I.T.

Business Continuity Management in Large

Global Corporations: Insights, issues and
recommendations

By Saahil Goel, Student, Katz Graduate School of Business

Dr. Brian Butler, Head – MIS Department, Katz Graduate School of
Business

December 10, 2008

 Contents
Executive Summary
The Issue, context and motivation3
The Position and Perspective
Recommendations
References
December 10, 2008
Executive Summary
B
usiness Continuity Management
2 is defined as “the complete set of
activities and processes divided
into various stages that are necessary
to manage business continuity.
Anticipating Incidents which may affect
6 critical business functions and
processes and ensuring that the
organization is capable of responding
9 to such incidents in a planned and
rehearsed manner”i.
14 Post terrorist strikes on September 11,
2001 most corporations have realized
the importance of Business Continuity
Planning and Disaster Recovery – both
from operational and information
systems perspectives. Many companies
could not survive the terrorist attacks
of 9/11 and ceased due to poor or no
business continuity planning (BCP).
Similarly, the difference between
survival and extinction of companies
post the Katrina Hurricane was also
dependent on solid BCP and Disaster
Recovery (DR) Management.
In today’s corporate landscape, almost
all companies have some form of BCP
and DR activities going on – some to a
greater or lesser extent. The
complexity associated with BCDR
planning increases with the size of a
company, complexity of processes,
geographical span, variety of
information systems and corporate
organizational structure. In general,
the larger a company is (by turnover
and employee strength), the more
strenuous is the BCDR effort. Also, the
longer a company has been in existence
also affects the complexity associated
with BCDR planning as it can mean
re-work: to first bulldoze the existing
structure and then re-build the new
structure.
The matter being discussed in this
paper tackles the issues that large
corporations face with respect to
business continuity and disaster
recovery that are global in nature.
Since being a global company brings
along with it a host of considerations
such as local law, cultural
understanding, deployment of I.T.
systems, and value to business, size
of international market – there is no
single way to manage BCDR for such
a company. This paper describes
some of these issues more in depth,
discusses the current body of
knowledge available and then makes
recommendations.
Page 3 of 14
The Issue, context and
motivation
T
here is a drop in investment
towards BCDR by companies to
begin with as it is not considered
a critical piece of the I.T. infrastructure
by most CIO’sii. There is a lot of
information available around the “non-
acceptance of BCDR” as a core piece of
a company’s IT and operational
infrastructure. Several reasons related
to general topics such as unjustifiable
return on investment, not enough
awareness amongst management and
perceptual issues about alignment with
business goals make this a difficult
initiative to SUCCESSFULLY implement
for any company. However, it is even
harder to implement for 1) companies
that are extremely large in size and 2)
companies that are global in nature.
These two criteria – large and global –
make implementation of such an
initiative difficult even when the need
to do so is understood by top
management, when perceptions are
correct about the return on
investments into BCDR activities.
It is important for global companies to
be prepared for disaster at any cost
because of the myriad levels of risk
that they are opened up to the moment
they go global. While being in the
United States alone, a company may be
subject to risks such as hurricanes,
tornados, IT infrastructure outage, fire,
flood and power outages. But in the
global arena, there are other risks such
as terrorist attacks, bombings,
sabotage, political instability, loss of
connectivity, war, etc. These factors
make it crucial for businesses to plan
for operational continuity and
technology continuity in case of
emergencies. It is also important for
global companies to be fully prepared
with BCDR planning because local
laws mandate this. For example,
there are specific laws in place in
Canada and United Kingdom that
require certain kinds of companies to
have business continuity plans.
Global business continuity planning
can also help a company map all of its
IT processes and therefore gain a
