
MANAGING BUSINESS CONTINUITY

Twenty-First Century Challenges for Competitiveness

ASSURANCE AND ADVISORY SERVICES

“Information technology pervades all aspects of our daily lives, of our national lives. Its presence is felt almost every moment of every day, by every American. It pervades everything from a shipment of goods, to communications, to emergency services, and the delivery of water and electricity to our homes. All of these aspects of our life depend on a complex network of critical infrastructure information systems. Protecting this infrastructure is critically important. Disrupt it, destroy it, or shut down these information networks, and you shut down America as we know it and as we live it and as we experience it every day. We need to prevent disruptions; and when they occur, we need to make sure they are infrequent, short, and manageable.”1

Thomas Ridge, Director of Homeland Security, Oct. 9, 2001

1 The White House, Office of the Press Secretary. “New Counter-Terrorism and CyberSpace Security Positions Announced,” Personnel Announcement by National Security Adviser Condoleezza Rice and Director of Homeland Security Thomas Ridge, Oct. 9, 2001.

CONTENTS

Introduction
The Current Environment
Mapping Organizational Risks and Requirements
An Approach to Managing Business Continuity
Implications and Opportunities
Conclusion
Appendix: Interviews With Leaders
    Margaret E. McKeough and Valerie Holt, Metropolitan Washington Airports Authority
    John Ball, Standard Chartered Bank

The following white paper was developed as part of a series by KPMG’s Assurance and Advisory Services Center.

INTRODUCTION

Faced with rising exposure to new risks and declining tolerance for disruptions to operations, leading organizations are evaluating their capabilities to respond to crises and mitigate future risk. These leaders embrace the moral imperative to protect their people, and they understand that the ability to continuously perform and satisfy customers is fundamental to sustaining competitive advantage in the twenty-first century.

The case for implementing a strategy to manage the risk of disasters has always been compelling. If disaster strikes, and an organization cannot recover in a timely way, the consequences could include loss of revenue, defection of customers, deterioration of brand equity, and permanent loss of shareholder value. Indeed, 40 percent of businesses that suffer a disaster go out of business within two years.2

Today, as the economics of information, globalization, and technology continue to change the nature of business worldwide,3 traditional approaches to business continuity no longer address a widening array of threats. Traditionally, organizations planned for natural or man-made disasters disrupting production, distribution, and data processing capabilities at a single facility. These threats are becoming more frequent, and their impact is growing.

Simultaneously, threats to information assets are quickly becoming significant for enterprises of almost any size. Computer viruses, information security issues, software quality, inadequate data storage, complex technology architectures, and ineffective information asset management practices can open the doors to a catastrophe with the same business impact (if not a more severe one) as that posed by a physical threat.

Moreover, traditional approaches are reaching the end of their useful life as stand-alone solutions. Organizations increasingly operate in multiple locations and depend on information systems. Business processes are carried out in real time, so that a disruption has consequences along an entire value chain. The effects of downtime (see Figure 1) are measured in hours or even minutes, instead of days. In this environment, preparing for disasters must become part of a larger effort to mitigate risk. Instead of responding to particular events, organizations need to focus on maintaining operations in spite of any event.

2 Vic Wheatman. “Aftermath: Disaster Recovery,” GartnerGroup, September 21, 2001.
3 The e-Business value chain: Winning strategies in seven global industries. Economist Intelligence Unit research report written in cooperation with KPMG, vii. 2000.

Thus, the key question for leaders is no longer, “How do I respond in the event of a crisis?” Rather, organizations increasingly need to ask, “How do I manage risk so that I’m always there for my customers and my other stakeholders?” The answer—and the challenge—is to implement a strategy that takes into account the totality of risk, ensures the welfare of people, and balances the costs of risk management with the opportunity cost of not taking appropriate action. According to the experiences of leaders in a variety of industries, answering the challenge will result in a successful defense against disasters as well as other benefits with strategic payoffs.

This white paper examines the variety of issues that organizations face today. It introduces a framework for managing the risk of disasters in the context of managing the continuity of the enterprise from an information asset perspective. It also discusses a process for implementing a chosen business continuity strategy, integrating it with organizational strategy, and capitalizing on opportunities to achieve and sustain competitive advantage. Finally, the Appendix provides interviews with industry leaders whose thoughts reflect issues many organizations are now addressing.

Figure 1: A Growing, Potentially Costly Capabilities Gap

The gap between the cost of downtime and ability to deliver is widening.

Downtime in excess of two hours is unacceptable for 24% of organizations, and an additional 48% of organizations cannot tolerate more than 24 hours of downtime.4

More than 60% of organizations do not have corporate-wide disaster recovery plans in effect. For their most recent interruption, almost 70% failed to completely meet their disaster recovery objectives.5

[Chart labels: Increasing cost of unplanned downtime; Ability to deliver through traditional mechanisms]

Source: KPMG, 2001.

As downtime is increasingly measured in hours and minutes, not days, organizations’ tolerance for it is decreasing. A capabilities gap has developed, and is widening, between the cost of downtime and the effectiveness of traditional response mechanisms.

4 KPMG LLP and “Contingency Planning and Management” Survey. “A Review of Factors Influencing Business Continuity in the Next Millennium,” 2000.
5 Ibid.

