Lesson from 9/11: It's Not About Data
Best-laid plans abound, but will they be enough to ensure that operations always run smoothly?
By Scott Leibs

As the one-year anniversary of the attacks on the World Trade Center passed, re-evaluations of policy were as conspicuous as NYFD baseball caps. Less celebrated but no less important were the ongoing efforts of businesses to make sure that a future disaster of that magnitude, whatever the cause, proves far less disruptive to operations.

Most companies have overhauled their contingency plans, albeit not with the sense of urgency one might expect. It remains unclear whether companies are willing to spend more money to ensure that their operations can be restarted elsewhere should some form of interruption occur. That raises the question, if 9/11 hasn't prompted companies to take business continuity seriously, what will?

Certainly it is being taken very seriously in the financial services world. At the Board of Trade Clearing Corp. (BOTCC) in Chicago, which acts as a guarantor of futures and options traded on the Chicago Board of Trade and the MidAmerica Commodity Exchange, the heightened interest in business continuity has taken several forms. Foremost among them, and relevant to every company, is its ideas about just what constitutes a "disaster." Brett Paulson, senior vice-president and CIO at the BOTCC, says that prior to 9/11 his organization tested its disaster-response capabilities about eight times a year. It still maintains that schedule, but now it tests for a much greater range of scenarios. "In the past, we limited ourselves mostly to problems at our own site," he says, "but now we'll test for things like a disaster striking metropolitan Chicago, to see how we'd respond to telecom outages, disruptions in transportation - all the things that go beyond simply protecting the data in the data center."

The need to address a range of issues beyond the data center is why "business continuity" has replaced "disaster recovery" as the preferred term for post-crisis response: it's no longer enough to "recover" data at a backup site or via some other means. Businesses now understand that to weather any sort of storm successfully they must address manpower availability and productivity, financial issues such as lines of credit, public/private sector cooperation, and much more besides.
That may be why companies have spent more time and money concocting plans than arranging for traditional methods of disaster recovery, such as subscribing to third-party backup sites. Cynthia Doyle, an analyst at IDC, in Framingham, Mass., says that "spending has indeed picked up on the consultative side of the business, but in a down economy [many] are not willing to pay for outsourced business-continuity services."

That's not good news for companies like SunGard Availability Services, which would have seemed a good bet to see business boom following last year's attacks. But revenue for its most recent quarter is up only 9 percent once its acquisition of Comdisco's business-continuity services is excluded, and the previous quarter's revenues were up 11 percent. "Awareness of the issue has increased since last September," says SunGard Availability Services CEO Jim Simmons, "particularly the idea that companies must orchestrate recovery for every point along the continuum." But in the current economic climate, there has been no stampede toward backup services such as remote data centers.

SunGard and its competitors, however, believe that such services will be a priority once the economy improves. SchlumbergerSema, a leader in business-continuity services in Europe, has doubled its US capacity since 9/11 and has expanded again by 50 percent this summer. In addition to its 150,000 square feet of data center space in the New York metropolitan area, SchlumbergerSema offers services such as web-based backup of the contents of laptop computers, an acknowledgement that the loss or theft of a sales representative's machine can be just as disastrous as a flooded data center. SunGard has also expanded its services to offer more human expertise and intervention, versus a focus on facilities alone.

And customers that have signed on for those facilities are looking at ways to use them more effectively. The BOTCC, for example, now relies on its SunGard site not only for backup in the event of a catastrophe, but as a second, primary data center that mirrors all transactions and absorbs spikes in traffic or other anomalies.

Cost-conscious companies are taking other measures as well. The Philadelphia Stock Exchange is talking to other financial services firms to see if partnerships can defray the costs of responding to disasters. In the wake of 9/11, it provided space to the American Stock Exchange's options floor, which required it to handle triple its normal transaction volume. "We're a small operation, but we have large infrastructure re-quirements," says William H. Morgan, the Philadelphia Exchange's executive vice-president and CIO. "So we have to put competitive considerations aside and look for ways to leverage partnerships, mobile technologies, whatever we can do."

Having helped Amex in its hour of need, the Philadelphia Exchange was no doubt motivated to get its own plan in shape as soon as possible. "We're in the middle of our review right now," says Morgan.