better understanding of their
operations and eliminate
unnecessary bottlenecks in the
process. It also helps IT operations to
function more smoothly by bringing
about awareness of their entire IT
infrastructure. In some cases, it may
even enable huge cost savings by
identifying redundancy of IT systems
that is not required or might reveal
over-allocation of resources on non-
business critical areas of a
corporation.
Another primary reason why all
companies – global and domestic
alike are scrambling to have BCDR
planning under control is due to an
announcement by S&P to incorporate
Enterprise Risk Management (which
includes Business Continuity
Planning and Disaster Recovery) in
their ratings of public companiesiii.
What this means for organizations is
that unless their BCDR planning is
under-control, external assessment
by S&P backed consultants could
mean a poor public image, lower
ratings and hence a lower stock price.
Looking at it this way makes it
Page 4 of 14
everybody’s business to engage in
BCDR planning.
Fundamentally, the issue with
management of BCDR in large and
global corporations is difficult because
of the basic underlying organizational
structure, politics and the sheer
momentum required getting such an
initiative going. Most companies that
are fairly large in size (greater than
$25B a year) have grown by inorganic
growth – i.e. by acquisitions of
companies both at home and abroad.
This leads to a mix of several IT
platforms, organizational cultures, sub-
organizational motivations, political
postures and business priorities. To be
able to run a BCDR project at a global
level means being able to obtain “buy-
in” from all leaders in international
markets and also being able to
motivate and monitor BCDR planning
in local countries. In addition to softer
issues, there are implementation issues
of actual identification of all global
processes and IT infrastructure across
the globe. For some large companies,
the total number of processes could be
as large as 5000, while IT
infrastructure could span thousands of
servers across different data centers!
Different system dependencies also
make it difficult to analyze which
infrastructural and procedural
components are the most critical for
business.
While “selling” the concept may be easy
to some international markets, it may
be equally hard to do so in other
markets because of the different
cultural perspectives that people bring
with them. Also, there may be different
remedial measures available in
different countries, which is
impossible for any ONE country to
know – therefore without doubt
there needs to be involvement from
local counterparts in international
markets, which means they need to
share similar vision and the same
kind of motivation being shared by
the center driving the BCDR project.
This is usually hard because of the
physical distances between markets
and lack of interaction between
employees in large global
organizations. Ownership and
responsibility of maintenance also
become pressing issues the larger
and more globally spread and
organization becomes.
Repercussions of lack of BCDR may
also be different for different
countries – or perceptually different.
This is because the more business a
country or market brings in, the more
it has to lose in case of a disaster.
Therefore, a “graded” business
continuity management system
needs to be implemented. A one-size-
fits-all approach cannot be used
because different markets will have
different requirements of
preparedness. At the same time,
however, there needs to be an
interlinked and a SINGLE corporate
business continuity plan (as a whole)
for an organization for it to be
exercisable and auditable.
by department, by processes, by
business criticality, etc. It all depends
on “what works for a company”.
Therefore, there needs to be deep
understanding of what drives a
company and where the most revenue
is generated. There also needs to be a
keen understanding of which areas of a
business would be most affected and
the varying effect (or hit they would
take) of different kinds of systems
outages or natural disasters.
Even if one is successful in bringing
about awareness of Business
Continuity Management in a global
organization, there is also no simple
way around the sustenance of this
awareness. A business continuity plan
that is out of date is as good as not
having one. How can global companies
exercise their business continuity plans
to ensure that they are up to date and
they work?