THE CURRENT ENVIRONMENT

Efforts to manage unforeseen circumstances that render assets useless and disrupt operations have been a management priority at leading organizations for decades. For example, in the 1960s when American Airlines developed SABRE, the widely used airline reservations system, engineers took great care to ensure the system’s reliability. They also kept a standby computer in the event that an outage affected the primary computer running the system. SABRE succeeded while competing services failed in large part because of American Airlines’ innovation, but the reliability of the system also played a role.6

Prudent organizations maintain and test plans for responding to likely catastrophic events. However, the effects of numerous global trends, and the risks that arise from them, are prompting leaders to question the adequacy of their current capabilities. At the same time, emerging technologies are enabling new risk management strategies that were cost prohibitive just a few years ago. Appreciating these forces will lead to a wider view of risks and ultimately a broader approach to managing business continuity.

The Emergence and Growth of Information Assets and Related Risks

Organizations are rapidly evolving from manually operated stand-alone entities to information-dependent extended enterprises. For these new entities, information facilitates competitive positioning, value chains depend on the timeliness of service, and supply chains are technology-dependent (see the sidebar on the next page). Trends contributing to this evolution include initiatives common in most industries—enterprise resource planning, customer relationship management, supply chain management, mergers and acquisitions, outsourcing, alliances, and e-commerce. Internet-based service suppliers and the globalization of business models are also key factors.

An important consequence of these changes is that the flow of information is no longer connected with the distribution of physical objects. As a result of immense capacity to share information electronically—across the Internet, wide-area corporate networks, wireless networks, and other media—the linkage between information-based or virtual processes and physically based processes is dissolving and becoming more complex. Consequently, value chains are dividing into two interdependent streams—one consisting of processes in the physical world and the other made up of information flows in the virtual realm.

6 Martin Campbell-Kelly and William Aspray. “Computer: A History of the Information Machine,” New York: Basic Books, 1996, pp. 169–176.

The Emergence of Information-Driven Extended Enterprises

[Figure: Traditional Business Model compared with Virtual Extended Enterprise. Traditional Business Model: product origination and packaging (loans, insurance, investments, checking and savings accounts); transaction processing and account origination (mainframes); retail sales and distribution (ATMs, 800 numbers, tellers); bank customer. Virtual Extended Enterprise: Suppliers (Mutual Fund Manager, Auto Lender, Other Banks, Primary Bank); Navigators (Morningstar, CarPoint, Motley Fool, Lipper, Yahoo!, e•Trade, Financial Advisor); further labels (SchwabOne, Bank, Browser Software, Quicken, Phone, AOL, Call); Customer.]

Source: Adapted from Philip B. Evans and Thomas S. Wurster, “Strategy and the New Economics of Information,” Harvard Business Review, September-October 1997.

Virtual extended enterprises are an emerging feature of e-business and collaborative commerce, as this
financial services industry example illustrates. Whereas customers traditionally dealt with their banks
through human-operated channels or ATM networks, they can now gain access through online as well as
offline channels, and several players have a hand in delivering services.7

Extended enterprises present special challenges to how leaders will manage business continuity. Traditionally, an organization would write disaster recovery plans for critical processes and applications. As infrastructure becomes more complex, however, organizations need to consolidate and streamline their contingency planning practices. Moreover, they need to focus on mitigating risk—assuring customers, partners, and other stakeholders of the availability of information assets.

Many agree that information assets, and the complex extended enterprises they enable, are changing the
nature of competition. Leaders increasingly appreciate that these assets are also exposing organizations to
a new set of risks in the virtual world.

7 Philip B. Evans and Thomas S. Wurster, “Strategy and the New Economics of Information,” Harvard Business Review, September-October 1997, p. 78.

Leaders responsible for evaluating and developing future business continuity strategies will need to focus on this division and its potential implications. Ensuring the usefulness of both physical assets and information assets—as well as protecting the people that are central to both—will be critical to creating and sustaining competitive advantage and business continuity. Figure 2 shows how organizations can map themselves based on the value and complexity of their information assets, their organizational complexity, and their linkages with business partners.

Figure 2: The Information-Dependent Evolution of Enterprises

[Figure: stages of enterprise evolution plotted against Value and Complexity of Information Assets (vertical axis) and Organizational Complexity and Degree of Collaboration (horizontal axis, Low to High). Stages, in ascending order: Manual Operations, Functional Automation, Integrated Enterprise, e-Business Integration, Virtual Extended Enterprise. Annotation: Globalization and technology are enabling greater collaboration through extended enterprises, real-time processes, and growing value of information assets.]

Source: KPMG, 2001.

Information assets are driving organizations toward networked business models. Such models let organizations create and sustain increased value, but the risk of unplanned downtime becomes more significant.

The Paradigm Shift

The links between physical and virtual assets will have ramifications for how leaders assess the true cost of unplanned downtime, evaluate their exposure to risk, and set an agenda for management action. Unplanned downtime is estimated to have cost businesses worldwide some $1.6 trillion in lost revenues alone in the year 2000.8 That number will certainly climb as downtime is increasingly assessed in terms of how it affects both physical and virtual links in the organizational value chain.

