In the weeks following September 11, 2001, the New York Board of Trade (NYBOT) was praised, in these pages and elsewhere, for having invested in a disaster recovery plan that proved nearly priceless. The commodities exchange had been spending $300,000 annually for a backup facility that sat idle for years, an expense that had been questioned but that paid off: the exchange not only used the site in the days after 9/11 but continues to use the site as its de facto headquarters as it transitions to a new one in lower Manhattan this month.
That was the kind of success story that was supposed to galvanize the business-continuity market, highlighting as it did the vulnerability not only of computer systems but also of phone, power, and transportation grids. What had been seen as an issue affecting primarily a company's data center was now framed as a strategic imperative affecting every aspect of infrastructure.
Now almost fully ensconced in its new headquarters, NYBOT will maintain some operations at another Manhattan site as well as its backup site in Queens, an approach that COO and senior executive vice president Patrick Gambaro says provides "triangulation, because we conduct business in one location, run our data center in another, and back it up to a third." Even though all three facilities are in the New York metropolitan area, NYBOT was careful to ensure that each is on a separate phone and power grid. "All of our business, all of our people, are in New York," says CIO Steve Bass, "so it didn't make sense to invest in facilities a thousand miles away."
But in making a good business-continuity plan even better, NYBOT faced one obstacle that it may not be able to surmount: complacency on the part of business partners and service providers. As companies become ever more connected to and reliant on other companies, they are not in sole control of their business-continuity destiny. "After 9/11," says Gambaro, "our biggest problem wasn't in getting our end up, it was in connecting to others. I'm not sure the situation is better today."
The failure of 9/11 to inspire a sustained focus on business continuity doesn't surprise those who follow the field. "Unfortunately, BCP [business-continuity planning] spikes up after a disaster and then fades when things are going well," says Colleen Niven, vice president of research at AMR Research in Boston. A survey conducted this year by polling firm Harris Interactive on behalf of SunGard Availability Services found that two-thirds of the large corporations asked believe they are better prepared to access critical data in the wake of a disaster than they were two years ago. Yet the companies queried gave themselves an average score of only C+ in this regard.
Jim Simmons, CEO of SunGard Availability Services, says that while awareness of the issue has increased, "that awareness has been countered by the weak economy." The result: no huge uptick in spending, although certain areas, such as consulting services and "high-availability" services (such as E-business functions that must be kept running around the clock), are doing well. AMR says a company typically spends about $2 million to develop and implement a business-continuity plan, although that figure varies greatly by industry.
Niven says business continuity often suffers from a perception problem: companies believe that creating a plan and signing on for backup sites and the like are one-time events and thus not worthy of a full-time employee, let alone a department. She argues that since businesses change continuously, BCP is also a continuous, and demanding, job. Companies seem willing to take that under advisement. Whether they do more will become all too evident the next time disaster strikes.