Since the start of the 21st century, a series of catastrophic events - both natural and man-made - has forced decision-makers at the helm of both public and private sector organizations to more carefully consider the potential impact of disasters on the continuity of business operations.

Consider Hurricane Katrina, which flooded the city of New Orleans when it made landfall on August 29, 2005 - killing over 1300 people, displacing some 770,000 people, destroying or severely damaging some 300,000 homes, battering offshore energy infrastructure and ultimately costing an estimated $96 billion. Katrina proved once and for all that "it can happen here."

Other events, from the horrific attacks on 9/11 to the far more benign regional blackout of 2003, are sober reminders that disaster can strike often - and unpredictably.

Widely held views of a bungled government response to the tragedy forced the U.S. federal government to take a close look at what went wrong. President Bush ordered a comprehensive review of the federal government's response to Hurricane Katrina, to help us become "better prepared for any challenge of nature or act of evil men that could threaten our people."

The end-result of this review was the February 23, 2006 submission of a report titled The Federal Response to Hurricane Katrina: Lessons Learned. In its preface, Frances Fragos Townsend, Assistant to the President for Homeland Security and Counterterrorism wrote that "Hurricane Katrina was a deadly reminder that we can and must do better, and we will," and that "No matter how prepared we think we are, we must work every day to improve." At the start of Chapter 1, the report explains that "our obligation is to work to prevent the acts of evil men; reduce America's vulnerability to both the acts of terrorists and the wrath of nature; and prepare ourselves to respond to and recover from the man-made and natural catastrophes that do occur."

One September 23, 2004 - a full year before Katrina's fury flooded New Orleans and decimated the U.S. Gulf Coast - the U.S. Department of Homeland Security (DHS), in partnership with the Advertising Council and a variety of business organizations, launched its Ready Business initiative focusing on business preparedness, to "help owners and managers of small to medium-sized businesses prepare their employees, operations and assets in the event of an emergency."

Though Katrina was still a year away, the wrath of nature as well as man was on the mind of then-DHS Secretary Tom Ridge, who explained that "the terrorist attacks of 9/11 and more recently hurricanes Charley, Frances and Ivan showed that disastrous events can paralyze business operations." Developing an emergency preparedness plan, he added, would make "our nation and our economy more secure."

While having an emergency preparedness plan "can greatly improve the likelihood that a company will survive and recover from all emergencies, natural disasters or terrorist attacks," DHS noted in its media release announcing the Ready Business launch that "too few businesses are taking the necessary steps to prepare." The Ready Business website explains while "business continuity and crisis management can be complex issues depending on the particular industry, size and scope of your business," DHS believes that "putting a plan in motion will improve the likelihood that your company will survive and recover."

SecurityInnovator spoke with Marc Johnson, a principal at Cupertino, Calif.-based Symantec Global Services, the services arm of IT security solutions vendor Symantec, Corp. Johnson explained that events like "Hurricane Katrina and the Northeast regional power outage of 2003 are classic cases that illustrate the problem of business continuity: Too often, organizations believe that it will never happen to them and when it does, they will not be too adversely affected." Johnson noted that "these cases have also enlightened the fact that a piece of paper indicating that an organization has a business continuity plan - as required by Sarbanes-Oxley, Graham-Leach-Bliley, and other regulatory acts - is not enough. Actual well documented and exercised plans - with real resumption tasks - are the safeguard that key stakeholders and their organization require."

In the wake of the recent string of large-scale disasters, Johnson noted that "we learned that planning for events of this magnitude are by no means out of scope." But we also "learned that even the most well laid plans have faults, especially if they are not exercised on a regular basis. We learned that organizations cannot perform a business impact analysis, design an appropriate strategy to mitigate the risks, implement technology, and document business continuity plans once: The only constant in business is change; thus, business continuity must be a program that constantly improves upon itself."

Harprit Singh, CEO of Philadelphia, Penn.-based Intellicomm, a unified communications service firm, explained to SecurityInnovator that the "principle challenge of business continuity is lack of adequate planning by businesses and other institutions," and that "having a business continuity plan requires a significant amount of planning, identification of workflows and business processes most impacted due to disruption, and having a contingency plan in place to address them." Singh observed "the lack of adequate communications facilities during the 9/11 tragedy and Hurricane Katrina in New Orleans" illustrate the scale of the business continuity challenge: "In both cases, the traditional telecommunications facilities were severely destroyed and unavailable thereby creating a mess in managing rescue and recovery efforts." But not all business continuity problems are caused by large-scale disasters like 9/11 or Katrina.