Emerging approaches to business continuity have to take into account the extent to which organizational value is now embodied in information (and information-based, real-time processes) as well as physical assets. Real-time capabilities make processes more efficient and predictable, increasing an organization’s capacity to take on new value-adding activities and improve customer satisfaction. As business processes move closer to real-time, the cost of downtime goes up—in part because its direct financial consequences become greater. But the more significant issue is the impact of downtime on customer satisfaction, efficiency, reputation, and shareholder value, and the domino effect that problems in these areas can have on profitability and market share.

Assessing the cost of downtime in a broadened context often leads to a new appreciation of the risk of disaster—and whether an organization should measure its exposure in terms of its tolerance for downtime or its need for availability.

8 “It’s Time to Clamp Down,” Informationweek.com, July 10, 2000.

Traditional approaches to managing business continuity emphasize recovering from a disaster before a predefined amount of time elapses. The availability-based perspective (see Figure 3) focuses instead on ensuring that the organization will always be able to produce an output or reach some desired conclusion when it needs to do so. Determining what degree of availability is most appropriate within its business model is an important step for an organization, as discussed in the next section.

Figure 3: The Evolution of Business Continuity Management Practices Toward an Availability-Based Perspective

| | TRADITIONAL | EMERGING |
|---|---|---|
| FOCUS | Minimizing the financial impact of disasters | Ensuring financial continuity, customer satisfaction, and productivity despite a catastrophe |
| APPROACH | Recovery from single episodes of prolonged downtime | Business-driven continuous availability through management of information and operational risk |
| RISKS | Low-frequency, high-impact disasters | Traditional threats to physical assets and emerging threats to information infrastructure |
| BENEFITS | Recovery of degraded service levels 12 to 72 hours after a disaster event | Up to 99.999% availability of critical infrastructure as well as performance improvement |
| ENABLERS | Documented plans relying on after-the-fact recovery | Emerging technologies and operational excellence |

MAPPING ORGANIZATIONAL RISKS AND REQUIREMENTS

In managing business continuity, leaders evaluating their own organizations need to ask, “How much protection is enough?” Such an evaluation will require examining the organization’s current exposure to the risk of downtime as well as the effectiveness of its strategy for managing that risk.

A useful way to assess the current state, as well as estimate future needs, is to benchmark or map current risk exposure (see Figure 4). An organization can gauge the usefulness of its current practices by mapping exposure, on the one hand, and the commitment required to manage risk and value achieved, on the other hand. Such an effort can also help leaders evaluate alternative scenarios as they weigh future courses of action. Quantifying risk, however, is not the ultimate goal. Rather, this effort is intended to help managers understand the value propositions that alternative strategies will support, the commitment needed, and the opportunity costs of inaction (see the sidebar on the next page).

Mapping can reveal opportunities and risks.

Figure 4: Value Layers in a Business Continuity Framework

[Figure: value layers plotted against RISK EXPOSURE (vertical axis) and COMMITMENT and VALUE (horizontal axis, running from REACT through CONTROL to TRANSFORM). Layer groupings: STRATEGIC USE, ALWAYS THERE, TIMELY RECOVERY. Layer statements, from top to bottom:
● How I manage information supports value chain excellence among all stakeholders.
● The performance of my information assets exceeds my stakeholders' expectations.
● I'm always there for my customers.
● I can resume my automated processes in the event of a disaster.
● I can recover my physical assets and data in the event of a disaster.]

Source: KPMG, 2001.

Identifying and Understanding Organizational Risks and Requirements

Stages, spanning REACT, CONTROL, and TRANSFORM: Manual Enterprise, Functional Automation, Integrated Enterprise, e-Business Integration, Virtual Extended Enterprise.

Manual Enterprise
VALUE PROPOSITION: I can recover my physical assets and data in the event of a disaster.
ORGANIZATIONAL CHARACTERISTICS: Manual operations characterized by limited use of information technology.
TYPICAL OUTCOMES: Stand-alone plans for limited recovery of critical assets.
KEY QUESTIONS:
● Is downtime in excess of 72 hours tolerable?
● Are business processes highly manual?
● Are facilities located in a disaster-prone area?

Functional Automation
VALUE PROPOSITION: I can resume my automated processes and protect my people in the event of a catastrophe.
ORGANIZATIONAL CHARACTERISTICS: Automation of business processes and increasingly distributed information technology.
TYPICAL OUTCOMES: Contingency plans for restoring computer systems and resuming operations.
KEY QUESTIONS:
● Is downtime in excess of 24 hours tolerable?
● Do manual alternatives to automated processes exist?
● Will resolution of a crisis depend on a formal plan?

Integrated Enterprise
VALUE PROPOSITION: I’m always there for my customers in maintaining information availability.
ORGANIZATIONAL CHARACTERISTICS: Integration of automated processes into complex information systems and reliance on information for timely performance and customer satisfaction.
TYPICAL OUTCOMES: Infrastructure for maintaining availability of information assets, monitoring risk in real-time, and managing routine, non-routine, and catastrophic events.
KEY QUESTIONS:
● Is downtime of minutes or hours intolerable?
● Is technology highly distributed and complex?
● Does customer service depend on proactive resolution of unexpected events?

e-Business Integration
VALUE PROPOSITION: The performance of my information assets exceeds my stakeholders’ expectations.
ORGANIZATIONAL CHARACTERISTICS: Integration of business practices with the Internet and online collaborators.
TYPICAL OUTCOMES: Integration of infrastructure for maintaining availability with systems for managing operational risk to enhance operational excellence and improve flexibility.
KEY QUESTIONS:
● Will the performance of information assets determine success or failure?
● Is the organization leveraging the Internet?
● Do services depend on the performance of outsourcers?

