
Information Systems Management
ISSN: 1058-0530 (Print) 1934-8703 (Online)
Journal homepage: https://www.tandfonline.com/loi/uism20

Business Continuity Planning: A Comprehensive Approach
Virginia Cerullo & Michael J. Cerullo

To cite this article: Virginia Cerullo & Michael J. Cerullo (2004) Business Continuity Planning: A Comprehensive Approach, Information Systems Management, 21:3, 70-78, DOI: 10.1201/1078/44432.21.3.20040601/82480.11

To link to this article: https://doi.org/10.1201/1078/44432.21.3.20040601/82480.11

Published online: 21 Dec 2006.

BUSINESS CONTINUITY PLANNING: A COMPREHENSIVE APPROACH
Virginia Cerullo and Michael J. Cerullo

The risks of business interruption expand as companies become more dependent on information technology (IT) infrastructure. A comprehensive approach to business continuity planning seeks to mitigate all major interruptions of business systems. This article analyzes recent national and international surveys to develop insights about the current status of business continuity plans, including perceptions about internal and external information security threats.

VIRGINIA CERULLO and MICHAEL J. CERULLO are professors of accounting at Southwest Missouri State University in Springfield. Both authors are also CPAs and CFEs (Certified Fraud Examiners).

www.ism-journal.com | Summer 2004

Every company is susceptible to natural disasters, such as earthquakes, hurricanes, and floods, which occur regularly throughout the world. The Federal Emergency Management Agency (FEMA) states that between 1976 and 2001, a total of 906 major disasters were declared in the United States.1 Tens of thousands of organizations of all sizes were affected by these disasters. Unless firms prepare in advance, disasters inevitably shut down business operations. And the longer a firm’s operations are shut down, the more likely it will never reopen for business. A study by Datapro Research Company found that 43 percent of companies hit by severe crises never reopen, and that another 29 percent fail within two years.2 According to FEMA, of all the businesses damaged by Hurricane Andrew in 1992, 80 percent of those lacking a business continuity plan (BCP) failed within two years of the storm.

The potential causes of business interruption are not only natural disasters, but are multifaceted, including interruptions caused by human error, utility disruptions (such as power outages), and malicious threats from outsiders. The risks of business interruption have therefore expanded as companies increasingly depend on information technology (IT) infrastructure and become more linked to external networks. The threat of cyber-terrorism — including unauthorized access to a system, disruption or denial-of-service, unauthorized use of a system, or unauthorized changes to system hardware or software — can be as destructive as physical acts of terrorism. Quickly recovering from any type of business interruption, whether from a natural disaster or a telecommunication breakdown, is critical to a company’s survival as a going concern.

Many companies have developed a disaster contingency recovery plan (DCRP). Although a DCRP is vital, it is primarily a reactive approach (i.e., a corrective control) and not a comprehensive plan for risk management. In contrast, a business continuity plan (BCP) seeks to eliminate or reduce the impact of a disaster condition before the condition occurs.

The Ernst & Young Global Information Security 2002 Survey revealed that critical business systems were increasingly interrupted: more than 75 percent of organizations worldwide experienced unexpected unavailability.3 Thus, every firm needs a comprehensive BCP that addresses both internal and external threats.

BASIC COMPONENTS OF A BUSINESS CONTINUITY PLAN

A BCP is designed to avoid or mitigate risks; to reduce the impact of a crisis (i.e., disaster condition); and to reduce the time to restore conditions to a state of “business as usual.” There is no single recommended plan for business continuity; instead, every organization needs to develop a comprehensive BCP based on its unique situation. A BCP should also be dynamic, evolving as the business environment changes and its dependency on advanced technology changes.

The business continuity planning process should address three interdependent objectives:

1. Identify major risks of business interruption.
2. Develop a plan to mitigate or reduce the impact of the identified risk.
3. Train employees and test the plan to ensure that it is effective.

The three basic components of a BCP to achieve these objectives are described below.4

Business Impact Analysis (BIA)

The business impact analysis (BIA) identifies critical functions the business must perform to stay in business (i.e., make money, provide mandated services); identifies risks to critical business functions and rates those risks according to probability of occurrence and impact on the business; recommends avoidance, mitigation, or absorption of the risk; and identifies ways to avoid or mitigate the risk.

In today’s business environment, identifying risks has become a watchword. Recently, many leading firms have adopted an enterprise-wide risk assessment strategy and have established a framework, or database, of risks identified for their companies. Business continuity planners should be participants in any strategic risk assessment process and help establish a risk awareness environment.

