioning with varying levels of skills and support in their home agencies, while presumably accountable for carrying out OFT directives.  As the role and value of electronically generated, transmitted, and preserved information continues to grow, as the partnership between technology and business functions deepens, as public conflict over issues surrounding security, right to privacy, and right to access foment fundamental ethical questions of how we are to govern ourselves as a people, lines of authority get complicated:  Who is the ISO and who does the ISO really work for?  The same can be asked of agency public information officers (PIO) and chief information officers (CIO).

 

 

Office of Public Security

 

The third candidate for assuming leadership for BCP is the new Office of Public Security, created by Governor Pataki on October 10, 2001 in response to the events of September 11.  Under the authority of Executive Order 113.34, the office is to “undertake a state wide assessment of the vulnerability of critical infrastructure…and develop plans to promote rapid recovery from terrorist attacks… overseeing policies, protocols and strategies of state agencies.”  The “agencies” specifically named for oversight “include but are not limited to” State Police, DMNA, SEMO, Department of Health, EnCon, DCJS, Department of State, OFT, and DOT.  (See Fig. 2 page 9.)  Note that the executive leadership of all of these are “members” of the Disaster Preparedness Commission, and already have liaisons “working with” SEMO on an ongoing basis.

 

All 50 states maintain some type of office as a primary point of contact to coordinate antiterrorism efforts with the federal government.  However, New York is one of 19 states that has created a new position, office, or agency to handle homeland security issues since 9/11 in cooperation with the federal office instituted by the Bush administration at that time.  The other 31 states have chosen to add additional resources and responsibilities to existing military, emergency management, law enforcement, or public safety structures to meet increased security concerns.  In deciding whether to create a new initiative or to assign responsibility to an old one, the states have conducted internal assessments to answer these primary questions:[28]

·         Does our current state structure continuously identify threats and vulnerabilities?

·         Does our state take corrective action to reduce threats and vulnerabilities?

·         Does our current organizational structure promote interagency cooperation and information sharing?

·         Does our state have a capability to respond to and fight terrorist incident?

 

To accomplish these assessments, OPS has assembled several work groups,[29] most recently the Cyber Security Task Force, a coalition of representatives from state and federal governments, the private sector, and academia.  By performing four essential functions, the task force’s effort is intended to help protect those networks and systems needed to deliver critical government services:[30]

·         Assure a baseline standard of preparedness for the infrastructure.

·         Examine vulnerabilities and appraise susceptibility to catastrophic cyber attack.

·         Rate and prioritize potential means of cyber terrorism.

·         Eliminate redundancy in initiatives and investments.

 

Like its counterparts in other states, New York’s OPS  is limited in its scope to terrorist related incidents, and does not assume responsibility for natural or purely technological disruptions.  Nonetheless, the scope of information required by and through OPS task forces is relevant, fundamental information generated by and required in the broader BCP process.  Any examination of the technological infrastructure done by a workgroup formed with an eye on preparedness, an ear opened to what those who work with the network fear, and a credible voice (and forum) for verbalizing its findings will be operating in the breakthrough layer of thought: How many plans do we need, and what can we afford?

 

 

Chief Information Officer

 

In addition to the anticipated leadership embedded in the three initiatives described above, the power and potential of a fourth very new player excites hope that the hard questions will be asked and that thoughtful answers will matter.  On January 28, 2002, Governor Pataki established the position of a state chief information officer (CIO) through the authority of Executive Order 114[31] in response to the growing significance of the Internet and technology in developing state operations, and to further the state’s initiatives to create an efficient government without walls.  “The order outlines six responsibilities for the CIO, including oversight of the Office for Technology; “Overseeing, directing and coordinating the establishment of information technology policies, protocols and standards for state government, including hardware, software, security and business re-engineering;” and “Coordinating and facilitating information sharing between and among State government[32]…to promote the use and deployment of information technology that will improve the delivery of government services.”

