Three CIOs discuss how a successful business continuity plan requires prioritization, awareness and testing
Prioritize What You Protect
Michael Rosello, SVP & CIO, Alliance Data: To really assess the effectiveness of a business continuity and disaster recovery plan, you'd need to invoke it, but you'd never want to do that. We've spent a lot of time over the past five years crafting every aspect of our plan--from making the process, methodology and technology investments that support business continuity to testing it in mock exercises.
As a mid-market company, we have established many partnerships, and our partners have their own business continuity and disaster recovery processes, so we are continually revamping our plans to work with theirs. Our partners are just as critical to our continuity processes as our own business units. Ultimately, a plan is only as good as all the people who go along with it.
We conduct a business impact analysis on our environment to prioritize the most critical components and test those. When you work with multibillion-dollar enterprises that have lots of moving parts spread over the country, you can't test everything.
Even though we do quarterly tests and feel as an organization that we have accounted for everything, there is always going to be a level of uncertainty. The only way to know you are prepared is to go through an actual disaster.
Raise Awareness and Manage Expectations
Scott Carl, CIO, Parsons: Our engineering and construction business focuses on what we call business resiliency services. With the types of infrastructure projects we design and build, climate change will affect our customer assets.
Some failures will result from a catastrophic event like Hurricane Sandy, and others will be caused by wear and tear due to chronic adverse weather conditions. Our objective is to incorporate resiliency into the assets that we design, build and operate for our customers.
We maintain data in the field as well as in our data centers, and we do a lot of engineering and CAD work with customers through joint ventures. Our business continuity efforts support those services so that we can recover and continue to work on projects just as we can with our enterprise services.
Our external customer focus informs what we do for our internal IT services. We work directly with the business on recovery expectations, as some areas are more critical than others and require faster recovery.
Emphasizing awareness and education with business leadership is essential. We established a business continuity governance team with representatives from all of our business units and corporate leadership ranks. Through regular meetings, we plan business continuity efforts that factor in the safety of our personnel and the continuity of IT and business services.
Don't Make Business Continuity a One-Time Event
Darren Dworkin, CIO & SVP of Enterprise Information Systems, Cedars-Sinai Medical Center: We are rapidly moving toward electronic systems, and a particular challenge for us as a 24/7 healthcare facility is not unplanned downtime so much as planned downtimes to perform upgrades and to do routine maintenance.
We very rarely have the luxury of turning systems off the way that some other industries do; it's just not the nature of our work. At the core of our IT operations are redundant systems that function both as fail-safe backups in case something goes wrong and as full working versions of production systems. By leveraging these copies, we can give ourselves maintenance windows.
The key is to not approach business continuity as a dreaded one-time, unplanned event. We weave business continuity into our planning by using our backup systems as often as we can. Very recently, we upgraded one of our core systems, and rather than present our users with downtime, we performed a planned failover to our backup and disaster recovery platform so our users could continue to operate while we upgraded the primary nodes. This is really what business continuity is about--integrating business continuity plans into our operations so that we are not relying on them solely when we need them.