Disaster Contingency Recovery Plan (DCRP)

Many companies have developed a disaster contingency recovery plan (DCRP), which specifies procedures to enact when a disaster occurs. It includes identification of primary and alternate team members and their specific duties, including executive management roles; notification procedures and alternate meeting site locations; work-around processes to keep the function operational while damaged resources are being restored to a “business as usual” condition; a contact list of all personnel and the functions they are qualified to perform; identification of all internal and external vendors and each vendor’s primary and alternate contacts; and report forms (expenses, activities, etc.). A DCRP is therefore an integral part of a BCP.

Training and Testing

Training and testing includes developing a test methodology, simultaneous testing and training of the disaster recovery team, followed by BCP revision and simultaneous testing and training again. As a major component of the BCP, testing is essential to determine whether the BCP is adequate to address critical risks. In addition to ensuring that the disaster recovery team members — both primary and alternates — know what to do, testing under increasingly realistic conditions helps develop confidence and avoid panic during a disaster event.

Senior management backing of a BCP initiative ensures organizational commitment and adequate funding for business continuity planning. Yet even today, many executives view the BCP as a way to spend money with little, if any, return on the investment. Table 1 identifies some potentially useful Web resources for business continuity planning; some of these sites provide specific examples that may be useful to companies either developing or reevaluating their business continuity strategy. The detailed BCP outline developed by Paul Kirvan, published in the Contingency Planning and Management journal, is also a useful resource.5

Several recent surveys also provide some insight into the status of business continuity planning in companies throughout the world. The findings published in the Ernst & Young Global Information Security 2002 Survey,6 based on responses from 459 CIOs and IT directors from medium- to large-sized companies worldwide, reveal that only 53 percent of these companies had a BCP. Of these companies with an in-place BCP, many had also not gone through the expected activities to develop a comprehensive plan. For example, more than 40 percent of the companies claiming to have a BCP had not carried out a business impact analysis (BIA) and prioritized their critical business processes. In addition, 21 percent of the survey respondents had not tested their plans and less than 50 percent of the responding firms had not established recovery timelines with the business, which could mean a wide expectation gap between what the business needs and what the plan provides for.7

TABLE 1 Leading Disaster Recovery and Business Continuity Web Sites

www.itaudit.org (Institute of Internal Auditors)
www.auditnet.org (AuditNet)
www.ContingencyPlanning.com (Contingency Planning & Management)
www.drj.com (Disaster Recovery Journal)
www.disasterrecoveryworld.com (Disaster Recovery World)
www.dlttape.com/proveit/steps/plan/test/ (Quantum Corp.)
www.wa.gov/DIS/CSD/drhopage.htm (Washington State Department of Information Services)
http://helpnet.ut.cc.va.us/NOC/Mainframe/drplan.htm (Virginia Community College Utility)
www.sun.com/storage/white-papers/backup-article2.html (Sun Microsystems)
www.labmice.net/disaster.htm (LabMice.Net)
www.state.mo.us/mo/samii/projinfo/implement/techbp/tech23.html (State of Missouri and American Management Systems)
www.state.me.us/bis/prod/Disaster.htm (State of Maine)
www.comdisco.com (Comdisco Inc.)
www.hp.com/go/recovery (Hewlett-Packard)
www.gedisasterrecovery.com (GE Capital Information Technology Solutions)
www.ibm.com/services/continuity (IBM Corp.)
www.sungardresponse.com (SunGard Recovery Services LP)
www.dri.ca (Disaster Recovery Institute Canada)
www.drie.org (Disaster Recovery Information Exchange)

Modified from: Michael Barrier. “Preparing for the Worst,” Internal Auditor, December 2001, p. 60.

A survey of business continuity planning professionals conducted in mid-2002 revealed that 38 percent of the 855 responding companies had activated their BCPs (CPM and Strohl Survey, 2002). This has led Brian Turley, President of Strohl Systems, to conclude that:

“It is no longer a matter of ‘if’ you have to activate your plan, but ‘when’ you will have to activate your plan.”8

“Managers of a company may be morally and ethically bound to make decisions and plans that will ensure that the business continues to operate.”9

The next section provides a review of recent empirical data concerning the internal and external causes of business interruptions. For those with in-place BCPs, these survey findings on actual and potential causes of business interruptions can be used to help direct management attention to areas of a BCP that need enhancement.

