October 1999

Ten Common Business Continuity Planning Mistakes

tp6

tp17

By Dan Carson and Brian Zawada

With increasing reliance on electronic markets and the looming threat from noncompliant Year 2000 media, companies are becoming more and more concerned about business continuity planning (BCP). Statistics taken from recent natural disasters (large and small) are enlightening and lead even the most fearless business executive to think twice about running a business without a plan addressing the unexpected.

A recent Disaster Recovery Journal article summarized some of the dangers resulting from the lack of a BCP: Thousands of businesses went bankrupt during last year's UPS strike; computer downtime costs U.S. businesses approximately $4 billion a year; 43 percent of U.S. companies never reopen after a disaster and an additional 29 percent close within two years.

Yet, simply having a business continuity strategy is not enough. Common mistakes include:

  • Reliance: Relying on a BCP can lead to a false sense of security and potential business failure if the plan is not regularly updated and fully tested. In addition, recovery personnel must be trained on plan execution and employees must be aware of the plan's provisions.

  • Scope: Companies often limit the scope of their efforts to systems recovery. Business continuity planning requires consideration of both business process and systems recovery.

  • Prioritization: A formal plan prioritizing key business processes is a critical step that often does not get its due attention by senior management. Without prioritization, a plan may recover less-than-critical business processes rather than the ones crucial for survival.

  • Plan Update: Formal mechanisms are not in place to force a plan update on a regular basis or when significant systems or business process change occurs.

  • Ownership: Senior management often appoints the wrong person to manage the BCP process; someone with the power to lead, influence, support, prioritize, and organize the project should be named.

  • Communications: Communications issues are often overlooked. Formal plans to contact employees, vendors, business partners, and clients often lack specific communications strategies. Strategies to address how these groups obtain recovery status updates are often inadequate.

  • Security: Information systems security controls are often disregarded during plan development, resulting in a greater risk exposure during recovery operations.

  • Public Relations: Practitioners often fail to plan for public relations and investor considerations, therefore missing the opportunity to limit perceived impact by the public and investors.

  • Insurance: Many BCPs fail to adequately plan to support the filing of insurance claims, resulting in delayed or reduced settlements.

  • Service Evaluation: Many companies poorly evaluate recovery products (hot site, cold site, and planning software), relying on vendor-supplied information. This often leads to a solution that may not adequately address a company's needs.

    Companies that avoid these 10 common BCP pitfalls significantly increase their odds of a successful and timely resumption of business and information technology operations. As an example, one single-site business located in the Murrah Federal Building in Oklahoma City lost 18 of its 33 employees in the blast. With the implementation of its BCP, the business not only survived but recovered quickly.

    Dan Carson and Brian Zawada are with Arthur Andersen LLP's Computer Risk Management practice. They also are associate business continuity planners.


    • Home     | About Us | Continuing Education | Future CPAs | Government Affairs | Professional Resources | Publications | Sound Advice | Tax Resources
    Chapters | Committees | Member Center | Events Calendar | Classifieds | Careers | E-zine Subscriptions | The Trusted Professional | The CPA Journal



    Search | Site Map | Become a Member | Jobs | Press Room | Contact Us | Feedback

    ©1997 - 2009 New York State Society of Certified Public Accountants. Legal Notices