Harprit Singh, CEO of Intellicomm

As Singh explained, "Such large scale disasters usually get all the attention and are typically the driving force behind business continuity planning. However, companies face similar situations every once in a while even when unrelated to major disasters on company premises. For example, do companies have an alternate way to manage their incoming phone calls if the local carrier has a fiber cut, power disruption or fire? Most would answer No. Having a contingency plan for larger natural disasters affords companies the luxury of invoking them in unanticipated or unforeseen business disruptions," regardless of their scale.

Singh believes business continuity can best be addressed "by distilling business continuity to smaller, manageable challenges that can be addressed with limited resources with the intent of building a holistic approach over time." He has found that "too many companies want to address everything but don't have the resources available, thereby abandoning even smaller implementations." Singh observed that "larger companies tend to have plans in place for relocating their people and processes in case of disasters" while "small to mid size businesses find that task largely daunting and expensive." But, he pointed out, "not all aspects of a business continuity plan are expensive if carefully researched and evaluated" - so that "small to midsize companies can start planning in smaller increments with an eventual goal of a more comprehensive plan."

Singh noted that current trends in business continuity "are still largely confined to business continuity plans in terms of data protection and management," and while "telecommunication business continuity planning is an extremely important aspect of any contingency plan - but surprisingly, it gets very little attention, even though a command and control structure collapses when there is no communication." He has found that "the telecommunications business continuity issues still remain largely ignored and unaddressed - whether by telecom carriers, vendors or business owners."

Singh believes businesses "should establish external backup systems, phone numbers, fax numbers, voicemail or announcement lines as alternate sources of communication for employees as well as customers should the primary phone systems be unusable. Even a voice message left by a customer and employee is far more useful in a disaster recovery situation than no communication with them at all." Indeed, Singh explained "it does no good if you have another location for people and processes if there is no communication between various parties." He added that "it is critical that customers know you are still in business and plan to keep them posted about the progress of recovery."

In addition to ensuring continuity of business communications, Jim Gildea, vice president of marketing at Brno, Czech Republic-based Grisoft, a software company specializing in computer-virus solutions, told SecurityInnovator that the issue of network continuity is also important to consider within the context of business continuity. He observed that "by and large business continuity is defined by the ability of organizations to quickly recover from major interruptions, either technological, man-made or acts of God." He added that "typically this has been held within the realm of data backup, secure offsite archiving and geographically dispersed redundant data centers." But more recently he's found that "organizations are now regarding business continuity as the ability to avoid an interruption to their businesses by hardening their defenses against hackers, viruses and malicious code."

One of the greatest challenges for business continuity is the unpredictable nature of disasters, whether natural or man-made. When and where the next disaster will strike is impossible to know; but not being prepared when it does can spell doom for any business and its stakeholders.

SecurityInnovator spoke with Sunil Cherian, director of product management for Array Networks, a provider secure VPN remote access solutions. He explained "the fundamental premise is that disasters/disruptions are unpredictable," and one thing large-scale disasters like Hurricane Katrina and the 9/11 attacks taught us is that "we can't predict disasters." Cherian added: "We don't have solutions for all disasters, but we can be better prepared to deal with the aftermath of such a disaster, when it happens. Organizations that are better prepared face less loss and are up on their feet quicker." He pointed out that "if you are a small business, one disaster will kill you" - whereas "if you are a large business, you are probably hurt - but you can likely afford the loss of a limb or two."

Sunil Cherian, director of product management for Array Networks

Cherian believes that "we need to take our collective heads out of the sand, and start thinking about 'what if' scenarios and how to address it. Organizationally, it starts with education and awareness that it is indeed a problem." He added that organizations "need to identify the critical elements and start costing the damage associated with not being able to do a specific function& Depending on the prioritization, and the criticality, you can spend significantly more to get complete online redundant data centers, or spend less, but take a little bit of downtime by taking an offline approach to data recovery or restore." Cherian defined "a true solution to business continuity" as one that "needs to address the productivity issue, needs to address the issue of a large number of typically wired users who now become remote users, needs to address the issue of having backup data and applications that can be brought online and accessed without taking too long. It needs to address processes and communication mechanisms used in the event of a disaster or disruption."