 

The governor’s press release announcing appointment of the state’s first CIO stresses the CIO’s coordinating function and promises that “the CIO will have full authority and responsibility for overseeing, coordinating and directing State resources related to technology policies and resources.  These resources are now found in every agency and public authority in New York State.”[33]

This paper addresses a question:  If disaster – natural, technological, or man made – were to strike a facility or network that houses state workers and data, what support exists or is required to secure safe and continued public service to the people of New York?  We have looked only to the language of the public promises for evidence of a theoretical support for continuity planning.  The statutes, executive orders, press releases, websites, and various agency spokespersons all indicate a resoundingly positive implication of “we’ve got it covered” when it comes to asking hard questions and assessing what our state agents need to carry out their respective critical missions during disasters of all types.  Nonetheless, a logical series of follow-up questions percolate:  Who knows – or needs to know – the answer to the question we raise?  Do the words proffered to the public match the reality experienced by those in the public sector workplace?  Would acting ISOs read the descriptions written in this paper and say “Not my job” when asked about business continuity planning?  Would IT directors sound an alarming “Not happening?”  Would a lunch hour interview of random state workers on the Albany concourse reveal a consensus that the promise of preparedness and continuity generates no meaningful response among the rank and file?  If there is a gap between what is implied and what is fact, how do we close the gap?

 

 

What’s Involved?

 

The public promises have generated commissions, offices, task forces, workgroups, and executive positions, all filled with people expected to be the actors who implement the hard verbs littering the preceding pages:  to assure, assess, develop, direct, collaborate, coordinate, eliminate, evaluate, examine, identify, inventory, prepare, prioritize, rate, and study…hard verbs that predicate consequential observations about abstract concepts expressed in terms like infrastructure, vulnerabilities, missions, resources, worst case scenarios, and preparedness.  If the desired outcome of their collective work is to secure continuity of the public’s business in times of crisis, they will need the focus of that goal to guide them as they act.  Business continuity planning is an overwhelming, information intense endeavor, requiring input from every office and every worker in the state workforce, input that by its very human nature will not be easily created or handily accepted.  Additionally, the integrity of this essential raw ingredient (the input) is crucial, for it is the catalyst for transformation.  Transformation involves twin investments:  investment in gathering input and investment in developing the resources that input names as critical to continuity of services.

 

Because the outcome (or lack thereof) of the active work potentially affects everyone in the workplace and beyond, under limitless circumstances and unforeseeable degrees of physical, psychological, financial, and environmental trauma, everyone must inform and be informed of the plan.  The ownership role of the individual worker in detailing his/her functions, dependencies, and priorities cannot be underestimated, nor can value of the collective understanding possessed by a unit of workers concerning both colleagues’ individual work and the units’ overall contribution to the agency’s mission.  Securing quality, consensual input and output during pre-crisis planning secures the cohesiveness and continuity of the organization under crisis.  To achieve this, those offering input must believe that their efforts will matter, that recognized and vulnerable priorities will be addressed with policy development, organizational change, and committed funding that make decisive actions viable.  This belief will occur and endure only with commitments from leadership at the managerial level and from sponsorship at the executive levels of government.

 

Best practices in continuity planning carve away the wasted time and resources spent not knowing Why who does what, where, when, and how, before, during, and after a crisis.  They recognize that BCP is a multiphased process that engages people around information tasks and then generates multileveled group consensus for how the specific group can best function to prevent, minimize, or continue despite disruption.  Although it promises to minimize the confusion and chaos of uninformed decision making during a crisis, BCP guarantees benefits for all groups who participate in the BCP process whether interruption ever occurs or not:  They will emerge with a clarified sense of self as part of a cohesive whole, more aware of their collective and individual assets, and by consequence, provide more reliable public service.  The ordinary decisions they make concerning costly purchases of equipment, software, leases, service contracts, professional development, maintenance, meeting schedules, and record keeping will be informed by the goal of continuity.  If by its nature business continuity planning is destined to be an ongoing, living “document,” it stands the best chance of being useful if it lives in the minds of those who have to live with it.

 

 

How It Works

 

BCP is a methodology that uses standardized terminology, intuitive sequencing, and a faceted structure to provide flexible but specific guidance capable of accommodating any combination of discontinuity factors.  Keeping in mind the costs of public safety, public confidence, and public well-being, at its simplest level, BCP explores and fortifies three facets fundamental to the function of each member of the state workforce in providing service to constituents:[34]

·         How would your work be affected if you were lost or lost access to your work facilities?

·         How would your work be affected if you were lost or lost access to information/data?

·         How would your work be affected if you were lost or lost access to personnel?

Fig. 3 outlines the details and considerations planners must attend to regarding each of these continuity facets.