INTERNAL AND EXTERNAL CAUSES OF BUSINESS INTERRUPTIONS

The CPM and Strohl Survey 2002 found that 50 percent of the responding continuity planning professionals were most concerned with accidental failures (i.e., internal causes, such as power outages, equipment failures, software errors, and operational errors). The threat of natural disasters (i.e., earthquakes, floods, and hurricanes) ranked as the second-greatest cause of concern with 29 percent. Intentional externally caused disasters (such as hackers, terrorism, and acts of war) ranked third with 21 percent.10

The existence of multiple causes of business interruptions is also documented in the Business Continuity Benchmark survey results published by CPM/KPMG in 2002.11 Based on 624 respondents, the results shown in Figure 1 provide comparisons over four years for business interruptions due to both internal and external causes: human error, power outage, service provider failure, communications failure, natural disaster, facilities moves, hardware failure, and software failure. It is interesting that the only actual or perceived risk that decreased between 1999 and 2002 was the risk from natural disasters. Although natural disasters were still a significant threat, the recent survey respondents, who included contingency planners, identified power outages, hardware and software failures, and communications failures as more common business interruption risks.

FIGURE 1 Business Interruption Risk (Source: CPM/KPMG Business Continuity Benchmark Survey, Witter Publishing Corp., 2002.) [Two bar charts of the percentage of respondents (0 to 80) reporting each cause of interruption in 1998, 1999, 2000, and 2002. Causes: Human Error, Power Outage, Service Provider Failure, Communications Failure, Natural Disaster, Facilities Move, Hardware Failure, Software Failure. Some 1998 values are N/A. The bar values are not recoverable from this copy.]

The Ernst & Young 2003 Survey also reveals a heightened recognition of information security threats. The threat to information security perceived as the highest intensity (recognized by 77 percent of respondents) was a major virus or worm. However, employee misconduct with information systems was rated next highest (by 57 percent of respondents).12 These two types of attack or abuse were also listed the highest in the 2003 CSI/FBI Survey based on reported incidents.

Taken together, these surveys provide clear evidence that companies now appear to consider internal causes of business interruption to be multifaceted, from operational disruptions due to human error, to technical disruptions due to hardware and software failures. However, companies must recognize that to prevent business interruption, it is necessary to address all the complexities of internal operations to support their business, as well as a wide range of external causes of business interruption. Below we discuss additional survey results for internal causes and external causes separately.

Internal Causes

Understanding the key internal causes of business interruptions will assist firms in enhancing their BCPs. The traditional focus for BCPs has been the impact of hardware or software failure on maintaining and processing critical data. Clearly, this continues to be a major concern. As seen in Figure 2, the top two causes for the unavailability of critical business systems cited in the Ernst & Young Survey 2002 were hardware or software failure (56 percent) and telecommunications failure (49 percent).13 However, Figure 2 also reveals that a high number of failures were due to system capacity issues and operational errors. These internal causes of failure could be the result of poor management of operational basics, such as sound operational procedures for loading new software, change management, and capacity planning.

Further, the possibility of an internal attack on systems is often overlooked or underemphasized. Only 41 percent of the organizations included in the Ernst & Young Survey 2002 expressed concern about the potential for internal attacks on systems, despite overwhelming evidence of the high number of these attacks.14 In another 2002 report, Vista Research estimated that 70 percent of security breaches — causing losses of more than $100,000 — were perpetrated internally, often by disgruntled employees.15 The 2003 CSI/FBI Computer Crime and Security Survey reports insider abuse of network access as only slightly below virus attacks as the most cited form of attack or abuse.16 In addition, although virus and worm attacks are discussed under “external causes” (see below), these attacks could originate internally.
FIGURE 2 Causes for Unavailability of Critical Business Systems (Source: Ernst & Young, Global Information Security Survey, 2002.) [Horizontal bar chart of the percentage of respondents (0 to 60) citing each cause: Hardware/software failure; Telecommunications failure; Third-party failure (e.g., IT service provider); System capacity issues; Operational errors (e.g., wrong software loaded); Malicious technical acts by outsiders (e.g., hacking, viruses, worms); None occurred, do not know; Other. The bar values are not recoverable from this copy; the text gives 56 percent for hardware/software failure and 49 percent for telecommunications failure.]

The Ernst & Young Survey 2003 found that senior managers still focus more on the publicized external attacks than potential internal attacks. As shown in Figure 3, when respondents were asked to rate the relative intensity of threats expected over the next 12 months, employee misconduct with information systems was rated as a much lower threat than a major virus or worm.

