At the national news level, the year 2009 was characterized by several events: a sluggish economy, continuing and expanding presence of the U.S. in the Middle East, an ongoing debate about healthcare insurance; further evidence of climate changes and the H1N1 flu pandemic. But what were the business continuity (BC)
1. Impact of the economy on business continuity. Perhaps the most visible evidence of the economy on the profession is the disappearance of many business continuity jobs in 2009. With the exception of certain industries such as banking, business continuity is often viewed as something that can be deferred, postponed or cancelled, with little or no measurable impact on a company. Unless business continuity is a requirement, a BC program is not likely to exist in a company. Evolution of the government-run Private Sector Preparedness (PS-Prep) program, however, may encourage acceptance of business continuity from a competitive perspective. Even though the PS-Prep certification program is currently voluntary, some experts believe that market forces (e.g., competitive pressures that make it "good business" to be accredited) will drive awareness and acceptance of BC.
2. Development of BC/DR standards. The development of business continuity and disaster recovery standards moved at a brisk pace in 2009. Awareness and acceptance of the British standard, BS 25999, was strong, due largely to efforts of the British Standards Institution (BSI) and its U.S. affiliate. The current national standard, the NFPA 1600, was updated and will be released in 2010. ASIS International and the BSI began work on a new American national standard, likely to be released in 2010. The International Organization for Standardization (ISO) continued work on a new global BC standard. The Business Continuity Institute (BCI) introduced BS 25777, a standard for IT disaster recovery, which parallels ISO 24762, which was introduced in 2008. Each of these standards addresses the key issues in business continuity and IT disaster recovery, while adding unique attributes of emergency management (NFPA 1600) and a management system (BS 25999, BS 25777, ISO 24762). Also, the joint ASIS/BSI standard is expected to build on its predecessors, hopefully evolving into a highly useful document.
3. Continued movement by DHS/FEMA on Public Sector Preparedness. Fulfilling requirements of Title IX of P.L. 110-53, the Department of Homeland Security finally announced three recommendations for business continuity standards: two from the U.S. and one from the U.K. The completion of the voluntary certification program is expected to take several more years before full deployment. Lack of any formal requirement for business continuity -- with a few exceptions, e.g., the banking sector -- is an important aspect of the new PS-Prep program. Without establishing a formal government mandate, the use of a voluntary approach is expected to allow market forces to validate a formal accreditation process. And this is expected to stimulate the growth and acceptance of business continuity.
4. Increasing importance of supply chain in business continuity planning. The importance of protecting supply chains grew in 2009. Many companies required that their vendors address BC issues before signing contracts. Traditionally, business continuity planning focused on internal business functions, with an eye on both internal and external dependencies. Supply chains expand this view by identifying the end-to-end relationships a business has across its operations, and the potential impact of a disruption to these chains.
5. Web-based activities focusing on business continuity. Web-based activities were initially introduced to BC groups to encourage the exchange of information and experiences, and establish chat services, such as LinkedIn and Plaxo. Business continuity professional organizations, such as the BCI, also launched special groups for their members to network and discuss various issues. Webinars/webcasts, podcasts and online conferences/virtual seminars grew in number as a response to users being restricted from travel due to costs. In many ways, the Internet was a key factor in the progress of the BC profession in 2009.
6. Little focus on pandemic planning. Despite official declarations by the Centers for Disease Control (CDC) and World Health Organization (WHO) of an H1N1 pandemic, many businesses, large and small, put their pandemic planning efforts on hold because they did not realize the severity of the H1N1 pandemic. Few people lost their lives during 2009, as compared to previous pandemics. Many businesses asked themselves, "Was the investment in pandemic planning worthwhile?" For medium to large businesses that made the investment in pandemic awareness and preparations, the results were valid, especially in the context of corporate social responsibility. Small- to midsized businesses (SMBs) rarely invested anything in pandemics, hoping to dodge the bullet that, fortunately, hasn't yet been fired.
7. Little awareness of BC in SMBs. Despite efforts by the government and a few private sector organizations, SMBs have yet to embrace business continuity and disaster recovery-related activities, most likely because of the economy. According to a 2009 Symantec Corp. study of 1,425 SMBs (with 10 to 500 employees) worldwide, the lack of a dedicated IT staff and tight budgets were the main reasons that SMBs have yet to take basic steps to protect themselves. According to the study, 59% have no endpoint protection (i.e., software that combines antivirus with advanced threat protection technologies such as desktop firewall and intrusion prevention for laptops, desktops, and servers); 47% do not back up their desktop PCs, leaving important information at risk; and 33% lack even basic antivirus protection.
8. Impact of global climate change. Despite a relatively quiet hurricane season in 2009, reports surfaced about water levels growing in various parts of the country, such as in the Louisiana bayou. Year-end winter storms have been surprisingly harsh and deadly, indicating climate change can have a negative impact on businesses.
9. Green issues. The importance of "green" in specific areas touched by business continuity and disaster recovery, such as data center primary and emergency backup power systems (a key strategy for BC/DR), energy efficient HVAC systems, better building insulation to prevent heat loss and low-voltage overhead lighting, gradually increased during 2009. While BC/DR and "green" are not normally aligned with each other, savvy data center managers found ways to integrate BC/DR while "greening" their data centers.
10. Continual threat of terrorism. Terrorism is not something that encouraged business continuity activity in 2009, but the threat of terrorism still exists. Smart BC professionals, especially those in major US cities, made sure their plans addressed terrorist situations.
Business continuity and disaster recovery never made national headlines during 2009. A relatively quiet year for disasters, by comparison with other years, 2009 saw the business continuity profession progressing slowly but steadily. Its slow and often sluggish performance was largely tied to the national economy. On the positive side, the Internet paved the way for many innovative programs that spread the word on BC and encouraged greater participation.
About this author: Paul Kirvan, CISA, CSSP, FBCI, CBCP, has more than 20 years experience in business continuity management as a consultant, author and educator. He is also secretary of the Business Continuity Institute USA Chapter.
This was first published in December 2009