 

 

	FACILITY FACET	INFORMATION FACET	PERSONNEL FACET
Scope	Spaces, furnishings, equipment, and infrastructure connectivity that facilitate work processes	Data stored in paper and electronic formats that are generated by a work process or required to complete one.  Includes the operation of the storage/retrieval system and the storage medium itself.	People who are trained, authorized, and available to perform a work process.
Detail	·          Safe, secure work area with lighting and furniture ·          Power ·          Telecommunications hook-up ·          Computers configured with required applications ·          Monitors ·          Printers & copiers ·          Telephone & fax	All ·          Files and records ·          Databases ·          Directories ·          Policies, reference resources that inform work procedures ·          Instructional materials, forms, and publications for public use ·          Web pages Stored in/on ·          Paper resources ·          Floppies, tapes, CDs, zip drives, hard drives ·          Network (server, topology, protocols, security) ·          Mainframe ·          Inter/Intranet	Because they possess: ·          Familiarity with process, including its goals, regulations, and dependencies ·          Skill proficiency  required to complete the process ·          Authorization by title, chain of command agreement, assignment, certification, identi-fication verification, password ·          Ability to physically and psychologically function in the designated position as well as ability to access the facility, information, and other personnel needed to perform the work process
For each business process, consider:	What will we do if the tools we need are unavailable? Depending on how long we can function without them without intolerable harm, we accept loss or plan for hot site, warm site, cold site, quick ship, and reciprocity agreements.   Can resilience or replacement be built into product performance or service agreements?	Where else does the information we need exist? If the answer is “nowhere” and the information is critical, resources must be allocated to duplicate it and preserve it off site.	Who else can do Joe’s job? A list of substitutes must be collected.  Or, to the extent that Joe’s skills are unique and in high demand, or that his organizational knowledge is broad and deep, investment in succession planning must be made.   What emotional support might Joe, his family, or coworkers need to aid in continuity or recovery? Workers who are grieving or concerned about family safety are not free to work.

 

Figure 3. Essential Facets of Continuity. To the extent that the detail of any facet is required in an agency’s business process, continuity of the process is compromised when the detail is destroyed or disabled. If the process is time sensitive and critical to the agency’s administration or mission, or if the facet detail represents a single point of failure, investment in protecting the process and facet detail becomes more important. If process discontinuity affects public safety or confidence, the highest availability of alternative, redundant, or replacement resources becomes critical.

 

 

 

 

The values assigned to the facet entailments during the overlapping phases of business continuity planning direct choices that must be made to assure continuity of services.  The maps identify what losses of function can be tolerated, prevented, mitigated, worked around, and recovered while mission critical services are continued, lesser mission services are resumed, and “normalcy” is restored.  The maps illuminate the gaps; the gaps beg attention; the attention begets action.  The phases of BCP enjoy a momentum in a dynamic and cyclic sequence of initiation, development, and implementation of improved practices, each premised on the equation that Continued operations = Personnel +Information + Facility management.

 

Initiation

 

The initiation phase of continuity planning combines a series of back-up steps taken to build the momentum needed for getting the undertaking off the ground and keeping it going.  It aims to stimulate interest among key players by harnessing credible awareness of existing resources/functions to a credible analysis of risks and potential for harm that can come from not planning for disruption.  How far the interest spreads will be reflected in the level of support garnered from leaders and sponsors, who in turn will determine the scope and structure of the planning process.  Therefore, the tasks of the initiation phase will include auditing current policies and procedures; inventorying hardware, applications, contracts, and regulations; itemizing services and work products provided by each employee; identifying interdependencies; assessing risks; and conducting a business impact analysis.  This information creates a logical springboard for developing a solution-oriented mindset.

 

Theoretically, BCP can be initiated by anyone motivated to ask the right questions and capable of creating a willing audience, whether they be superiors, peers, or subordinates.  If the impetus originates at lower levels, it must seek the attention of executive sponsorship, whose authority can reach high, deep, and wide into the agency to create teams, establish expectations, and procure the funding needed for the plans’ implementation.  On the other hand, if the impetus originates at the executive level, it must seek the support of lower level leadership whose familiarity with the people and business functions under study is both specific and influential.  Without such support, the executive initiative will meet with resistance and resentment.  Input will arrive late, incomplete, and insincere, if at all.