Cherian pointed out that "technology is available today to provide multiple data centers, to provide data backup and recovery, and to provide scaleable remote access," and that "leading edge organizations are putting in plans to have scaleable remote access, data backup/recovery, redundant data centers, emergency communication mechanisms, etc."

Ensuring business continuity requires leadership both within the organization and without. As Grisoft's Gildea explains, "responsibility for a comprehensive business continuity best practices must be driven from the executive level, validated and executed by the IT organization, and adopted as practice company-wide."

Cherian agrees, explaining that "business continuity is about the survival of the company. It needs executive leadership." Singh concurs, noting business continuity "certainly requires the executive leadership's involvement as the champion and chief visionary of any business continuity plan." IT departments are an important part of the solution, but can not solve the problem on their own. As Cherian explained, "IT is a significant component of it, but processes, procedures and planning are just as important."

Singh noted "IT and other departments can help implement a business continuity plan, but it needs to be initiated at the top." And, as Johnson explained, "IT is only one business unit within an organization and subsequently cannot bear the burden alone."

Addressing the challenge of business continuity internally may prove difficult for some companies, especially smaller ones. Fortunately, there are external vendors willing to share their expertise. Singh explained that "depending on the level and sophistication of a business continuity plan, it may be prudent to involved external specialists as companies can leverage the collected experience, wisdom, and resources of an external vendor specializing in it."

As Cherian noted, "vendors can help with pieces of the solution - but what you spend, how much you spend and where depends on your business and a keen understanding of the elements that make up your business and the problems that need to be addressed."

Symantec's Johnson has found that "many organizations need external specialists to assist in the building of consensus. Left as an internal initiative only, many organizations fail to see the business objectively and effectively question the priorities associated with the risks and threats. It is often thought to be too monstrous a task when an organization tries to tackle it alone. Specialists are practical educators that provide expertise from many industries and organizations as well as practical experience. This helps businesses get to recovery quicker through that practical experience and objective perspective."

In addition to executive leadership, government has an important role to play in encouraging business to prepare for the worst. Johnson observed that "government has taken distinct action in the form of regulatory requirements such as BASEL II, Sarbanes-Oxley, and other domestic acts." He reflected, "Are these perfect in purpose and execution? No. Are these regulations detailed enough to explain what to do and not do? No. Is it the government's responsibility to protect the business? No." He commented that "unfortunately, the existing regulations are quite vague and open to wide interpretation," and he believes that "the government should help companies meet their business continuity challenges by being more specific in the requirements that organizations must meet for compliance with regulations meant to protect stakeholders."

Cherian believes "government needs to raise awareness about the need for business continuity," and that "it can probably help by approving financial/tax incentives for organizations to be prepared for business continuity" and "perhaps encourage insurance companies to offer programs similar to earthquake insurance - but more general, disaster insurance policies."

Singh believes government needs to do more, and that so far, it "has done very little in terms of helping companies meet their business continuity challenges." While "there is usually an up tick in discussion right after a disaster happens," this "quickly fades away without any concrete plans." Singh proposes that, "at the very least, governments can establish a set of best practices and educate companies, especially small to midsize companies with limited resources, in addressing the business continuity challenge."

However, Grisoft's Gildea takes a contrarian view on the role of government in business continuity. He believes "legislation and regulation are not the answer to technological business interruptions." He recalled how "the CAN-SPAM Act, for instance, has not reduced the amount of unsolicited email users receive," and that "in fact, research has shown spam levels have risen 33% in 2006. Furthermore, industry focused regulations, such as Sarbanes-Oxley, have put such an administrative burden on companies that it has actually decreased productivity."

Gildea believes the best approach is through self-help: "Organizations must take it upon themselves to protect themselves from technological threats as they evolve. To that end, a thoughtful, documented best practices policy must be crafted taking into considerations all aspects of activity within the organization. Relying on governmental legislation and regulation will not address these threats because they evolve too quickly."