Commentary: Time for “business continuity” planning for local governments
By Steven Lewis
Many local governments today are recognizing the need to develop “Business Continuity” (BC) plans in order to cope with disasters. The purpose of these plans is to be able to continue such “business” functions as employee payroll, retiree payments, sending out tax notices, collecting and processing taxes, etc.
Municipalities usually turn to their CIO or head of Information Technology to provide BC planning, since they perceive that the plan will revolve around their computer systems. What we’ve seen, however, is that local-government CIOs are not well equipped or trained in developing and implementing BC plans, and often have no idea how to proceed in a systematic fashion.
What is outlined below is a pragmatic approach that we have implemented over the years, and which we believe municipalities can find helpful in developing their own BC plans.
Initially, the planning process can seem quite daunting, given the seemingly infinite number of ways in which disasters can strike. However, in our experience, focusing on the effects of the disaster, rather than the specific phenomenon which caused it, greatly reduces the number of variables to be considered. These effects can be grouped into the following three categories, each of which is discussed in turn:
– loss of information,
– loss of access,
– loss of personnel.
LOSS OF INFORMATION
This category includes the destruction of information which the organization needs in order to carry out its functions. The loss could have been caused by events ranging from the “low-tech” destruction of paper files in a fire, up to the “high-tech” destruction of network files by a computer virus.
LOSS OF ACCESS
This category includes the loss of access to information, buildings, tools, equipment, etc. The access loss could have been caused by civil disruption blocking streets, extreme weather, equipment breakage, loss of electric power, downed communications lines, lack of “digital IDs” on home computers, etc.
LOSS OF PEOPLE
This can result from pandemic illness or quarantine, National Guard emergency call-up, inability to travel due to extreme weather, etc. Many local governments with small staffs suffer from a lack of sufficient cross-training, so that some key functions can be performed by only one or two individuals and cannot be performed at all if those individuals are unavailable.
THE BC PLANNING PROCESS
The first stage of the planning process is often referred to as the “Business Impact Analysis” (BIA). This stage begins by interviewing the key personnel in each administrative department. These interviews are designed to help quantify the actual impacts on that department of each of the three categories of loss, as well as to indicate the nature of acceptable Recovery Time Objectives and Recovery Point Objectives (e.g., the amount of data loss) which each department could tolerate.
This stage also includes a review of the seasonal variations in departmental workloads throughout the year, as well as dependencies on key outside suppliers such as single-source vendors supporting the operations of taxing, collections, direct-deposit payroll processing, etc. It also documents the unique risks and vulnerabilities of each department, as well as manual work-arounds available for each function in the event of the loss of computer availability.
Following this, the tasks associated with the restoration of each function are outlined, along with specific personnel assigned to each task.
Next, the actual times to restoration are estimated and compared with the desired Recovery Time Objective for each function. The differences between these two then need to be reconciled – which can often require considerable negotiations, procedural changes and/or the acquisition of new equipment.
The results of these steps allow the prioritization of the relevant applications and functions and their combination into a comprehensive BC plan.
Finally, the BC plan must be tested. Since the first round of testing typically fails for numerous reasons, a well-defined, high-value function such as Payroll is usually tested first. Once the issues have been worked out for this application, additional functions such as Accounting, Purchasing, Retirement, etc., can be tested on an individual basis. Ultimately, the goal of the testing process is the restoration and testing of all high-priority applications at the same time.
THE BENEFIT OF THE BC PLANNING PROCESS
As a result of conducting the BC planning process, municipalities are able to get a clear understanding of their abilities and limitations regarding the restoration of each of their functions, as well as a better understanding of the risks and vulnerabilities which each faces. This can result in beneficial in-advance decision-making rather than trying to reach consensus during the chaos of a disaster. It can also result in clear top-down direction to each department regarding the sequence of steps to be taken after a disaster. Finally, the testing experience is able to expose problems in restoration at a point in time when they can be easily corrected, rather than trying to correct them during the aftermath of a disaster.
Steven Lewis is a Certified Information Systems Auditor (CISA) with a Master’s and a Bachelor’s in Engineering from Cornell University. He is the President of The Systems Audit Group, Inc. (www.Disaster-Help.com). During the last twenty years, he and his organization have developed dozens of comprehensive disaster-recovery/business-continuity plans for complex network-based organizations. The bulk of these plans were subject to regulatory review, and all were approved by clients’ Regulatory Agencies. Mr. Lewis can be reached at [email protected].