To make the problem worse, there

are various ways of going about
BCDR planning and no one approach
is benchmarked as the industry
standard. BCDR can be approached

Page 5 of 14
The Position and
Perspective
W hile there is a host of
information available on
how to go about
implementing a robust business
continuity plan in a company, very
little information talks about the
global perspective that this paper
discusses. Also, there is not enough
discussion about how to manage
business continuity specifically in
large organizations.
In general business journals (such as
WSJ) very high-level considerations
are discussed such as the cost of a
power-outage to companies and the
sad current state of affairs with
respect to preparednessiv. Even
though WSJ’s main offices were
destroyed in the 9/11 terrorist attack
and they were left with makeshift
offices and a somewhat half-baked
business continuity plan.
While WSJ takes a very macro
approach to the problem, Business
Week in an article still describes the
“steps to effective business continuity
planning”v. The article describes that
companies should consider wider
possible down-time scenarios
(causes) and urges top management
to understand the impact of an
outage on the bottom line of the
company. If one is able to make that
correlation it is an easier sell within
the company. It also describes in a
nutshell what other factors a
business continuity plan entails – for
example, identification of personnel,
Page 6 of 14
processes, IT infrastructure, planning
and testing of the business continuity
plan and investigation of advanced
technologies. The article is geared
more towards informing a layman (or
top management executive, that are
not well versed with the intricacies of
BCDR management) about the
advantages and the intricacies of a
business continuity planning initiative
and is not necessarily geared towards
discussion of specific application of this
topic.
In more IT-specific publications, the
value of Business Continuity to
business is described and considered.
For example, as described in the article
“Business Continuity: To Err Is Human,
To Plan Is Divine” in Information Week,
Larry Greenemeier describes that 80%
of IT outages are caused not by natural
disasters but by human errors and the
lack of well-prepared business
continuity plansvi. The cause for
downtime could range anywhere from
simple changes (such as patch
installations on servers) or more
complicated changes (such as
application code release deployments)
on the production environments. If
there is no business continuity plan on
how to respond in case something goes
wrong, there could be significant
downtimes experienced by the IT
organization and business users
leading to loss of revenue and lower
productivity for the company. The
article also describes the added layer of
complexity that is brought about in
virtualized environments. In the
author’s words, a virtual environment
takes “you one step away from
understanding how change will affect
your apps and environment”. The
article further goes on to highlight
that not all companies see business
continuity as a top initiative and that
other issues take priority. However,
there is no discussion on how to
manage business continuity
especially on a global scale.
However, in another Information
Week article, Eric Chabrow and
Martin J. Garvey discuss why a
company-wide approach at business-
continuity and disaster-recovery are
becoming crucial to some
companiesvii. This article describes
some steps necessary to achieve
BCDR preparedness on a global level.
Also is described that only 64% of
companies extend efforts throughout
the company owing to the costs
involved and the complexity in doing
so. Lack of collaboration between IT
and business or political-blame-
gaming is also described as a prime
reason for non-initiation or failure of
business continuity planning. There
are many companies that are serious
about Global BCDR as well. For
example, Merrill Lynch & Co. created
a business post-director of global
contingency planning to oversee
business continuity across the globe
for ML’s international markets. The
way ML has approached the problem
is by “implementing a strong
technical program, a strong business
program, and a strong crisis-
management program”. Also ML has
achieved this because they have “a
mix of technical, security, facility-
management, and business people,
and everyone talks to one another”.
Page 7 of 14
This is in consistence with information
in the CIO article “ABC: An Introduction
to Business Continuity and Disaster
Recovery Planning”viii. In addition to
concurrence with the information
described by the Information Week
article, this article describes a section
of the business continuity plan for a
global manufacturing organization.
“For example, the plan at one global
manufacturing company would restore
critical mainframes with vital data at a
backup site within four to six days of a
disruptive event, obtain a mobile PBX
unit with 3,000 telephones within two
days, recover the company's 1,000-plus
LANs in order of business need, and set
up a temporary call center for 100
agents at a nearby training facility”.
The important thing to note is that in
the described circumstances, it is being
assumed that perfect knowledge about
what is needed to bring the company
back on track (or at least to operate in
“safe-mode”) is known – however, in
most large global organizations that
have NO experience with BCDR, the
first step and one of the most difficult
and complex steps is to actually
identify what areas of the business
need to be recovered the earliest (as
per the “Recovery Time Objective”
concept).
In general, there is a lot of information
available on BCDR frameworks by
several vendors in the market
explaining their approach to managing
Business Continuity in an enterprise.
Vendors also offer software systems to
manage business continuity plans (for
example: Strohl Systems offers a
software called LDRPS – Living
Disaster Recovery Planning System)
that can considerably help improve
global business continuity planning.
But again, there are several vendors
available with variations of such
products. Also commonly available
are “templates” which can be
customized as per a particular
company’s need to create business
continuity plans. However, these may
not suffice for companies of all sizes
and of differing geographic spreads.
In a whitepaper “Enterprise
Continuity Management” Strohl
Systems describes the What, How
and Why of business continuity
planningix.
This paper revolves around the usage
of LDRPS as a central repository for
all of an organization’s business
continuity plans – as a first step
towards achieving BCDR on a global
scale. Also, the access control
features, customization facilities,
interface options and robustness &
scalability of the system make it ideal
for global organizations. The vendor
offers an ECM model (not described
in white paper) that can help
companies concentrate on high risk
areas of their BCP.
committee composed of various
business and IT leaders and buy-in
from executive managers. It also brings
out an important point about the
creation of sub-projects to contribute
to the overall BCDR management
project that should be run as separate
projects. The vendor then goes on to
describe a phased approach to BCDR
planning. By considering Business
Impact Analysis activity in Phase I and
Business Continuity Plan,
Communications and Coordination
Plan, Test Plans and Metrics in Phase II.
Over all, this whitepaper does a good
job of describing how to go about a
BCDR planning effort within an
organization. No special attention is
paid to tackling the issue for especially
large organizations or for
organizations that are widely global in
nature – which is the nature of the
issue that my paper is attempting to
explore.

