Major corporations, especially in the financial and securities industries, have long been aware of the business impact of an unplanned interruption to business operations, most probably including an outage to computer and communications based systems. The events of September 11th raised those concerns to a fever pitch, and highlighted a number of previously under-considered aspects of contingency planning, including:
In addition to the above, many organizations now realize that an event like 9-11 requires that companies not only focus on their own individual recovery plans, but that they must also consider how the recovery efforts of other companies in their industry, or supporting industries must be coordinated so that normal, or near normal operations could resume.
First and foremost, there is a need for cross-industry government regulation that requires companies to have an auditable and testable continuity plan that matches either industry or individual company recovery time (the elapsed time between the event and resumption of business operations) and recovery point (how current the computerized data is when recovery commences) objectives. Currently, only the financial industry has had this regulation via the Office of the Comptroller of the Currency’s Banking Circular.
Second, the events of 9-11 are bringing about a clear need for a business continuity blueprint that firms can follow to ensure that, not only is their plan adequate, but that it fits into an industry recovery framework that ensures all like, and dependent / complimentary firms can recover with similar recovery points and recovery times. That framework also needs to address the non-information technology requirements of companies, such as facilities issues, personnel loss, paper records protection and communications / public relations requirements.
The past history of the industry, primarily since 1979, and carried on even today, is one where all of the current vendors focus on discrete contracts for individual companies that are not synchronized, in almost any way, with those of other firms that could be required in order for an industry segment to recover. Essentially, the industry leaders offer services that provide recovery facilities, network connectivity and equipment for individual companies to use, assuming no conflict with another customer that prohibits use (use is not guaranteed, available on a first come – first served basis only). 9-11 has renewed a focus on this industries’ solutions and the need for complimentary, dedicated solutions in many cases.
The overall mission of the Security Board is to ensure that, in the event of an unanticipated interruption to corporate and governmental business operations, due to a terrorist, natural disaster or localized infrastructure interruption, that critical business operations, most probably dependent on computers and telecommunications, can resume in a timely manner, supporting not only the individual organizations, but industry-wide and cross-industry relationships to ensure that national and local interests and security are safeguarded.
To support the overall mission, a number of key objectives have been defined: