The History of Business

Continuity and Disaster Recovery

THE ROOTS
of our industry.
Understanding the Roots of Business Continuity and Disaster Recovery.
The world of Emergency Response, Business Continuity, Disaster Recovery
and general end of the world as we know it products and services are full of
facts, fctions, and fux; and the noise on this channel is louder than ever as
vendors jockey for position and highlight surveys and analyst quotes to justify
their position and gain market share.
Business Continuity and Disaster Recovery have not always been about risk.
In fact, the roots of Business Continuity and Disaster Recovery can be found
in contingency planning and scenario planning. In early incarnations of war
gaming, the ability to spring forth from adversity with determination and will
was viewed as the reward of good planning. Early practitioners of creative
foresight saw good planning as a rigorous means to an end protecting what
they valued most along the way.
Understanding the roots of Business Continuity and Disaster Recovery will
help us to distinguish a key difference in where we are today as an industry
and the difference we could make tomorrow in the world.
To understand this position, we have to look back towards the future.
Contingency as a Strategic Concept 6th Century BC
Sun Tzus The Art of War is the frst known writing on the subject of strategic
thinking, and to this day is considered to be one of the greatest infuencers
on the topic among both military and business thinkers in the world. Sun Tzu
introduced the concept of scenario based planning and contingency to military
thinking over 2600 years ago. Several of these military strategies included
simple concepts such as backups (weapons caches,) scenario planning
(unforeseen events,) and competitive advantages based on planning for
the unknown. He taught that strategy is about responding swiftly and
appropriately to changing conditions, not that planning was working
through a to-do list. Planning works in a controlled environment,
however in a competitive environment, competing plans collide
to create situations that no one plans for. Strategy is foreseeing
what is possible, and being prepared.
Scenario Planning as a Military Concept 1950-1970
The scenario planning concept emerged as a method for military planning
again following World War II. The basic method of scenario planning uses
game theory (the simulation of military scenarios that combines
known facts with plausible variables based on social, technical,
economical and political trends). The concept of scenario planning
using applications such as systems and game theory was frst
introduced by Herman Kahn during the Cold War Era. In the
1960s, Kahn founded the Hudson Institute and refned scenarios
as a tool for business prognostication. He became one of Americas
top futurists.
1950
Through
1970
6th
Century
B.C.
Scenario Planning and Contingency as a Business Concept: 1970 - 1973
Scenario planning reached a new dimension in the early 1970s with the work
of Pierre Wack, who was a planner in the London offces of Royal Dutch/Shell.
Wack and his planning team realized that the Organization of Petroleum
Exporting Countries (OPEC) could demand much higher prices and disrupt
Shells business. The only uncertainty was when. Wack described the full
ramifcations of possible oil price shocks and warned management that the
oil industry might become a low growth industry.
This was when scenario planning for businesses was born. It helped
Shells managers imagine the decisions they would have to make as a
result of an unlikely event occurring. In October 1973, after the Yom Kippur
war in the Middle East, there was an oil price shock-wave felt around the
world. Of the major oil companies, Shell was the only company prepared for
the change. The companys management responded quickly and, in the
following years, Shell moved from one of the weaker oil companies to
becoming the second largest oil company in the world, and the most proftable.

To operate in an uncertain world, managers need the ability to question their
assumptions about the way that world works, so that they can see things
more clearly. The purpose of scenario planning is to help Executives
change their view of reality, to match it more closely with reality
as it is, and to propose other possible realities that might come to
be. The end result is not always an accurate picture of tomorrow,
but leads to better decisions about how to operate in the future.
1970
Through
1973
Based on Mr. Wacks insights into future market dynamics, corporations stood
up and took notice. Later, the Shell scenario planning group envisioned a
future in which Shell would not have access to the data which controlled
oil prices and sales housed on their mainframe computers. Because Mr.
Wack had been accurate in the past, Shell readily invested in the creation
of Information Technology backups. The use of an offsite storage facility,
previously used for Government documents only (the original Iron Mountain)
by a commercial user, was the direct result of Mr. Wacks scenario planning.
Thus was the industry of Business Continuity and Disaster Recovery born.
Remarkably, these early practitioners saw these efforts at Business Continuity
and Disaster Recovery as a true competitive advantage.
Scenario planning is a discipline for rediscovering the
original entrepreneurial power of creative
foresight in contexts of accelerated
change, greater complexity, and genuine uncertainty.
Pierre Wack,
Royal Dutch/Shell, 1984
Early Years: 1973-1980
In the mid-1970s, SunGard began as a subsidiary of the oil giant Sun Co.,
providing remote-access data processing for Suns Information Services
(SIS). The pivotal moment came in the late-1970s when Suns business had
become heavily dependent on computer systems and the company realized
that they could lose up to $3 million by the third day if their computer
system failed. SIS President, John Ryan, had his division develop a
disaster recovery plan and business contingency plan for Sun Co.,
which included daily backups to tape that were stored at an off-site
location that could be loaded onto an alternate mainframe should
Suns mainframe computer fail.