In another whitepaper by
Comprehensive Solutions, a certain
description for management of a
business continuity effort is
x
described . It urges companies to use
sound project management
methodologies as explained in the
PMBOK (Project Management Book
of Knowledge by Project
Management Institute). It does
mention the creation of a steering

Page 8 of 14
Recommendations
E
ven though there is no clear
answer to approach business
continuity management for
large global corporations, by
amalgamation of information
available currently and knowledge in
the field of organizational dynamics,
a certain “methodology” can be
developed. This methodology will be
described further in this section.
There are several factors to consider
when implementing BCDR within a
large and global organization.
1. Political alignment: There
needs to be complete buy-in
and understanding for the
reason why the project is
being initiated by Business
and by IT. Executive
championship and
sponsorship is a must. Being a
global project, sponsorship
and ownership at an
international level also need
to be thought about upfront so
as to avoid political power
struggles later on in the
project.
2. Project Ownership: It is useful
to create two separate groups
for managing enterprise
BCDR. One group should be
made responsible for
operational business
continuity – i.e.
communications, personnel,
etc. This will center more
around a response to a natural
Page 9 of 14
disaster situation. For example,
if a tornado was to strike the
headquarters of a company –
what needs to be done to ensure
minimum impact to the
business. The second group
should solely focus on
Information Technology
infrastructure and business
systems. The reason for this
segregation is because while
Operational BCDR is more likely
to be caused by natural
disasters and are less frequent,
IT outages are more frequent
and are more likely to be caused
by human error and therefore
need a separate governance
structure. The two groups also
need to align well with each
other so as to minimize
redundant work and to
maximize the synergistic
potential by conducting
common activities (such as
business impact analysis,
recovery time objective
classifications, identification of
business critical
processes/departments) only
once. The two groups can also
leverage the use of software
systems off each other to
minimize licensing costs.
However, for this to work
successfully, there needs to be
clear demarcation of roles and
responsibilities, as well as
ownership of “scope of work” at
the very beginning of the
project.
3. Project Organization: a steering
committee should be formed
 that has representatives from
both BCDR groups, from
international business and IT
groups and from business and
IT groups in the home office.
Membership to the steering
committee can be limited to a
few core members to drive the
project forward and then
temporary membership can
be extended to non-core
members as and when it is
required by the project
(depending on the phase it is
in).
In addition to a steering
committee, the actual project
needs to be run by the
corporate Project
Management Office with
dedication of specific
resources to the project to
enable accurate tracking and
to ensure that the project
meets its timelines.
4. Frameworks: To ensure
quality in the implementation
phase, there are industry-
standard frameworks (such as
COBIT and BS25999) that are
specifically designed for BCDR
planning. These should be
utilized at every step – right
from the corporate BIA to the
actual exercise and testing of
the BCDR plan to ensure only
the best quality work is being
done. Engagement of outside
consultants is also a good idea
to leverage their expertise in
their niche area. However, the
primary project responsibility
Page 10 of 14
should stay within the company
– that too with joint ownership
between IT and business – both
at the headquarter-level and at
an international level.
5. Project Implementation: The
project implementation stage
would be very similar to
information available currently
about BCDR.
a. That is, start with an
inventory of all
processes and business
systems within a
company, identify
dependencies between
processes and systems,
rate these processes and
systems based upon
business criticality and
recovery time objectives,
identify current support
for business continuity
and finally collate this
information into a formal
BIA.
b. Next, would be actual
implementation by
breaking down BCDR
planning into groups of
most, somewhat and
least critical applications
and then running them
as sub-projects.
c. Each of these projects
can then be tracked until
implementation with
reporting structures