Virtual Extended Enterprise
VALUE PROPOSITION: How I manage information supports value chain excellence among all stakeholders.
ORGANIZATIONAL CHARACTERISTICS: Integration of information assets with a network of organizations focusing on core competencies and collaborating through extended enterprises.
TYPICAL OUTCOMES: Integration of standards for managing business continuity across collaborating enterprises with business intelligence systems used to capitalize on information.
KEY QUESTIONS:
● Are strategies based on real-time, information-driven business models?
● Will the integrity and availability of information determine success or failure?
● Does the organization depend on information to respond to changing market needs?

When assessing business continuity risk exposure, both present and future, organizations’ strategies will typically address one of three scenarios:
● React: Is it sufficient to react to a disaster?
● Control: Is mitigating risk and controlling the availability of operations necessary?
● Transform: Should business continuity capabilities be provided across an extended enterprise to assure the reliability of collaborative commerce?

Scenario 1: Reaction Stage
Reacting to disasters is an adequate risk posture if an organization can live without business processes, applications, and other capabilities for 24 hours or longer. Contingency plans that focus on reacting to a disaster are less expensive to develop than proactive business continuity measures. Such plans, however, are inherently focused on single catastrophic events rather than the cumulative impact of downtime.

Scenario 2: Control Stage
Controlling availability is advantageous or necessary for organizations that cannot tolerate: 1) downtime in excess of a few minutes or hours or 2) failure to deliver adequate service levels across the value chain. While the commitment required is higher in many cases, the indirect benefits can include better vendor management, productivity improvements, better responsiveness to stakeholders, and lower total cost of ownership for technology infrastructure.

Scenario 3: Transformation Stage
Trust between entities will become more important in managing business continuity as trends driving economic change take root and become a part of everyday life. As the sidebar on page 5 describes, one organization’s actions will increasingly affect another’s success. To cope, organizations that depend on collaboration with third parties should extend business continuity capabilities to these components of their value chains. In addition to better stability of a value chain, the benefits may also encompass improved customer service, marketplace responsiveness, and mutual trust.

Putting Strategy in Context
These strategies—reacting to crises, controlling the availability of operations, and providing availability across the extended enterprise—are not mutually exclusive. One approach builds on the next in an evolutionary manner, and leading organizations’ strategies will blend elements of all three. A large data center, for example, might have contingency plans to restore computer hardware, redundant telecommunications services to prevent a network outage, and service-level agreements to ensure the productivity of outsourcers. Differences among organizations will be revealed by the tactical decisions that lead to action plans and processes for managing risk.

The next section describes an approach to managing the risk of disasters that applies to all three of these scenarios and can also help organizations continuously improve their practices in keeping with changing risks.

AN APPROACH TO MANAGING BUSINESS CONTINUITY

Once an organization understands its current state and determines how it should evolve, it can develop a practicable strategy for managing business continuity in the future. An effective approach may be depicted in an ongoing “life cycle” encompassing four phases aligned with the organization’s business strategy (as illustrated in Figure 5 and described below). A life cycle approach enables risk management, and it can also facilitate an organization’s evolution from reacting to a disaster, to controlling availability by mitigating risk, to ensuring the reliability of the extended enterprise.

Figure 5: An Approach to Managing Business Continuity

[Figure: a Business Continuity Management cycle surrounding Organizational Strategy, with four phases: Assess Risks, Develop Strategy, Implement Change, Measure Risk and Performance.]

Source: KPMG, 2001.

1. Assess Risks
Achieving effective business continuity starts with assessing organizational risks and requirements for managing them in the future. An organization needs to understand how it relies on its people, processes, and technology as well as its relationships with customers, suppliers, and other contributors to its value chain. This knowledge will help the organization understand its tolerance for downtime so that it can define the requirements that a business continuity strategy, once developed and implemented, should satisfy.

A structured assessment can help model the disruptive impact of downtime and reveal the organization’s vulnerabilities. Such an assessment should provide detailed information about the configuration of information assets and effectiveness of operations. It should also facilitate development, implementation, and continued use of risk measures, controls, and contingency plans.

Phase 1 Critical Outcomes: Requirements for managing…
REACT: …crises and priorities for restoring critical operations
CONTROL: …operational risk and priorities for improving availability in critical areas
TRANSFORM: …risks associated with collaborative arrangements and the availability of shared infrastructure

2. Develop Strategy
After an organization defines a set of requirements for improving business continuity capabilities, the next step is to define a strategy that will integrate business continuity as a risk management program into the fabric of the organization. The strategy will focus on the complementary elements of monitoring, mitigating, and responding to risk; and these issues will encompass people, processes, technology, and, increasingly, the interdependence of organizations.

If the organization’s focus is on reacting to disasters, its strategy will primarily address the structure and enablers of contingency plans. Organizations focused on continuous availability will look at the resiliency of technology infrastructure, the performance needs of stakeholders, and the reliability of processes. When an organization is focused on transformation, this scenario will also encompass steps for maintaining trust between collaborating parties and the integrity of their mutual infrastructure.