 

A caveat about responses to information-related initiatives is noteworthy.  BCP is not an easy sell, whether it is moving from the top down or the bottom up, but move it must to engage enterprise-wide involvement if it is to be effective.  The initiating agent needs to locate and massage the bottlenecks.  In general, a push-pull dynamic governs the world of information sharing in any organization of human beings, a dynamic that intensifies as the parties involved are distanced from understanding one another’s objective.  Information we push at others often meets resistance.  Our item may be competing with more pressing items for our audience’s attention; the terminology may be too unfamiliar or abstract; the format dense or distracting; the content threatening in some way.  If we wish to push effectively, we adapt our strategies to identify and minimize the barriers blocking effective reception:  change our timing, simplify our presentation, signify respect, accept limitations.  Conversely, we ourselves may desire to know certain information, but pull at it with great difficulty from perceived resources.  The information resources we require may in fact not exist, be unidentified (we don’t know where to look), or scattered throughout the organization.  We may know that resources do exist and who/what they are, but be unable locate or access them.  Or, we may find them unintelligible, unwilling, or unable to meet our needs.  These real constraints on the human capacity to absorb, synthesize, share, or create information will be a factor at play in the work ahead, a factor intensified by the political and bureaucratic operations of government.  Without sensitivity to factors that govern information related behaviors, pushed directives that inform levels of authority of a need or requirement to do continuity planning will be ineffective, as will queries trying to pull information from inter/intra-agency resources.

 

 

 

The Business Impact and Risk Analyses

 

Dual components of the continuity planning process bridge the initiation and development phases:  business impact analysis and risk analysis.  If BCP seeks to keep the organization functioning within or above a predetermined level of tolerable discontinuity, the planning must discover What can/can’t we afford to lose? and What’s at stake if we lose it?  The answers require setting thresholds, which in turn requires knowing the cost of losses and the vulnerabilities they present to the operations.  This analysis begins with creating a breakdown of each work unit’s business processes, identifying process objectives, interdependent input and outputs, the personnel and facility details involved, time frame flexibility, and projected losses if the process is delayed or failed.  Processes are defined as “an area or grouping of business functions focused on the production of specific outputs”[35] and are classified by those who perform them with triaged terms like critical/nonrecoverable, necessary but recoverable at high cost, and relatively insignificant.[36]

 

The business impact analysis (BIA) examines consequences of an interruption to these very specific agency functions or processes caused by any factor that destroys or disables a work area facility, information or information system, or personnel in any combination.  (see Fig. 3 page 15.)  BIA uses a pre-established metric to calculate the cost of interrupted operations in terms of public safety, public confidence, and public dollars, considering lost revenue and increased expenses (temporary staff, overtime, rentals, travel, replacements), lost productivity (number employees x hours out x hourly rate), and damaged reputation (with constituents, credit rating with suppliers and financial markets).[37]  Impact analysis also considers that losses may be immediate or cascading, as losses compound losses when interdependent units and structures fail.

 

The study of a process’s purpose, requirements, and failure enables those charged with continuity planning to place a value/priority on protecting the process during crisis.  This is achieved by understanding the impact of dysfunction in a facet area, and then mitigating the risk by building alternative, resilient, or redundant resources into organizational strategies, practices, and cost of doing business.  This information creates a basis for prudently and properly allocating continuity and recovery resources.  Windows of required recovery time (recovery time objective, or RTO)[38] can be determined, as can critical recovery points (recovery point objective, or RPO).[39]  The breakthrough layer of thought spotlights self-evident priorities for developing flexible, cohesive continuity action plans.

 

 

Plan Development and Implementation

 

Wisdom reminds us that any plan is better than no plan, and that simple plans are better than those too complex to follow.  However, the only plans worth having are ones that work.  While part of continuity planning may involve intense documentation, the goal of BCP is not to write a book that will sit encased next to the fire extinguisher or first aid kit, awaiting use in some future time of crisis.  Plans that slumber in books are not working.

 

Kenny Klepper, Senior Vice President for Systems, Infrastructure, and Technology at Empire Blue Cross/Blue Shield, testifies with refreshing candor to his experience as a personal and corporate survivor of the collapse of World Trade Center 1.  Emphasizing that no worst case scenario prior to September 11 would have ever entertained the events that then unfolded, he recalls the emotional impact and chaos of the evacuation, and allows that grabbing for lists or a “planbook” would not have been on anybody’s mind.  He admits that Empire – whose 2,000 traumatized, displaced Tower employees lost nine colleagues in the collapse as well as 5 kerabytes of ultimately recovered data that day – had no written plan and does not intend as a “lesson learned” to create such a “written plan.”  Empire’s viability emerged because of what was already working for the enterprise.  He cited three key conditions that were invaluable assets:  an intelligent self-healing network which employed a sonic ring able to reroute traffic when a node was detected as down; a resourceful and committed workforce who were empowered to make decisions and leveraged to act responsively to the needs of the organization;[40] and a history of excellent working relationships with the real estate and supplier communities who were willing and able to quickly assist in locating/equipping temporary offices.  Continuity was achieved because the equation of quality personnel + quality information management + quality facility provision had long been inherent to providing customers with high quality service 7x24x365.

