In Case of Emergency, Activate Business Continuity Plan

Making business continuity a CEO concern, not just for the CIO or CSO

Finding these dependencies requires a lot of discussion, collaboration among people with different functions, and input from an IT expert who understands the underlying systems. "An oil exec may say that it's really critical that we have this data warehouse up because we can't analyze exploration areas without it," Walch says. "Someone from IT can then say, 'Well, it's the systems that feed the data warehouse and the process control mechanisms that are really critical here.' "

It's also important to clarify business process goals. If the help desk's goal is to ensure that no client is on hold for more than 30 seconds, then it's important to look very closely at the phone system and redundant routing to various switch stations, says Tim Leech, principal consultant and chief methodology officer at Paisley Consulting.

Often it's best to prepare business unit reps by distributing a survey or questionnaire before the workshop to get the thinking going. "We gave the business unit people information and questionnaires to answer in advance and then got together in a workshop approach with a team from SunGard to do the workshops and data collection," TV Guide's Sullivan says.

The Business Model Challenge The hard part, particularly from a technology standpoint, is identifying all the layers of dependency. Business units may know about the payroll system, but it takes a lot of IT participation to get down the stack, layer after layer. Applications such as payroll run on operating systems and adhere to system configurations, which in turn integrate with an application infrastructure of back-end systems, identity management systems, and protocols. All of this sits on a physical infrastructure of server platforms, networking, and routing infrastructure, which in turn depends on an underlying critical infrastructure of cooling, power, communications, local and regional government services, and, perhaps most important, people. And, as obvious as it may seem, people depend on food and shelter and, perhaps less obvious, a perception of a certain amount of safety. "You may have a disaster situation in which the people didn't die but the families panicked and forced them to quit," Burton's Henry says.

The other challenge is identifying dependencies that come from BPO and supply-chain arrangements. "If you're outsourcing HR, you probably want to keep backups of everything you send to that company," says Fred Cohen, CEO of Fred Cohen & Associates, information security specialists.

Mobility is another potential stumbling block. "Many people are surprised at how much data is on peoples' PCs and laptops," Unisys' Dillman says. "If they can't use them, which occurred after Katrina, the business may not be able to operate." And finally, it's important not to overlook information lifecycle issues tied to regulations such as HIPAA and Sarbanes-Oxley.

Several vendors -- including Fred Cohen & Associates, IBM, Paisley Consulting, PricewaterhouseCoopers, Protiviti, SAIC, SunGard, and Unisys -- provide services to help companies through this process.

What should this modeling exercise produce? In some cases it's simply a spreadsheet or database that lists different processes and their dependencies. In other cases it may be a large diagram or several diagrams that map out these dependencies through the various layers using icons and colored arrows or process flows. In other cases, the diagram may be linked to a database. "We find that Excel spreadsheets are a major tool for this purpose," Burton's Henry says. Tools are also available from Paisley Consulting, Proforma, SunGard, Strohl Systems, and Triaster to help with parts of this process, as well as the final result. Protiviti and Unisys have their own tools that they use with customers.