In some cases, organizations can use the strategy to drive other organizational improvements. Such benefits can include improving the reliability of outsourcers and other vendors, phasing out dependence on commercial hot sites, and consolidating and automating technology management practices. Organizations may also be able to improve the payoffs from alliances and lower the cost of compliance with industry regulations.

Phase 2 Critical Outcomes: Strategy for…
REACT: …responding to crises and restoring critical operations at an alternative location
CONTROL: …maintaining continuous availability and resolving non-routine events
TRANSFORM: …continuous availability across the extended enterprise and for optimizing the value of information flowing across the value chain

3. Implement Change
The organization makes the Phase 2 strategy effort an ongoing reality by investing in a structured program to apply risk management standards, tackle cultural issues, and improve technology and processes.

Tackling cultural issues is critical to implementing change.

If its focus is on recovering from a catastrophe, the organization will establish arrangements for storing data at an offsite location, secure an alternate location where restoration of computer systems and operations will take place, document contingency plans, and establish an employee awareness and training program.

When the focus is continuous availability, leaders will seek to improve critical infrastructure, consolidate and automate infrastructure management processes, and implement real-time monitoring capabilities. Continuous availability, especially in an extended enterprise, will also depend on establishing an event management shared service that is responsible for providing strategic leadership and coordinating interdependent risk management activities.

Phase 3 Critical Outcomes
REACT: Develop and test contingency plans
CONTROL: Ongoing delivery of continuously available internal infrastructure
TRANSFORM: Continuous availability of infrastructure shared across the extended enterprise; strategic use of information assets

Putting Plans to the Test
Organizations that develop emergency response, crisis management, and disaster recovery plans need a mechanism to determine if they are effective. In the absence of an actual disaster, testing is the best tool. Testing helps leaders answer such questions as:
1. Are assumptions about threats and vulnerabilities correct?
2. Is the risk management strategy adequate and comprehensive?
3. Will crisis management processes handle all relevant contingencies?
4. Is the business continuity strategy effectively integrated with the people, processes, and technology it supports?
5. Is the organization maintaining the integrity of its information?
6. Is the organization aligned to maintain its desired risk posture?

Since more than 40 percent of organizations do not test their disaster recovery plans, and fewer than 30 percent use performance reviews,9 testing practices literally will separate the winners from the losers in the race to manage risk and protect the enterprise.

4. Measure Risk and Performance
As tolerance for downtime diminishes, organizations must be able to measure risks and performance as well as monitor both in real time. These efforts should be part of an ongoing continuous improvement effort—one in which the organization maintains an adequate risk posture and improves the effectiveness of its risk management program.

If the organization is focused primarily on disaster recovery, efforts to measure risk and performance will involve testing and updating contingency plans. These efforts will also encompass the execution of emergency response, disaster recovery, and business resumption plans in the event of a catastrophe.

In the context of continuous availability within an organization or across its extended enterprise, the focus of measurement will address the operational risks that threaten the organization’s ability to accomplish its goals efficiently and effectively. Monitoring in this context will link and integrate incident response, crisis management, disaster recovery, and other processes. Monitoring will also encompass real-time performance measurement from a customer’s perspective.

The technology-driven benefits of measuring performance can be significant. Organizations will likely see improvements in security management and end-user support as well as greater scalability and flexibility of critical infrastructure. They will also enjoy better alignment of business and technology.

Phase 4 Critical Outcomes
REACT: Maintainability and timely execution of contingency plans
CONTROL: Real-time monitoring and ongoing improvement of critical infrastructure availability and customer service levels
TRANSFORM: Continuous measurement and improvement of the extended enterprise and information asset capabilities

9 KPMG LLP and “Contingency Planning and Management” Survey. “A Review of Factors Influencing Business Continuity in the Next Millennium,” 2000.

IMPLICATIONS AND OPPORTUNITIES

Efforts to manage business continuity can enable organizations to respond appropriately to crises as well as improve their ability to mitigate the risks of such events. Such achievements can help organizations build and sustain continuous competitive advantages—including lasting customer service, ongoing productivity, employee welfare, and asset integrity.

Efforts to improve competitiveness are more important than ever as the cost of downtime increases while the value of traditional response mechanisms decreases. Faced with this growing capabilities gap, organizations need to consider whether their current approaches to risk management and business continuity remain appropriate.

As shown in Figure 6, choosing solely to achieve timely recovery from unplanned downtime (react) may be appropriate for certain organizations; for others, seeking to maintain information availability so that they are always there for their customers (control) may be the better alternative, depending on the degree to which information assets drive value in the organization. When organizational strategies rely heavily on information assets and begin to leverage extended-enterprise scenarios, embedding availability throughout critical areas of the value chain (transform) will help ensure the sustainability of competitive advantage.

Figure 6: Fundamental Drivers of Business Continuity Success

Competitiveness. Transform: improve information asset performance and sustain competitive advantage across the extended enterprise
Availability. Control: design, implement, and maintain 24x7 information availability infrastructure
Recoverability. React: achieve timely recovery from unplanned downtime

Source: KPMG, 2001.

