BUILDING ON THE SUCCESS OF Y2K

By Cole Emerson

For several years companies have invested many millions of dollars preparing for Y2K. Never in the world’s short technical history have so many people invested so much time in fixing a common problem. The total expenditures on "Y2K" may actually exceed the entire financial cost of WWII!

This article assesses the residual value of the Y2K effort for business continuity planners. The tremendous effort was needed to correct the problems caused by the so-called "Y2K bug". Without the successful remediation effort, planners would have had their hands full handling both the external and internal failures that undoubtedly would have occurred. Since there were no major failures, few companies had to actually use the developed contingency plans. Detractors immediately questioned the value of the effort when no major crisis actually happened. It is similar to the plight of the information security professionals who, if they do a great job preventing the hackers from attacking their companies, have nothing tangible to show management. The thousands of staff responsible for fixing the problems did excellent work; major problems were prevented and contingency plans not needed! The author offers the following insights as some of the benefits from the Y2K efforts.

MOTIVATION
It takes crisis conditions for management to devote sufficient resources to get plans completed in a reasonable time frame. Without the impetus of Y2K, the volume of work could not have been done.

ASSESSMENT
Now that the organization knows more about its systems, applications, infrastructure and workstations, we need to continue to use that foundation of knowledge before it becomes obsolete. Never before have this many companies so thoroughly inventoried their equipment. For the first time in the history of many companies, they know where all their desktop computers are located and what applications are on each system. If a planner had proposed five years ago to inventory all the PCs in the company and identify all applications on each machine, he would have been run out of town!

CHANGE IN PLANNING—PROCESS ANALYSIS
Business continuity planning has been revolutionized by recognizing processes are the basis for planning. Processes, not business entities, should be the focus of planning. Processes extend across multiple business entities with each entity performing some necessary function within the process. Planning by individual business unit does not provide the understanding of the interdependencies either within or outside of the organization.

PROJECT MANAGEMENT
Allocation of the appropriate resources at the beginning of the project and orientation of the participants can expedite the planning process. Good front-end preparation will minimize a lot of re-work. Sending a "fill in the blank" planning template without a front-end discussion will almost always fail. That’s because very little about continuity planning is intuitive. It may be common sense once the problem is properly described to the participant, but without that basic understanding of the problem to be solved and the process and methodology, even the brightest participants are lost. Information exchange, recognition and acknowledgment of dependency by groups is important.

PLAN DEVELOPMENT
Y2K typically assumes a short-term system outage. Many companies have been forced to develop manual work-arounds to cope with the loss of a system and discovered that there are still some temporary manual mode candidates.

Y2K forced organizations to assign priorities to applications, hardware, and processes in order to meet an immovable deadline. Many organizations started late in the game and had to focus on what was most critical to survival of the core business. While these were painful decisions, the resulting product provided the priorities required by the business continuity program. Even though these priorities were not based on a formal business impact analysis, they are known to be essential to the core business functions.

VENDORS AND MATERIALS
Y2K forced organizations to more carefully scrutinize their critical vendors’ level of preparedness. Prior to the Y2K effort, many companies had not recognized or addressed the loss of the vendor and its potential crippling impact on the company. Raw material inventories were reviewed and contingency levels established to ensure adequate supply if the vendor was not able to provide the material. This then raised the issue: What if the vendor had an incident and its manufacturing was interrupted for an extended period?

Alternate vendors were identified after the response, or lack thereof, from vendors providing critical time sensitive services or materials. Some suppliers were put on the hit list for 2000. Vendors with uncooperative attitudes or those failing to provide for continuity of their own operations will be replaced.

Hard questions related to the reality of the vendor plans were finally asked. In the past, vendors never had to demonstrate they had a viable, tested and proven plan. Many vendors were caught lacking and not able to back up statements of recoverability made over the years to their customers.

COMMAND AND CONTROL
Many companies have never had to handle multi-site, multi-time zone planning and exercising. They found the task significantly more difficult to plan for and execute. Fortunately multi-site, multi-time zone incidents are extremely rare.

Command centers designed for managing single site incidents were not adequate for multi-site across multiple time zones. Again, having to deal with this requirement is rare. Many organizations may have to manage multi-site incidents but not over multiple time zones. However, it did point out the difficulty of centrally managing information provided by coordinators with different accents, unfamiliar names and from unfamiliar cities.

Staffs trained on telephone protocol are significantly more proficient at taking information than volunteers or persons without a background of heavy telephone use.

Each country has different constraints and regulatory requirements. Assumptions made based on US trained staff may not have been accurate.

EMERGENCY POWER
Y2K caused companies to assess their emergency power systems and fuel supplies. Companies who had as part of their planning scenario the potential loss of diesel fuel supply completed surveys of their emergency power systems. The surveys determined in many cases, that the fuel tank was not always kept topped off. Also the potential run time could be extended by a pre-planned power shutdown scheme with a clear picture of what could be turned off to preserve power and extend the fuel supply. Many companies discovered they had never completed such a survey and did not have a prioritized plan for an orderly shut down or start up of power. The sequence procedures for the power shutdown had always been in place. What functions could remain off the emergency power system had not.

Y2K caused some companies to ask themselves the question: ‘If there were only one thing I could protect in my site, what would it be?’ With an assumption of limited resources, it forced "Alamo" approaches that if failures did occur, how could the company centralize and protect core functions?

About the Author
Cole Emerson is President of Cole Emerson & Associates, Inc., a consulting firm specializing in assisting domestic and international companies develop and exercise their business continuity plans. For more information on this subject call (916) 797-6272 or visit www.bcpconsulting.com