External Causes

In the 1980s and early 1990s, many firms established a DCRP primarily to address natural disasters. In fact, many waited until a natural disaster actually occurred to their company before developing a DCRP. Unfortunately, too few firms have updated their business continuity strategy to recognize man-made external threats. A major challenge today is to manage the growing threat from these external risks due to recent changes in the IT environment. As seen in Figure 3, for example, the highest threat perceived over the next 12 months was a major virus or worm attack.

Based on responses from 530 computer security practitioners in U.S. corporations and government agencies, the findings of the 2003 CSI/FBI Computer Crime and Security Survey reveal that 56 percent of respondents reported that unauthorized use and theft of proprietary information caused the greatest financial loss ($70,195,900). The second-most expensive computer crime among survey respondents was denial-of-service ($65,643,000). Although not the most expensive, virus incidents were the most frequently cited forms of attack.17

The BCB 2002 Survey, designed after the 9/11 terrorist attack in the United States, added a question to determine the extent to which companies had been affected by, or at risk of, threats of (1) information security breaches and (2) terrorist activities. More than two thirds of companies surveyed still did not regard either malicious activity as a threat to their company. While it may be understandable that companies could not imagine an event similar to those of 9/11 happening to their company, it is surprising that less than a third of the companies perceived at that time a threat from an information security breach. In contrast, the disaster recovery coordinator at the Johns Hopkins Hospital, Bill Rider, has commented:

“While we continue to be at risk of physical terrorist attacks, I think the risk of an electronic terrorist attack via denials of service, worms, etc. is becoming much greater, given our ever-growing dependence on the electronic infrastructure.”18

FIGURE 3 Perceptions of Threat Levels 2003 (Source: Ernst & Young, Global Information Security Survey, 2003.) [Bar chart of the mean relative intensity of each threat over the next 12 months, rated from 1 (low) to 5 (high). The bar values are not recoverable from this copy. Threats, in the order shown:]
Major virus or worms
Employee misconduct involving information systems
Distributed denial-of-service (DDoS) attack
Loss of customer data privacy/confidentiality
Amateur hackers or "script kiddies"
Theft of proprietary information or intellectual property
Consultants/vendors who have access to info systems
Former employee misconduct involving info systems
Natural disasters
Business partner(s) misconduct involving info systems
Competitor espionage
Political "hacktivism" or cyber protest
Cyber-terrorism: foreign-based
Cyber-terrorism: domestic-based
Non-nuclear terrorist attack
Cyber-war
Foreign government espionage

The Information Security Surveys conducted by Ernst & Young over three years (2001, 2002, and 2003) provide some additional insight into managers’ perceptions of these security risks and their firms’ capabilities to manage them. In the Ernst & Young Survey 2001, security breaches by external parties were the biggest concern, inhibiting development of E-commerce for 66 percent of respondents; only 33 percent of respondents were confident that they could detect a hacking attack.19 In the Ernst & Young Survey 2002, a somewhat higher 40 percent were confident they would detect a systems attack, but another 40 percent of responding firms did not even investigate information security incidents.20 In the 2003 survey, 90 percent of respondents said that information security was of high importance for achieving their overall objectives. However, more than 34 percent still rated their organizations as less than adequate in their ability to determine whether their systems are currently under attack, and more than 33 percent of respondents reported an inadequate capability to respond to information security incidents.21

While external disasters have the potential for unlimited destruction, the damage from viruses and other computer threats can often be quantified. For example, Computer Economics (Carlsbad, California) estimates that corporations spent more than $12 billion in 2001 to clean up virus damage. The Code Red virus alone was estimated to have caused $2.6 billion in damages and infected 300,000 computers.22

Benny D. Taylor (Disaster Recovery Institute International) predicted in early 2002 that an increased dependence on E-business would also increase the need for spending on disaster recovery to reduce the risk of short-term interruptions; he estimated these costs to be from an average of 3 percent to 7 percent of data center budgets. Published estimates of the costs of systems downtime for company Web sites include the following:23

❚ Downtime is costing major Internet players an estimated $8000 per hour (Forrester Research).
❚ Downtime costs $1400 per minute on average (Oracle).
❚ Typical medium-sized business downtime costs average $78,000 per hour; these sites typically lose more than $1 million annually due to downtime (see Table 2) (IDC).