Addressing the three fundamentals helps leaders manage risks and improve competitiveness across the value chain.

As entities evolve into extended enterprises they will rely increasingly on information assets. As they transform, they must ensure that their business continuity strategies evolve along with them. To leverage the opportunities inherent in business continuity management, organizations must ensure that such efforts are aligned and integrated with their overall organizational strategies.

Managing business continuity within organizational strategy promotes a variety of benefits, which can include operational excellence, scalable technology platforms, cost-effective technology management, and improved vendor management.

Leveraging Y2K Investments

When the world ushered in a new millennium, it also concluded a $600 billion effort to correct the Y2K computer glitch. As part of these efforts, many organizations developed sophisticated contingency plans to respond to potential Y2K-related crises. An unexpected payoff: “Companies including 7-Eleven, Amgen Inc. and drugstore-chain CVS Corp. activated emergency plans after [the September 11th] terrorist attacks halted air traffic, threatening to cut off supply channels for many goods nationwide. Those plans had been designed to address the effects of potential shutdowns in the year-2000 transition.”10

When assessing and improving business continuity practices, Y2K-related contingency plans are often an excellent repository. For leaders they reflect thoughtful, comprehensive methodologies, as well as capture detailed knowledge of critical infrastructure. Determining where organizational change and new technology assets invalidate knowledge is a challenge, but leveraging Y2K can help leaders achieve efficiency and effectiveness.

Ten Questions for Leaders

As leaders assess their contingency plans and other business continuity efforts, they should consider a number of critical questions, including:

● Is our business continuity strategy event-driven or risk-driven and stakeholder-focused?
● How critical is information availability to our success?
● Are capabilities for managing business continuity aligned with organizational strategy?
● Who are our stakeholders and what is their tolerance for unplanned downtime?
● Does the risk management program address people, processes, and technology as well as the extended enterprise?
● Does the business continuity strategy eliminate single points of failure?
● How do we reinforce key management disciplines to ensure reliable service delivery to all stakeholders?
● Does the risk management program support real-time service monitoring and reporting with predictive capabilities for critical infrastructure?
● How do we optimize the value of information flowing across the value chain?
● Does management have timely, independent assurance that its business continuity capabilities are adequate?

10 Joe Richter. “Companies Say Y2K Steps Got Goods to Market When Flights Halted,” Bloomberg News, September 17, 2001.

CONCLUSION

As risks have evolved and multiplied while tolerance for downtime has declined, leading organizations are taking new steps to implement business continuity programs that protect their people as well as the information and physical assets on which they depend (see Figure 7).

A program for business continuity can influence business strategy by facilitating the competitive advantage that evolves from continuous availability and customer satisfaction. Moreover, it can help organizations shift their focus from crisis response, to proactive crisis management, to improved risk and performance measurement, and, ultimately, to enhanced and sustained customer satisfaction.

Figure 7: Business Continuity Management Scenarios

                    REACT                 CONTROL                             TRANSFORM
VALUE               Recoverability        Availability                        Competitiveness
RISK                Physical Assets       Information Assets                  Competitive Position
IMPACT              Facilities/Processes  Customer Satisfaction/Productivity  Extended Enterprise/Value Chain
FOCUS               Event                 Customer                            All Stakeholders
DOWNTIME TOLERANCE  Days                  Hours/Minutes                       Zero Downtime

APPENDIX: INTERVIEWS WITH LEADERS

Margaret E. McKeough and Valerie Holt, Metropolitan Washington Airports Authority

Margaret E. McKeough is vice president–business administration and Valerie Holt is vice president–audit at the Metropolitan Washington Airports Authority (MWAA), an independent entity established in 1987 to operate the two federally owned airport systems in Washington, D.C.—Ronald Reagan National Airport and Dulles International Airport. They talk here of the wide variety of business continuity issues they have faced, and will face, as their industry evolves in the wake of the events of September 11, 2001.11

Describe the mission and services of the Authority.

Margaret E. McKeough: The Authority is responsible for operating and maintaining Ronald Reagan National Airport and Dulles International Airport. The Authority is a self-sustaining corporation. We must generate revenues to cover expenses and secure financing to construct new facilities and needed infrastructure. Our priority in 1987 was to build a new terminal facility at National, which was completed in 1997. Now growing demand requires significant capital investment at Dulles. A year ago the Authority began a six-year, $3.4 billion expansion program at Dulles that includes a fourth runway, a new air traffic control tower, gate facilities on midfield concourses, two new parking garages, an underground passenger train system, and various infrastructure improvements.

Valerie Holt: An airport requires services similar to a city. To support the aviation operations, the Authority operates bus systems, fire and police departments, retail businesses, and licensing and permits functions. The Authority itself employs 1,200 persons. The total employment base at National is approximately 10,000 people, while Dulles Airport provides employment to over 15,000 people.

How does managing the risk of disasters figure in the day-to-day work of the Authority?

McKeough: The aviation business requires a great focus on safety. Every airport is obligated by federal regulation to have an emergency response recovery plan. Safety issues also extend to our corporate functions. The stability of the Authority impacts regional transportation and the regional economy.

Holt: An unfortunate example is the three-week closure at National Airport after September 11. The temporary closure sent ripples throughout the regional economy, and we are still experiencing its effect.

