With hurricanes bearing down implacably on Florida, FindWhat.com saw its business-continuity plan (BCP) put to the test last summer.
Preparing for possible interruptions to its main data center in Fort Myers, the Internet-based advertising company dispatched network engineers to a second data center in Atlanta. Their job was to "flip the switch" that would transition data services in the event the Fort Myers data center crashed.
Ensuring continuous operations is critical to FindWhat.com, whose average daily revenue is about $250,000. The company's proprietary platform continuously sends out advertising to various Web sites, reaping revenue through "click-throughs" on those ads. In addition, FindWhat.com offers private-label advertising services to corporations, including Lycos and Verizon.
"We have a lot of people depending on us," according to chief technology officer Tony Garcia.
As it turned out, FindWhat.com didn't need to swap data -- its Fort Myers data center never lost power. That illustrates another aspect of the plan: There were diesel-fueled generators that supplied backup power to keep servers humming despite widespread blackouts. "It's a unique time when traffic lights are out but you look in the data center and see server lights still blinking," Garcia said.
According to analysts, BCPs provide a blueprint for operations in case enterprises experience unanticipated interruption -- whether from hurricanes, hackers, power outages or any other risk. Such plans usually include arrangements for backup power, redundant computer systems and alternative work locations for employees, among other items.
FindWhat.com appears to be in rare company. On average, only 34% of companies have instituted full corporatewide plans, according to Business Continuity Management, a Newport Beach, Calif.-based executive search firm that serves the business continuity, disaster recovery, data security and emergency management industries.
Risks may vary according to geography, industry and other factors, but generally fall into one of four distinct categories: financial loss, damage to reputation, regulatory penalties or operational disruption, said Roberta Witty, an analyst with Stamford, Conn.-based Gartner Inc.
"Your starting point should be what's known as a business-impact assessment, or BIA," Witty said. "You go through (and analyze) every department to understand which ones are mission-critical, what the risks are to each department, the estimated costs of any downtime and how quickly you would need to recover."
Once the analysis is done, you should determine what kind of technology will enable your systems to remain in operation, or at least resume operating quickly, in the event of outages. Moreover, you may need to make plans for employees to relocate to alternate work locations, entailing additional travel and other costs, Witty said.
You have to look at all the risks surrounding your data center and what effect they may have, said Michael Smith, a business-continuity consultant with Marsh Risk Consulting.
"From there, you can decide whether you need to spend money to mitigate that risk. It's really important to understand the business needs, because that's what drives cost on the information technology side," Smith said.
No amount of planning can guarantee complete security against risk, said Michael Miora, chief executive officer of consulting firm ContingenZ Corp., in Playa del Rey, Calif. The key is to identify your areas of greatest risk and not worry too much about risks you can't mitigate, he said.
"In the event of disaster, you're going to take a hit -- there's no way around it. What you want to do with a BCP is make sure your losses are livable, your market share is maintained, and you don't lose the confidence of your customers and shareholders," Miora said.
Scenario-based planning enables you to identify your risk profile based on the likelihood of an event happening, said Timothy de Lisle, managing principal with Corigelan LLC, an IT consulting firm in Chicago.
Whereas hurricanes are highly likely along the East Coast, earthquakes might top the list if you're in California. Proximity to federal agencies -- possible terrorist targets -- also presents additional risks.
"You can't plan for 80 million different scenarios, but you can come up with four to five scenarios that cover just about any type of event that could occur," de Lisle said.
On the other hand, Witty said, some companies fail to plan for enough contingencies. "Every scenario will present different things to think about. If you only think about a fire in your building, you won't have a complete plan that deals with other risks that arise," she said.
Too often, organizations draft plans and then stick them on a shelf, Miora said. What's needed is buy-in from the brass. "Business continuity requires active participation and signoff by executive management, middle management and perhaps even lower levels of the organization," Miora said.
Equally important, according to de Lisle, is a business-continuity coordinator or other business manager who can spearhead the plan's development, mark its progress and publish it throughout the enterprise. "When you're done with this exercise, everybody in your organization should be aware of this plan," he said.
To keep your plan current, Marsh's Smith suggests conducting twice-yearly tabletop exercises involving stakeholders from business units. Presenting various hypothetical scenarios, and seeing how people respond in turn, provides a "non-threatening way" to conduct training and amend the plan.
Garry Kranz is a freelance business and technology writer in Richmond, Va. He can be reached at firstname.lastname@example.org.