Introduction
The terrorist attacks of September 11, 2001, have shown the world that business continuity planning is critical to the survival of almost any company.  Additionally, local emergency response professionals must be involved and considered in the development and implementation of these plans.  However, because business leadership must be convinced of the need for and benefit of Business Continuity Planning (BCP) the first success factor for business continuity planners is intimate familiarity and integral involvement in the nature of the ‘business’, for BCP should be but one step in the overall business lifecycle (CIO – Strategic Directions).  While both small and large organizations must plan for the continuity of their businesses in the wake of disasters, the issues and challenges each faces are unique.  While the world is always presented with new and unforeseen challenges, the field of emergency management and business continuity planning must work together to ensure the survivability of businesses, their employees, customers, infrastructure, and ultimately, nations’ economies.  While September 11 brought a new focus in everyone’s mind about planning for disasters, we can only hope the focus remains as strong, and grows with every passing day.

Like many operations and procedures we have today, the concept of business continuity started with the Military and its need to continue effective operations in the event of unforeseen disasters and crises.  The 1960s saw the acceptance of the formal concept of BCP, expanding the scope past simply retaining ‘information’ in the wake of a disaster.  The 1970s and 1980s focused on disaster prevention planning for businesses to enhance their survivability, (www.GlobalContinuity.com – How did Business Continuity Develop? - 2002). 

There have been numerous attempts to define ‘Business Continuity Planning.’  For the purposes of this paper, BCP is singly focused on mitigating the effects of a disaster on an organization’s (business, public or private, government agency, committee, association, etc.) ability to perform its core functions, achieve its mission, and serve its customers – ideally with as fast a recovery time to normal operations with as little loss of unique value (e.g., knowledge, information, employees, infrastructure, customers) as possible.  A disaster is any catastrophic event (either short term or long term in development) to which normal business processes are unable to respond.  Admittedly, while Business Continuity Planning should be considered a ‘normal business process,’ it should maintain normalcy in the operations of all essential and core business functions (those functions that, if outsourced, would severely impact the organization’s ability to achieve its mission).  As with almost everything in the field of Emergency Management, the more devastating the effects of a disaster are, the more timely and motivational the incentive to ‘plan’ immediately following the disaster.

While the concept of business continuity has been around for some time and has historically focused mainly on information integrity and recovery, it is never more apparent than today that BCP is more than redundancy of information systems.  People, customers, suppliers, emergency management professionals, the government, and all local first responders must all be considered when creating and administering a Business Continuity Plan, whether for the effects of natural hazards, employee sabotage, workforce problems, economic disasters, or terrorism.  As significantly as the world’s economies rely on corporations, non-profit organizations, and organizations of any size and purpose (including governments), it is a matter of economic and humanitarian interest that companies develop and maintain effective Business Continuity Plans. 

The staggering facts of September 11 show the impact on the businesses and families of employees in lower Manhattan:
•    2,830 – The estimated number of people lost in the WTC collapse
•    14,600 –  The estimated number of businesses inside and around the WTC that were impacted by the disaster
•    13.4 Million –  The total number of square feet of space in six buildings in and around the WTC complex that were destroyed
•    36 –  The number of miles of new cable that had to be installed by Con Edison
•    652 – The number of tenants occupying 28.6 million square feet of space who were temporarily or permanently displaced by the destruction
•    200,000 – The  number of Verizon Communications lines that were knocked out by network failures
•    12,000 – The number of Con Edison customers who had their power cut (it took 1,900 Con Edison workers to restore power)
-  (Christian, Donald B – The Road Ahead: Business Continuity Planning and Risk Management Post 9/11 – PriceWaterhouseCoopers)

It is therefore no surprise that the estimated financial impact on our economy is in the Billions.  Many companies were unprepared for the overwhelming implications of these attacks: the telecommunications infrastructure, their physical office space, and even local commutation resources, ferry service, and tunnel/bridge access.  So many companies not even located in New York, with the loss of telecommunications, had access to their call centers and order processing centers disrupted.  Indeed, the impact of the FAA’s grounding of all flights had a significant impact on the economy across the globe (e.g., FedEx shipments of Atlantic Tuna (hundreds of thousands of dollars worth) to Japan sat undeliverable at docks in the US).

Relationships with emergency response professionals and local authorities is immeasurable important in successfully implementing a BCP.  Immediately following a disaster is not the time to be meeting people for the first time.  Many companies in lower Manhattan were impacted more significantly than they should have due to limited access to their office location (and surrounding areas) immediately following September 11, while those with ‘connections’ were able to communicate with the right people to recover critical resources from their offices.  New organizations, such as the National Center for Crisis and Continuity Coordination (NC4), are working hard to encourage relationships between local businesses and government agencies to ease response to disasters.  These relationships can help businesses respond to and recover from disasters more efficiently, as well as provide additional important resources to local response officials to aid them in their response (e.g., companies donated countless dollars worth of materials – boots, masks, flashlights, buckets, etc. – to the recovery workers at ground zero)

Because of the significant role of the military and government in Emergency Preparedness and response, many individuals currently involved in continuity planning for the private sector come from the military or law enforcement.  (www.globalcontinuity.com – Continuity Plans – the Staff Disconnect).  This can create both advantages and problems.  Advantageously, continuity planners and current emergency response professionals can leverage valuable relationships already developed – relationships that can prove invaluable in the event of a disaster.  However, without an intensive inculcation of the Business Continuity Planner into the nature of the business and culture of the organization, leadership may be unconvinced of the business case for creating a plan, employees can suffer from unfamiliarity with the plan, and ultimately a lack of desire to test and practice the plan.  What comes as second nature to the military and law enforcement personnel does not come naturally to individuals in the private sector. 