McKeough: When National Airport was closed for an extended period of time after the September 11 terrorist attacks, countless people advocated the need for the airport to reopen. Those dramatic responses vividly demonstrated how tied the two airports are to the health of the regional economy.

11 Telephone interview with Margaret E. McKeough and Valerie Holt, October 24, 2001.

What impact is technology having on risk management and on the operational side, specifically as a business enabler?

McKeough: Technology is a key factor in efforts to heighten security and baggage screening processes. For example, we had new, highly sensitive CTX baggage screening equipment in limited deployment before September 11. The initial plan was to have one machine at each airport. We now plan to have multiple machines at both airports.

Holt: Regardless of the industry, management is always looking to technology to improve efficiency. For example, the highest source of profit revenue for airports is usually parking operations. Traditionally, airports have used staff to manage the lots and to track the huge sums of revenue associated with parking operations. We are completely changing the technology that supports our revenue controls systems, to improve its efficiency and accuracy, thereby reducing loss. We’re also implementing technology that will read license plates electronically, documenting how long a car has actually been in the lot. This will eliminate the need for manpower to take manual inventory of the vehicles parked in the lots. We’re also planning to eliminate the exit lane personnel by using the automated payment technology employed in transit systems.

What thoughts do you have for airports and other industries that may be less well prepared?

McKeough: I certainly can’t say we’ve got all the answers. We reopened both airports, but we’re not fully back in business yet, and clearly, with every day of not being back, our challenges mount.

Holt: When the revenue flow into your business is impacted, you need to manage costs and, in our case, the hundreds of third-party contracts that support our operations. Security, for example, could represent a tremendous cost. If the federal government adjusts the way that’s handled, it could also adjust how it’s funded. The business challenges are enormous.

McKeough: Every airport relies on its retail and food and beverage concessions to generate a certain amount of revenue. In some cases, those revenues help reduce the rents charged to the airlines. So, higher food and beverage and retail revenues mean lower square footage rates on leased space for the airlines. Until recently, industry standards suggested revenue from these services would be maximized if facilities were located near the airline gates, past security, where people wait to board aircraft. With the change in airport security regulations, however, it may now be better to locate those venues pre-security, where more people have access to them. We don’t know how the economic model will actually be affected. With the market dynamics continuously changing, the business decisions made to generate revenue are going to need to be reevaluated. It’s way too soon for clarity on these issues.

Recent events are certainly affecting how airports and the airline industry plan for catastrophes. What issues are at the forefront for you?

McKeough: Airports and airlines will continue to work closely in planning for and responding to disaster. Clearly, the September 11 incident identified vulnerabilities at airports throughout the country. Aviation security is highly regulated. Improvements to the passenger and bag screening processes will require greater attention, too.

Catastrophe planning is ingrained in airport systems. If there is an aircraft incident on the airfield, a response plan clicks into activation. When we evacuated National on September 11, we had to look at the ripple effects. What do you do with the checked luggage that is left behind? What do you do about the cash registers that were left in open stores? Our focus has always been on the “air side” of airport operations, but we recognize the need to reconsider the land side implications of disaster planning and the impacts on corporate functions.

I’ve joked with Valerie that the development of a formal business continuity plan used to be at the bottom of a large stack of priority projects. Well, after September 11, the needs flow out of your head a lot quicker because you’re experiencing them right now. You don’t have to predict the response plan; you’re living the response plan.

John Ball, Standard Chartered Bank

Based in Singapore, John Ball is head of markets operations in the global markets division of Standard Chartered Bank. With facilities in 57 countries, U.K.-based Standard Chartered provides risk management services to local and multinational companies, including investment and financial institutions and central banks. It has 150 years’ experience in emerging markets—especially in the currencies of Asia, the Middle East, and Africa. Ball talks here about how new technology is enabling improvements in disaster recovery and business continuity.12

How does your organization approach the issue of business continuity?

Simplistically, we view disaster recovery (DR) as loss of software and systems and business continuity (BC) as loss of premises. Each of our locations has to have its own standalone DR and BC plans that they test on a regular basis. For locations in our core markets, where we operate mainframe applications, we outsource the maintenance to a third-party service provider that guarantees DR. Each location is also required to have identified an alternative BC plan (BCP) site. In London, for example, that site is in a separate building altogether.

Within markets operations we are centralizing the transaction processing for 10 sites, including U.K., U.S., and our Asian core markets, into two processing centers. In addition, we are replacing the mainframe applications with scalable solutions that we are moving into a single global data center in the United Kingdom. The 10 sites and two processing centers access the applications in the data center remotely. There are considerable risks associated with such a facility. Consequently, for DR purposes we operate a second data center in a separate building that is a real-time image of the first and connected via a fiber-optic cable.

Each data center has been designed to operate the complete set of markets’ applications at full operating capacity. In practice, the applications are split between the two data centers with data mirrored to the non-active site for fail-over operations. Therefore, if the primary center goes down, the failure will not be apparent to the users because its mirror image will already be operating.

What are the business drivers of your approach?

We decided in 1999 that we needed to reduce our unit operating cost. We operate in some fairly expensive places—Hong Kong, London, Singapore—and we wanted to create economies of scale. Our mainframes weren’t scalable, and they had no Internet technology, which is going to be a number-one requisite going forward.