built into them.
6. Socialization: Being a project
that spans the entire
organization and even
international boundaries, it is
important that the concept of
BCDR is well socialized within
the organization. In most
cases the project team will
discover what needs to be as
they go along. This makes it
crucial to have buy-in from
EVERYONE in an organization.
This kind of buy-in cannot be
achieved by a top-down
approach alone. Though that
is critical, an awareness and
socialization campaign is also
a must. This will ensure that
every employee in the
company understands why
corporate business continuity
planning and management is a
priority for the company.
Salient features of the project
which have direct benefits for
the company’s employees
should be highlighted so that
the project is accepted faster
and so that employees are
willing to extend any help that
is in their power. For example,
by explaining that a poor
BCDR rating for a company
can mean a lower stock price,
employees would be
motivated to help in any way
they can since typically a
majority of employees in large
organizations have
investments in company stock.
Therefore, a well thought out
marketing campaign along
with the support from top
management can help remove
obstacles in the path of a
BCDR planning team and
Page 11 of 14
make the process flow much
smoother.
7. Exercise and Testing: Detailed
exercise and test plans need to
be created as part of each of the
sub-projects which seamlessly
integrate with other such sub-
project plans. These plans
should also extend to
international systems (hosted
on international soil, or hosted
domestically by serving
international markets). This is
to ensure that when BCDR
exercises are conducted all
scenarios as considered and
effective testing can be
conducted.
Testing is a crucially important part of
BCDR for any organization. Unless
plans are tested and results measured,
a BCDR plan is useless. Since it is very
difficult (and disruptive) to test each
and every possible outage scenario in
large organizations, it is extremely
useful to have testing in mini-steps.
The entire IT infrastructure can be
divided (by application support teams,
hardware support teams, IT
infrastructure teams) and then specific
test plans which are scheduled to run
at a certain frequency should be
executed to ensure that the mini-plans,
which roll-up to the corporate business
continuity plan, indeed work. Testing
exercises can also be easily
administered by ensuring
inexperienced system administrators
to conduct change management on the
production environment using disaster
recovery documentation. This will
ensure that the document is up to date
and is correct. This can be enforced
by way injecting certain steps into
the change management process at
an organization.
Since it may be difficult to initiate a
BCDR project in a global company, a
project methodology for enabling this
interaction may be defined as
follows:
1. Establish Framework
a. Establish Project Scope
and Objectives
b. Create collaborative
work spaces
c. Setup an evaluation
framework to roughly
assess current global
BCDR preparedness
level
2. Human Resources
a. Identify key
international
stakeholders by mass
emailing any corporate
IT infrastructure
distribution list
b. These resources will
then be included on the
“implementation” team
for ensuring
cooperation from
international markets
c. Maintain all
information related to
these personnel on a
common shared
workspace. The
workspace should also
serve the purpose of
increasing interaction
amongst these
individuals.
Page 12 of 14
3. Informational Resources
a. Hold conference calls
with individuals in
international locations
and build relationships
b. Obtain all relevant
information – current
state of affairs, existing
BCDR plans if available,
information about
relationships with
external vendors, key
findings, other relevant
documentation
c. Share these resources
within the company and
with other BCDR teams
across the company’s
global workforce
d. Analyze documented
information and prepare
evaluation report based
on framework created to
increase awareness
within the company and
also to identify the
current starting point for
the BCDR project on a
global scale
4. Sustenance of relationship
a. Establish a good working
relationship with
international teams to
ensure on-going support
from them despite
physical distances and
cultural differences
b. Hold monthly conference
calls to report updates
on the project and also
discuss project
roadblocks and
breakthroughs
 c. Create best practices
across the world
d. Help leverage maturity
of a certain market by
enabling knowledge
transfer to countries
that may not be as
mature