TABLE 2 Average Hourly Effect on Businesses of Web Site Downtime

Type of Business                  Average Hourly Impact
Retail brokerage                  $6,450,000
Credit card sales authorization   $2,600,000
Home shopping channels            $113,750
Airline reservations centers      $89,500
Package shipping service          $28,250

These types of published costs emphasize the importance of identifying business environments that are increasingly exposed to external IT-related risks; an example of a questionnaire to assist in identifying these technology risks to corporations can be found online at the ContingencyPlanning.com Web site.24 Every year, the list of sophisticated external threats to IT environments becomes longer. Therefore, information security must be considered a critical aspect of a comprehensive BCP.

INTEGRATING BCP AND IT SECURITY PLANS

As discussed, information security threats include both internal and external risks to business continuity. As firms become more dependent on IT, there is an increased need to integrate business continuity planning with IT security planning.

Many companies have included both BCP and security measures as a part of their IT budget. The Ernst & Young Survey 2002 found that only 29 percent of responding firms treated BCPs as a business unit expenditure, and 45 percent said it was within the IT budget. These percentages indicate that too many firms still perceive business continuity as the responsibility of the IT function alone. Instead of addressing the multifaceted risks to business continuity, these firms appear to remain focused on traditional recovery of hardware and software.25

However, the BCB Survey 2002 shows an encouraging trend (see Figure 4): BCP is integrated with several functions. Although about 45 percent considered IT as the primary owner, approximately 35 percent of respondents cited corporate/general management as the primary owner of the business continuity programs.26

The results of a 2003 CPM readership survey also indicated a clear relationship between BCP and information security: 70 percent of respondents indicated that IT security was very important to the overall business/contingency planning process. However, the exact terms of the relationship between BCP and information security remain unclear: 13 percent of the business continuity/contingency planners stated that they had total responsibility for IT security, 29 percent had significant responsibility for IT security, and 43 percent said they had peripheral responsibility for IT security.27

Rich Corcoran, Eastman Kodak’s manager of business recovery and information systems, predicts that:

“Over the next three years, I see the main focus of the BCP driven out of [IT] and placed in a corporate position. This will be true for the largest banking and financial institutions, with some creep into large manufacturing corporations. Clearly, a well-designed BCP will be deeply integrated into the business units and business function.”

FIGURE 4 Integration of the BCP (Source: 2002 CPM/KPMG Business Continuity Benchmark Survey, Witter Publishing Corporation, 2002.) [Bar chart comparing 2000 and 2002, percentage of respondents (0 to 80) naming each function as primary owner of the BCP: Corporate/General Management; Risk Management; Facilities Management; Information Technology/Disaster Recovery; Information Security; Other. The bar values are not recoverable from this copy; the text gives about 45 percent for IT and about 35 percent for corporate/general management in 2002.]
However, Corcoran also predicts that the BCP for small and medium-sized companies will continue to be closely aligned with IT.28

To ensure that the BCP is corporatewide, a high-level staff position that is independent of IT or other existing organizational functions might need to be created. For example, managers might wish to follow the lead of some companies that have established the position of “Chief Continuity Officer.”

TESTING THE BCP

As described, Training and Testing is a major BCP component; it is essential that a BCP be thoroughly tested and that employees be trained. Evidence abounds concerning the number of IT-dependent companies, without tested BCPs, that have failed to survive a disaster. BCP testing will provide the firm with the assurance that all necessary steps are included in the plan.

However, recent surveys reveal that too many firms are ignoring or minimizing the importance of the Testing component as part of the development of a comprehensive BCP. In a 2001 survey by Ernst & Young, only one third of the responding companies claimed to have tested their plans.29 The E&Y 2002 Survey reports a much higher percentage of firms testing their plans: only 21 percent reported that they had not tested their BCP.30 Similarly, the CPM and Strohl 2002 survey found that 60 percent of respondents tested their plans either yearly (37 percent) or every six months (23 percent); only 10 percent did not test their plans at all.

The CPM and Strohl 2002 survey31 also provides additional insights into the different types of BCP testing with different levels of intensity (a breakdown on the type and level of testing was not provided in the other studies):

❚ 15 percent performed only IT-specific tests
❚ 8 percent performed tabletop walk-throughs
❚ 8 percent performed call list tests, business unit tests, or enterprisewide, full-scale tests
❚ 58 percent used a combination of these methods

New technology can make testing easier; and perhaps in ten years, intelligent BCP software will be available to automatically update and maintain plans. In the meantime, firms must evaluate their testing procedures to ensure that they are practical, cost-effective, and appropriate. Thorough testing will ensure a high level of confidence and recovery capability.