Among additional challenges for continuity planning is the importance businesses place on financial efficiency.  Success in maintaining operations during times of disaster, in many ways, is dependent on duplicative or redundant services, redundancy that many consider a waste of money.  For this reason, it is important to gain the advocacy and support from executive leadership prior to implementing and maintaining a business continuity plan.  The continuity planner must be persuasive in his/her arguments for planning, and must clearly show the direct and undeniable business link to organizational success and survivability.  The well designed plan can help to mitigate the problems associated with disastrous results, such as lost customers, reduced public perception, distraught employees, and significant costs associated with returning to business – all challenges that could render an ill-prepared or small company helpless.

Employee confidence that they and their families will be taken care of in the event of a work-related disaster is a significant part of the BCP equation.  Whether an organization is product, service, or information driven, its employees are crucial to its success.  Employees must be prepared for disasters, and feel confident that their employer is prepared, as well.  Given that Americans spend such a significant amount of time (almost 1/2 of our waking hours), organizations must be prepared to deal with the psychological and sociological impact on their employees and their families.  Certainly, a good plan must consider disastrous events that happen away from the workplace that may emotionally affect a large population of its employees (a company may have a large percentage of employees from a specific region or country that could be hit by an earthquake – these employees’ productivity, focus and attention would obviously be hurt by concern for their loved ones and may need to excuse themselves from work for a while).

Another important part of BCP is the frequency and reality of testing the plan.  In times of crisis, individuals can have no question or doubt as to what to do – reaction must be second nature, due to the severity of the situation and the timeliness and importance of an effective response.  Hesitation and uncertainty (as with the evacuation debacle of one of the WTC towers after the initial attack – tenants were told to return to their desk) can cost lives.  Unfortunately, of the few organizations with enterprise-wide continuity plans, even fewer actually tested their plans with their employees.  According to a recent survey by globalcontinuity.com, not only were few organizations testing their plans prior to September 11, even fewer organizations are testing their plans today.  In the year before September 11, 78.9 % of organizations surveyed conducted some form of testing for their BCPs.  After September 11, that number fell to 70.7%, illustrating the obvious disconnect still in many companies’ minds that simply having a plan does not ensure success (www.globalcontinuity.com – Testing Goes in Reverse).  Of course, the significant economic impact of September 11, the overall economic climate, and the financial and economic costs associated with testing affect these numbers.  While ‘a’ plan is better then no plan at all, without testing, the return on money spent on a BCP is marginal at best.

Prior to September 11, many firms would look only to the immediate cost savings in insurance premiums for having a business continuity plan, rather than the overall mitigation and savings as a result of being able to recover quickly from a disaster; this because the possibility of any specific disaster was elusive to business leaders, at least until the events of September 11.  Even today, not everyone is convinced that ‘it could happen to me.’  According to NUA, many firms (including those in the NYC lower Manhattan area) were prepared for everyday types of threats to their information systems, such as power outages, software viruses, and server failure.  Gartner’s survey “Business Continuity Readiness” (December 17, 2001) surveyed companies’ readiness for disasters and showed the vast majority of organizations had prepared for the everyday threats of:
•    Power Outages (90% completely or mostly covered);
•    Single Server or Host Failure (90% completely or mostly covered);
•    Operational Error (81% completely or mostly covered);
•    Application Failure (80% completely or mostly covered); and
•    Software Virus (90% completely or mostly covered).
 
Unfortunately, firms were not as prepared for the vast majority of threats posed by September 11, 2001:
•    Major Loss of Life (13% completely or mostly covered);
•    Physical Attack (28% completely or mostly covered);
•    Complete Loss of Physical Assets and Workspace (36% completely or mostly covered);
•    Transportation Infrastructure Delays/Unavailability (38% completely or mostly covered); and
•    Complete Loss of Telecommunications (42% completely or mostly covered).


According to this survey, a majority of organizations pay for Business Continuity Planning out of their IT/IS budget (61%).  Other cost centers include individual business units (20%) and corporate overhead (17%).  September 11 and other recent disasters (local, national, and global) have reemphasized that people, customers, and organizational knowledge must all be considered, included, and tested in the BCP.  Anything critical to the operations of an organization must first survive a disaster, and second, return to as-close-to-normal operations as quickly as possible.  Without planning for and understanding the necessary actions to take, the unprepared business can die an untimely death.

