Know the Drill

The federal government is unprepared to continue the business of democracy in times of national emergency, according to a recent General Accounting Office report. None of the 23 agencies GAO studied has an adequate continuity-of-

operations plan as mandated by the Federal Emergency Management Agency in 1999.

Many agencies have struggled for additional direction and funding to meet this mandate. Chief information officers and managers alike have questioned whether their agencies can afford to divert operational resources-people, facilities and budgets-to prepare for events that might not occur.

Continuity planning evolved significantly after FEMA issued its mandate. Most public and private sector plans came out of preparations for the Y2K crisis. Later, as the private sector recognized the need to minimize downtime in an increasingly digital world, continuity planning came to mean minimizing the effects of system failures or natural disasters.

Then came 9/11. Even solid plans failed to prepare organizations for such disruption.

The attacks on America revealed that re-establishing network connections or recovering IT systems is not sufficient to ensure seamless operations during a national emergency. Forward-thinking continuity planners have broadened their strategies to include the entire enterprise, viewing the agency as an integrated and dynamic whole that can adapt to evolving threats.

Colleen Murphy, director of assurance programs for the Internal Revenue Service, has been wrestling with continuity planning. At a recent gathering of private and federal planners, Murphy noted that the IRS learned more about its critical business systems and discovered potential points of failure as it began to think of bolstering the entire enterprise.

"This became the start to extensive contingency planning, with the [continuity-of-operations] plan representing one piece of the enterprise's strategy to build resilience into its business processes," she said.

In a recent Gartner Group study, 620 CIOs put business continuity among their top priorities. Federal agencies can take five practical steps to bring their plans into compliance with established standards.

• Join forces. Small agencies can rely on larger departments and agencies for help, including information-sharing and access to assets, such as backup facilities and staff. Through collaboration, small agencies can address areas where they may lack expertise or resources. In addition, agencies can enter into agreements with local law enforcement agencies-and other state and local operations-for more assistance during emergencies.
• Think bigger. Continuity planning is not just for the IT department. Comprehensive strategies must involve all critical business processes, and every employee must be responsible for ensuring continuity in a disaster. Creating an internal steering committee of representatives from human resources, operations, management and IT will ensure that vital processes are included and no contingency is overlooked.
• Commit to invest. Continuity plans must be supported at the highest executive levels and should be mandated from the top down. Executives must understand what is essential to accomplish the mission, in addition to the safety of employees, and know how to explain risk in terms of business, not just from a security perspective.
• Learn from the private sector. Adopting best practices from the corporate world, which has taken the lead in continuity planning, can help the government become more agile in handling threats to operations.
• Revise and rehearse. A continuity plan is not developed once; it is a journey without an end. Agencies must continually reassess their strategies to keep pace with ever-changing threats. Employees must feel an ongoing sense of urgency. Plans must be updated and rehearsed during emergency simulations until each process is executed seamlessly.

For the government, the benefits of continuity planning are greater than preventing lost time or revenue. Major disruptions threaten the stability of our democracy. Their effects are measured not just in dollars, but in a loss of confidence, trust-and, ultimately, in lives.