An evaluation framework to assess

international markets on their BCDR
preparedness can be created which
consider the following parameters:

1) Awareness of BCDR
Information
2) Availability of BCDR Plans for
review
3) Conductance of a formal
Business Impact Analysis
4) Existence of dedicated
personnel/department for
BCDR
5) Deployment of software for
BCDR plan distribution and
maintenance
6) Deployment of critical system
components in highly
available mode
7) Existence of a disaster
recovery site
8) IT BCDR plans are exercised
9) All critical application data is
backed up
10)External/internal auditing and
assessment is performed

Page 13 of 14
References
i
http://staff.uow.edu.au/audit/termsandconcepts/i
ndex.html
“Key Terms” by University of Wollongong,
Internal Audit
Contains definitions and key terms related to
Business Continuity Planning and Management
ii
http://www.computerworld.com/managementto
pics/management/story/0,10801,91998,00.html
“Business Continuity Planning Is a Challenge
for CIOs” by Vandana Mangal
This article quotes stats and describes the need
for enterprises to adapt BCDR measures and
also explains why they don’t.
iii
http://www.financialweek.com/apps/pbcs.dll/art
icle?AID=/20071022/REG/71019027/1005/TO
C evidence of companies moving towards robust
“S&P wants to bring enterprise risk into its
ratings” by Marine Cole
The article describes S&P’s move towards
integration of Enterprise Risk Management
assessment of companies in their ratings and
what this could mean for companies.
iv
http://blogs.wsj.com/biztech/2008/08/13/celebra
ting-the-anniversary-of-the-big-blackout/
“Celebrating the Anniversary of the Big
Blackout”
The blog entry describes the dismal
preparedness rate of businesses in case of an
emergency power failure. It also describes the
effects on businesses of such outages.
v
http://www.businessweek.com/smallbiz/tips/arc
hives/2008/12/steps_to_effect.html?campaign_i
d=rss_blog_todaystip
“Steps to Effective Business Continuity
Planning”
This article describes in a nutshell why it makes
business sense to engage in business continuity
planning effort and what the steps entailed in
doing so are. It is aimed at raising awareness of
a top management executive, who can be
Page 14 of 14
considered a layman in terms of understanding the
specific of BCDR management.
vi
http://www.informationweek.com/news/security/s
howArticle.jhtml?articleID=201311255
“Business Continuity: To Err Is Human, To Plan
Is Divine” by Larry Greenemeier
This article describes the “realities” of BCDR in
companies – that most “disasters” are not caused
by flooding, fires or earthquakes but by human
errors. It also describes that companies that have
adequate planning efforts in place will be able to
respond to these human errors.
vii
http://www.informationweek.com/news/managem
ent/showArticle.jhtml?articleID=6507804
“Playing for keeps” by Eric Chabrow and Martin
J. Garvey
Describes how companies reacted after 9/11 and
that cites several facts and figures related to
continuity and DR efforts. There is also some
global business continuity planning.
viii
http://www.cio.com/article/40287/ABC_An_Intro
duction_to_Business_Continuity_and_Disaster_R
ecovery_Planning
“ABC: An Introduction to Business Continuity
and Disaster Recovery Planning”
This is a primer document by CIO that describes
the process of business continuity management in
depth and also discusses some examples of BCDR
management by global adopters.
ix
http://www.strohlsystems.com/Consulting/_files/
ConsultingECM.pdf
“Enterprise Continuity Planning” by Strohl
Systems
This whitepaper describes Strohl’s LDRPS
product and how it be beneficial for large
organizations in establishing business continuity
planning effectively.
x
http://comp-soln.com/BCP_whitepaper.pdf
“Business Continuity Planning Description and
Framework” by Comprehensive Solutions
This white paper contains detailed steps on
enabling a BCDR planning project within a
company.