Additional studies have shown that smaller companies are less likely to develop, maintain, and test business continuity plans for many reasons:  small-business leaders rely on the limited scope of their business, their few locations and employees, the costs associated with planning, coordinating, and testing.  Unfortunately, these smaller companies are those most at risk for decimation by a significant disaster – with fewer resources and a higher concentration of those resources in fewer locations.  While equally tragic, the total loss of one office in a 100 office firm is less disastrous to its survival than to a one or two office firm – the percentage impact is more severe.  Additionally, when business continuity plans are developed, these smaller firms are less likely to adequately test their plans and educate their employees about it.  “The Survey found that 52% of businesses with less than 49 employees; 40.6% of companies with between 50 and 499; 44.7% of companies with between 500 and 999; and 21.5% of companies with more than 1000 employees did not test plans in the year following September 11” (www.globalcontinuity.com – Testing Goes into Reverse).  The number of small businesses that no longer exist as a result of the September 11 attacks is hard to determine, but certainly mind-boggling, as many are not even located in NYC (those that lost customers, employees traveling, or supplies during the FAA grounding of airplanes)

Other significant events have increased the focus on Business Continuity Planning prior to September 11, 2001.  Certainly, the Y2K issue put the continuation of business and financial services in the forefront of people’s minds.  While inherently an IT issue, everyone had significant and drastic speculations as to how life could be affected by this ‘bug’ (as far-fetched as nuclear weapons being launched as fail-safe against false attacks, financial markets crashing, etc.).  Specifically in lower Manhattan, the 1993 Bombing of the World Trade Center resulted in many of these businesses and people planning for significant disasters.  In fact, that bombing is credited as a significant reason so many people (and businesses) are alive today for having tested (in a realistic situation) and planned for a similar disaster to happen again.

Unfortunately, there is no federal mandatory legislation requiring companies and organizations to develop and maintain an enterprise-wide continuity plan.  While there are certain items of legislation under consideration that will focus on continuity issues, organizations can still eschew their responsibilities to their employees, shareholders, customers, and local economies.  By claiming ‘it won’t happen to me’ or ‘BCP is an unnecessary expense’, companies are putting their survival and future at risk.

Because September 11 had shown us that we truly cannot plan for specific events (while the thought of planes being flown into the WTC towers had been around for a while, they were the thoughts of fictional movies), business continuity planning must be results (or impact) driven, not event driven.  Businesses must plan for problems with their suppliers, their customers, and their employees – anything that can have a drastic impact on its business outside of normal operations.  Relationships with local and federal emergency response professionals are, for this reason, so important.  Given the ever-changing nature of the workplace and business (new technologies, telecommuting, increasing globalization), Business Continuity Planners must be more in-tuned with the business, its people, and its environment than ever before.
 
References
CIO Advertising Supplement. “The Secure Enterprise - Staying Alive: Business Continuity Planning.” Strategic Directions.
Compaq White Paper – “Business Continuity: The New Imperative.”  www.compaq.com
Deloitte & Touche.  “Business Continuity Management: Unique Perspectives from Ground Zero” (2002)
Foley, Kathy.  “NUA Analysis: Be Prepared.” 1/28/02. Available at www.nua.ie
Gartner Group Survey “Few Firms Have Continuity Plans” (1/24/02) Available at www.nua.com
Gartner, Inc. and Society for Information Management /Information Civil Defense Task Force. “Business Continuity Readiness Survey Results” (12/17/01)
Jones Lang LaSalle. “The Impact of September 11 on Corporate Real Estate”  Available at www.joneslanglasalle.com
McKinsey & Company.  “Featured Article: Impact of Attack on New York Financial Services” (11/01) Available at www.McKinsey.com
National Academies. “9/11 highlighted Net’s Resilience.” Available at www.nua.com
The Council on Foreign Relations. “America Still Unprepared – America Still in Danger” (2002)
The Foreign Exchange Committee.  “Contingency Planning: Issues and Recommendations.”
Wilkerson, Robert.  “When Labor Conflict Turns Into a Crisis.”  www.marshcrisisacademy.com
www.GlobalContinuity.Com – “Considerations When Choosing a BCM Consultant” (11/5/02)
www.GlobalContinuity.Com – “Continuity Plans – The Staff Disconnect” (10/3/02)
www.GlobalContinuity.Com – “Disasters – Plan For Your People Above All Else” (8/30/02)
www.GlobalContinuity.Com – “How did Business Continuity Develop?” (7/20/00)
www.GlobalContinuity.Com – “Project Initiation and Management” (8/15/02)
www.GlobalContinuity.Com – “Shifting Sands” (11/26/02)
www.GlobalContinuity.Com – “Survey Results: Consulting with Local Authorities”
www.GlobalContinuity.Com – “Testing Goes into Reverse” (9/20/02)
www.GlobalContinuity.Com – “What are the Ten Key Disciplines of Business Continuity” (7/20/02)