To minimize cost, we realized that we needed to move off the mainframe, use common applications in all locations, create economies of scale for processing, and apply standardized procedures and controls. That meant consolidating all our software into a single location, thereby reducing not only mainframe charges but also support costs and future upgrade costs. We also addressed the issue of DR through the creation of the split data center concept. Obviously, there is a risk with operating the data centers in the same city, if both buildings go, but that is a business risk we are comfortable with.

12 Telephone interview with John Ball, November 7, 2001.

How do these business issues affect your business continuity program?

We operate from the time the markets open in Japan until they close in New York. In creating our BCP, we knew we would need processing capabilities that could enable us to support locations in all time zones. We decided on a two-center strategy. We built our first processing center in Singapore in November 2000, and it is now handling transactions for Singapore, Hong Kong, and Japan. In May 2002, our second processing center will be live in India, where we will process transactions generated from Mumbai through to New York close. The implementation of two processing centers gives us built in business continuity. However, until both centers are live, Singapore operates a standalone BCP.

In the longer term, we intend to roll out this model in Africa as well as in the Middle East/South Asia (MESA) region. The Africa project is well advanced in creating two processing centers to support the region. We hope to start the MESA project next year, the objective of which will be to consolidate applications into a single data center and a single processing center to support the region. The ultimate goal will then be to consolidate all the regional processing centers so that there are just two supporting the whole of global markets.

What are the most worrisome threats to the continuity of your enterprise?

The answer depends on the country. In the United Kingdom, our biggest threat has been due to terrorism. In Indonesia, where we are a foreign bank in a country that’s had considerable political and economic troubles in recent years, our problems arise due to rioting and changing attitudes.

In Singapore and Hong Kong, on the other hand, our main threats are fire or natural disasters. We would have said the same of New York prior to September 11. We housed our payments systems and cash management operations in 7 World Trade Center, where we were tenants.

When we evacuated 7 World Trade Center, some of the IS and IT support teams were able to get to New Jersey and initiate the critical back-up applications there. Like everyone else, we had problems getting the right people to the right location, but fortunately, our U.S.-dollar (USD) clearing was not significantly affected due to the ability of staff to invoke the DR at our BCP site. The fact that we made 98 percent of our payments on September 11 is testament to the quality and commitment of the people and the fact that it is critical to have a viable DR and BC plan.

How will organizations change their business continuity practices in the future?

I think we will all be better prepared. Like everyone else, we have become much more aware of the importance of BCP. People used to pay a lot of lip service to BCP and consider it a necessary evil. It is time consuming and can be expensive. But our experience on September 11 showed us just how beneficial having properly prepared BC and DR plans can be. I know some institutions struggled after September 11—institutions I would have expected to have been better prepared. I think to a large extent complacency had set in. As a U.K. bank, we have seen the impact on business of terrorist activity in London, and that made us much more aware of the associated issues. I think people’s awareness has certainly changed now, especially with regard to areas previously considered reasonably safe.

Although business continuity plans have been regarded as a cost, they have obviously provided value. How do you foresee the implementation of BCP changing in the future?

In the short term, people have chosen temporary BCP solutions—one in which, for example, you rent space in an empty building that you hope never to use. But I think they will eventually move toward in-built business continuity, as we are doing, and new technology makes that possible.

There is no longer a requirement for big mainframes that are expensive to operate; with new technology you can mirror data remotely, operate live back-up sites, and add processing power fairly easily. Take us, for example. We operate a single data center in London that essentially functions as our DR site. So, whilst we may have spent a little bit more on putting the necessary hardware in place, it’s not that much more of an incremental cost over what it has been to upgrade our applications.

Changes in technology enable people to change the way they view DR and BCP. The new technologies will be incorporated into the organizational infrastructure as companies upgrade from mainframes to the next generation of technology.

KPMG’s Risk and Advisory Services
KPMG’s Risk and Advisory Services (RAS) practice focuses on the fundamental business issues—managing risk, increasing revenues, controlling costs—that all organizations, in all industries, must address in order to flourish. RAS encompasses a wide array of advisory services designed to help companies deal with these issues and to better manage the financial and operational functions of their organization. RAS professionals help companies identify and manage risks, including the risks inherent in the technology systems used to support business objectives, and provide them with information to help them meet their strategic and financial goals.

KPMG’s Assurance and Advisory Services Center


KPMG’s Assurance and Advisory Services Center (AASC) provides assistance to KPMG member firms in creating, enhancing, and supporting KPMG member firms’ assurance products worldwide. Staffed by client service and technical professionals recruited from KPMG member firms around the world, the AASC is a center for assurance research and innovation, product development and support, knowledge management, and technology tool integration.

Major KPMG Contributors


Stuart Campbell

Felipe Alonso

Charles McKinney

Rick Cudworth

Jeanne Edwards

Sally Hales

David DiCristofaro

John Boucher

Robert A. Litt

Sarah Wise

Colleen Drummond

Diane K. Nardin

Visit us on the World Wide Web at www.kpmg.com.

The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act upon such information without appropriate professional advice after a thorough examination of the particular situation.
©2001 KPMG LLP, the U.S. member firm of KPMG International, a Swiss association. All
rights reserved. Printed in the U.S.A. on recycled paper. 23522atl