 

BCP’s vitality seeks residence in the mindset and competence of every working employee, in the intelligent resilience of the working technological infrastructure, and in the working cooperation of the facility provider network (i.e., supportive relationships with local community, real estate professionals, financial institutions, reciprocity arrangements, vendors, etc.).  There is no BCP product handily indexed to address What will we do? if or when any one of a million scenarios plays out.  Rather, BCP develops as organizational self-awareness develops, and it atrophies as the self-awareness practices atrophy.  The marathon runner who hopes to cross the finish line has conditioned herself to go the distance long before the starting gun is fired.  The successful continuity plan needs muscle, lungs, and heart.  What has been done and is being done gives continuity a fighting chance, not what will be done.

 

That said, the single most important concern the state should have as it engages in continuity planning should be Is the planning engaging?  Does the planning process itself engender vitality in the organization, or deplete it?  Discovery of assets, or the development of assets, is a life giving, not life threatening, undertaking.  If resistance, apathy, frustration, or a desire to be satisfied with outsourced or printed output characterize the groans of the drones and decision makers, all are well warned that the planning is not developing at all, no matter how much time, money, or effort is allocated or spent.

 

 

The Team

 

Effective continuity planning wants engaging leadership.  Leaders are not people who tell others what to do – they are those gifted spirits who bind others to them to follow.  Competence, dedication, eloquence, and clarity of vision bind.  The team charged with business continuity planning within the agency must have a capacity for effective leadership, and bring to the table the binding concerns of diverse interests.

 

The teams assembled as core champions of continuity must be people whose combined personal qualities, knowledge bases, and positions of influence inspire others to follow from different starting points in the agency’s units.  The team cannot be limited to IT staff.  The team must be a group of carefully selected individuals chosen by proper authority.  These individuals most likely will not share one another’s perspective and priorities.  Their unifying factor will be a passionate and contagious commitment to ever-improved service delivery to constituents of New York State.  They will have a freedom to lead because authority has freed them for leadership, and it is for their leadership effectiveness they will be held accountable.  With these essential prerequisite attributes understood, the BCP leadership team should represent IT, human resources, operations, finance, and legal interests, and each team and team member should have access to varied layers of governance within the agency, and to counterparts in other agencies.

 

Developing the means to see and attend to the gaps potentially created by a disruptive event requires support for/from the team both for/from those feeding forward specific input about unit functions and facet performance, as well as support for/from those feeding back authority and funding to address unacceptable risks.  The phasing is fluid.  Implementation exists as decisive actions are taken, thus initiating another layer of self-awareness as a new facet of performance is integrated and evaluated in the effective operations of the affected service processes.  In short, once started, the phases drive each other forward or into the ground by the momentum of a positive or negative self-adjusting feedback loop.  Keeping the feedback positive by keeping the feed lines open, the organization nourished, and the "plans" exercised is the team's tendered duty.

 

 

About “How to” Resources

 

The BCP experts all describe a process that looks the same, using similar terminology, phases, checklists, and advice.  Every best practice underscores the need for updated inventories, contact lists, and a business impact analysis.  They all underscore the need for executive support, and for aspects of the plans to be tested and updated at least twice a year.  BCP develops more than a document in hand; it is an overarching planning process integrated into the everyday decision making and operations of the public’s business.

 

The best practice of continuity planning wants cohesiveness created from a collective commitment to ongoing service despite disruptive events.  Supporting reference sources, in the nature of conferences, literature, professional consultants, and software, can testify to those experiences that work.  They can inform those seeking support of the scope and structure, the terminology, the possibilities and pitfalls of standard or best practices in business continuity planning and help adjust those practices to the needs of the public's business in particular.  They can point to model formats, actual checklists, and sample memos.  But they cannot provide, replace, or preempt the natural attitude of enthusiastic resourcefulness that the leadership team itself must bring to the table.