CONCLUSION

Recent surveys indicate that the majority of firms recognize natural disasters as a significant threat and may have an in-place disaster contingency and recovery plan (DCRP). However, such DCRPs only address one class of threats, while ignoring other serious threats, both internal and external. This article provides guidelines for developing and improving a firm’s business continuity plan (BCP), which has three components: (1) a business impact analysis that takes into account a wide variety of potentially serious internal and external threats, (2) a DCRP, and (3) a training and testing component. A large number of firms are minimizing the importance of testing and maintaining the BCP, yet testing is critical to developing an effective BCP and to assessing the effectiveness of the BCP before an actual disaster occurs.

There is clear evidence that a company without a BCP has a low probability of survival. However, even after the 9/11 terrorist attacks in the United States, only 53 percent of the firms surveyed in 2002 by Ernst & Young had a BCP. Further, based on an analysis of data reported in several major published surveys, many of the existing BCPs are seriously deficient and outdated, as they do not address many of today’s major risks of business systems interruption. The overwhelming conclusion is that firms must periodically reevaluate the comprehensiveness of their business continuity strategy to avoid catastrophic consequences from a wide variety of serious internal and external threats, including increasing information security threats.

Current trends are to transfer the primary ownership of the BCP to corporate or general management and to integrate business continuity and IT security planning. Some companies have given this responsibility to a new corporate position, a Chief Continuity Officer. While no amount of security measures can provide absolute protection from all potential intrusions and disasters, a comprehensive BCP will dramatically increase a company’s defenses and reduce the impact of any business interruptions. ▲

Notes

1. http://www.ferma.gov/library/lib01.htm.
2. Jan H. Schut. “Insurance: Lessons from Disasters,” Institutional Investor, October 1990, p. 297.
3. Ernst & Young LLP. Global Information Security Survey, 2002, p. i.
4. The basic components are modified from: Glenn, John. “BCP 103: Business Continuity Defined,” www.ContingencyPlanning.com/article_index.cfm?article=380.
5. Kirvan, Paul. “Essential Ingredients of a BC Plan,” Continuity Planning & Management, April 2003, pp. 16–17.
6. Ernst & Young LLP. Global Information Security Survey 2002.
7. Ernst & Young, 2002, p. 11.
8. “Study Reports on Plan Activation, Testing,” Contingency Planning & Management (September/October 2002), Vol. VII, No. 6, p. 12.
9. Emergency Response Planning, http://www.erplan.com/index2.htm.
10. “Study Reports on Plan Activation, Testing,” Contingency Planning & Management (Sept./Oct. 2002), p. 12.
11. Hagg, Andy. “Benchmark Report: BCP in 2002,” Contingency Planning & Management (July/August 2002), p. 8.
12. Ernst & Young, 2003, p. 7.
13. Ernst & Young, 2002, p. 11.
14. Ibid., p. 8.
15. Cited in The Economist, October 24, 2002, “The Weakest Link.”
16. 2003 CSI/FBI Computer Crime and Security Survey, p. 4.
17. 2003 CSI/FBI Computer Crime and Security Survey, pp. 3–4.
18. Ernst & Young, 2002, p. 3.
19. Ernst & Young, 2001, p. 6.
20. Ernst & Young, 2002, pp. 7–8.
21. Ernst & Young, Global Information Security Survey 2003 (Issues at a Glance).
22. Carl Herberger, “Integrating Business Continuity and Information Systems,” www.ContingencyPlanning.com.
23. Benny D. Taylor. “Evaluating and Selecting the Most Appropriate Continuity Strategy for Your Organization,” Disaster Recovery Institute International, February 2002.
24. Anthony Scrimenti. “Corporate Technology Risk Assessment: A Questionnaire,” www.ContingencyPlanning.com/article_index.cfm?article=422.
25. Ernst & Young, 2002, p. 3.
26. Hagg, Andy, p. 9.
27. Matt Migliore. “Business Continuity and Information Security,” Contingency Planning & Management, July/August 2003, pp. 26–27.
28. Ibid.
29. Ernst & Young, 2001, p. i.
30. Ernst & Young, 2002, p. 11.
31. “Study Reports on Plan Activation, Testing,” Contingency Planning & Management, Sept./Oct. 2002, p. 12.
