
Business Continuity Planning (BCP) offers companies a compact process for anticipating and responding to business interruptions. It defines what a company will do to restore normal operations as quickly as possible, with minimal losses, after catastrophic events, breakdowns in process, or business setbacks that threaten a company’s viability. Business continuity plans cost relatively little in comparison to what a company could potentially lose from a major business disruption.
Business owners and managers do not like to dwell on the negative. Disaster recovery planning tends to be regarded at best as a time-consuming distraction. Recent events remind us, however, that businesses can be swept away in the wake of a multitude of happenings. In addition, virtually every type of organization today is under increased pressure from government, boards of directors, auditors, large corporate customers and investors to demonstrate that they have a plan to mitigate risks.
Creating a disaster survival plan need not be an overwhelming task for companies. In fact, regulators, investors and customers are demanding they do it.
A survey of 1300 executives responsible for planning and cyber security at small and large companies revealed that:
→ one-third did not have a business continuity plan
→ nearly 40% did not consider continuity planning a priority
→ more than 40% have not established redundant servers or backup sites for critical business functions
→ 16% (over 200 companies) had experienced a disaster that required them to shut down operations for some time
If one's business depends heavily upon IT systems and datacenters, as most businesses do today, one has probably made arrangements to shift operations to a remote site in case of system failures. One may even have business interruption insurance. What most do not have, however, is a well-designed and regularly tested plan to recover from events that could not only cost them money, but put them out of business altogether.
Business Continuity Planning (BCP) addresses the spectrum of threats to critical functions, facilities, and personnel, so that management can decide what risks they are willing to accept, and design ways to eliminate or mitigate unacceptable risks.
PLANNING BEGINS AT THE TOP
To be taken seriously, continuity planning is ideally initiated at the board or CEO level. Much of what passes for continuity planning, however, bubbles up from below in response to an accident or some other event that disrupts operations.
Logically, it would seem that BCP should be done by top management as an adjunct to strategic planning. Senior executives should participate in the first phase of planning, which involves strategic issues and an overall blueprint of how the process will unfold. Only a company's leaders are empowered to make decisions about how much risk the firm is willing to accept. Detailed plans for how the company will react should be worked out at the operational level.
In practice, BCP is usually driven by the IT department, the CFO, or an operations chief who sees the need and takes the initiative. Each of these may have only a limited perspective, however, when what is needed is a broad strategic and cross-functional view of the whole company.
DEPENDENCY IMPLIES RISK
That brings us to one of the key elements of a sound BCP: safeguarding business continuity through technology escrow.
Many organizations depend on third-party technology in their day-to-day activities, yet it is generally not even known that securing the source code of critical software, or depositing essential documents, formulas, plans or blueprints, is a possibility. Dependency implies risk, and it is crucial for technology users to minimize their exposure to such risks.
An escrow arrangement is a common and effective tool to protect the interests of all parties, the technology owner as well as the end user. It is a legal agreement between the Supplier, the End User and the TTP (Trusted Third Party) or Escrow Agent, detailing the escrow procedure:
→ The Supplier deposits his know-how with a neutral third party on behalf of the User
→ The Escrow Agent verifies and holds the deposited material in escrow
→ Under specific and strict conditions in the escrow agreement, the agent is authorized to release the material to the End User, thus enabling his business continuity
Only an "active" escrow arrangement which handles all vital aspects (as opposed to a "passive" concept) can lead to an effective release whereby the deposited know-how can be used to secure the End User's business continuity. The Escrow Agent should perform thorough verification of materials received, and initiate follow-up of updates and new releases according to the desired or agreed upon frequency, so as to keep the deposit up-to-date.
BETTER SAFE THAN SORRY
In a passive escrow deposit, there is always a chance the escrow deposit might be incomplete or incorrect when released to the end user, thereby making the whole arrangement ineffective.
To mitigate this risk and be more assured of the quality of the deposit, it needs to be verified at different levels to filter out any problems in the deposited material. It has been found that 95% of all new deposits are either incomplete or incorrect, and that additional material needs to be provided.
Technical verification of the deposit is therefore a crucial step in a quality escrow arrangement. Alongside it, the End User's legal right to use the released materials whenever a release of the deposit occurs should be protected, while respecting and also protecting the Supplier's intellectual property rights.
With an escrow arrangement, Suppliers take a positive and pro-active approach towards meeting customers' growing needs while protecting their most valuable know-how on both sides. It is a definite win-win situation and a valuable step in preparing for the worst. Hiding one's head in the sand is not an option.