 

That said, supporting reference sources abound, many advertised or accessible for free, subscription, or sale online.[41]  For the reader's convenience, Appendix B provides a reference table concerning some exemplary sites, followed by a list of the sources cited in or used as background for this paper.

 

In addition, NYS Office of General Services (OGS) Procurement Services Group (PSG) has published a brief contracting strategy for BCP and security, available at the NYSFIRM website. PSG oversees centralized statewide contracts for those commodities, services, and technologies for use by all state agencies, and lists the following vendors as on contract (*) or under contract development with NYS:

·         *Peregrine (asset management and crises response ) tools

·         *Veritas (storage software solutions)

·         Sunguard (comprehensive pre-recovery strategies)

OGS also points out that many “back-drop contracts for IT services provide a vehicle to purchase consultant services which include but may not be limited to ‘...business impact analysis, continuity of operations....risk assessment....disaster recovery.’ ”  Existing comprehensive service agreements with vendors may already offer the kind of support those charged with leading the BCP process need or are seeking.

 

 

Conclusion

 

Recent developments in technology and world events have significantly affected our consciousness of the profound risks that exist to the state’s ability to continue its service to the public during a wide variety of disasters potentially caused by man-made, technological, and natural circumstances.  Planning for all the possibilities has evolved to a breakthrough layer of thought and action:  Since we can’t plan for every scenario of attack, the eye must be set upon continuity of services no matter what the scenario, and all people involved in securing or providing those services must be engaged in the collaborative work needed to achieve that goal.  Business continuity planning is a proactive, ongoing self-assessment/self-improvement process that seeks to analyze assets, identify priorities and vulnerabilities, and then calculate potential impact of lost services in order to prudently develop resilience and redundancy in personnel, information management, and facility support. Failure in any facet essential for service provision has the potential for creating or cascading disaster. The best way to secure continuity of the public’s business is through fortification of the facets themselves, i.e., the personnel, information management, and facility support networks that may face anticipated or unplanned interruptions. Recognizing the cohesive and self-protective value that distinguishes the concept of business continuity planning from other related planning strategies is an innovative way to improve government service to our constituents.

 

The governor and the state legislature have established several offices, commissions, task forces, and work groups to ensure optimal operations during and after crisis, but explicit state responsibility for  business continuity planning is not clear in the present government structure.  Surely the newly created Cyber Security and Critical Infrastructure Coordination will play a vital and central role in statewide coordination in the near future.  Though continuity planning requires everyone’s participation, no one can make it happen outside of an atmosphere fully enriched by interest and investment of a designated, genuinely committed leadership.  State agencies should expect to find responsive resources for developing and adapting continuity strategies specific to their own missions and business processes, and know where to find them.  Authorities have a duty to support their creations by providing them with necessary resources, including adequate staffing, titles, access, time, education, policy, deadlines, contracts, and technology.  These resources may be costly and are not unlimited, and a just distribution can only occur when a careful investigation has determined essential services, and attached them to work processes, available personnel, IT, interdependencies, and impacts if lost.  The employment of business continuity planning practices provides cohesive guidance for decision making when it comes to funding, staffing, facilitating, and innovating government operations for safe and continued service to the people of New York State. 

 

 

herefore, we conclude that three actions are required in order to facilitate the development of a compelling business case and action plan within New York’s state and local agencies:

 

 

·         The concept of continuity planning must be elevated to a greater priority.  The term and function of business continuity planning should be integrated into public policies, workplace communications, professional development opportunities, lines of organizational budgeting, job responsibilities, and performance reviews.

·         Clear responsibility for who will lead and coordinate continuity planning must be established, both within agencies, and as an overarching support for state and local government.  Cross-organizational leadership teams invested with influential personalities, established program/technical authority, defined titles, and adequate training are required.  Technology staff should be part of such teams, but not make up the entire team or represent a disproportionate number.

·         Adequate resources must be made available at the agency level to effect an ongoing process of planning, developing, and implementing continuity measures to protect the public’s business from intolerable harm and disruption.  Necessary resources include funding, contracts, personnel development, possible organizational restructuring, and technological improvements aimed at enabling continuity of services despite any type of event that threatens provision of vital government services.

	Visit The Forum’s web site (www.nysfirm.org) and use the Business Continuity Health Check as a quick way to assess the adequacy of your organization’s plans for business continuity.   The Business Continuity Health Check was developed by the Forum’s members in conjunction with members of the Forum’s IT Corporate Roundtable and is available for use by any organization at no charge.