1973
Through
1980
Boom Years: 1990-2000
During the decade from 1990-2000, the industry was comprised of 31
companies, which represented the majority of the hot site providers,
who collectively generated subscription fees in excess of $620
million annually. The industry had seen substantial consolidation
since 1989 and ultimately created a situation in which 2 companies
dominated the market: IBM and SunGard. These companies
controlled over 80% of the market in both revenue and subscriber
base in the hot site arena.
Financially oriented frms tend to utilize hot sites more frequently due
to the critical nature of their operations. In fact, over 65% of all hot site
recoveries involved these types of frms. Over the past thirty years, the
majority of recoveries have occurred at Comdisco, IBM and SunGard. These
three vendors alone have supported over 67% of all disaster recoveries at
hot sites.
In the early 1990s, Business Continuity was positioned mainly in terms
of Disaster Recovery. In the event of a major disaster, technology assets
(e.g., systems, networks, applications and data) were to be recovered at
an alternate location. The typical recovery time objective (RTO) i.e., the
desired time to recover applications or acceptable transaction loss was
24 hours. Most of the enterprises that implemented disaster recovery plans
did so because they were in highly regulated industries (e.g., banking and
other fnancial service sectors). In most enterprises, however, business
continuity and disaster recovery planners spent their time trying to raise
awareness of the need to protect enterprise assets (often unsuccessfully)
In 1978 SIS was approached by a group of Philadelphia businesses searching
for a similar disaster recovery solution, which lead to SunGard Recovery
Services becoming a Commercial Hot-Site Provider. By the end of 1979
there were over 100 providers of computer backup services located across
the U.S.

Growth Years: 1980-1990
Over the next ten years, the industry grew to generate $240 million in annual
subscription fees. Vendors marketed their services as hot sites which were
designed to provide stand-by computer resources, in the event that one or
more subscribers required an alternative computer center to process critical
applications.
This requirement was usually prompted by an actual or perceived event that
could render a subscribers computer systems inoperable. The activation of
the hot site services was initiated through the formal declaration of a disaster.
The defnition of disaster varied by client and; subsequently, hot site
providers allowed broad interpretation. For example, clients have activated
their hot site subscriptions to provide backup during a planned relocation of
their data center.
1980
Through
1990
1990
Through
2000
The Internet Changes Everything
The Internet and e-business achieved critical mass in 1999 and
caused fundamental changes in the way enterprises thought about
Business Continuity and Disaster Recovery. Enterprises began re-
engineering their business processes yet again, this time aligning
them with those of customers, suppliers and business partners.
As a result, RTOs and RPOs were being reduced still further, in
some cases reaching zero. (A zero RTO means zero downtime,
or 24x7 continuous systems availability.) Furthermore, scenario
plans broadened to take on new e-business-specifc risks, including
downtime caused by:
1. Operational risk (e.g., the three-day Microsoft Web site
outage in January 2001)
2. Security risk (e.g., the denial-of-service attacks against
Web sites and networks)
3. Lack of capacity (e.g., the spikes in business volumes
caused by Victorias Secrets Internet fashion show)
4. Application failure (e.g., the full-day London Stock
Exchange outage in April 2000)
5. Partner/outsourcer unavailability (e.g., the Internet
Service Provider network failure or failed links between
an enterprises Web site and its partners sites)
6. Loss of physical structures (e.g., the facilities lost to
wildfres at the Los Alamos National Laboratory)
In the new e-business world, enterprises became deeply concerned about
any risk of downtime. Today, any downtime results in negative media
coverage, which can severely impact the enterprises image and reputation
as well as its continuing viability.
September 11th Attacks
The events of September 11, 2001, had a major impact on the requirement
for sound planning. Many of the organizations with offces in the World Trade
Center (WTC) had Business Continuity and Disaster Recovery plans in place
as a result of the bomb attack on this facility in 1993. There were a number
of stories on the news that weekend (September 15th and 16th, 2001) about
organizations that were located in the WTC that were operational at their
contingency locations.
By September 14th, Comdisco had felded 73 disaster declarations from 36
companies, primarily fnancial services frms in the New York area. Comdisco
clients fling disaster declarations included 20 security frms, 12 banks, two
insurance companies, and the New York Board of Trade.
and fghting organizational apathy toward recovery planning.
By the mid-1990s, business continuity initiatives had expanded to include
the recovery of critical work processes. For example, many enterprises
recognized that recovering their call center technology was pointless if they
lacked personnel to staff the call center itself, or a workplace in which to
locate it. Business Continuity Planning and disaster recovery scenarios
remained largely unchanged; however, as did RTOs and RPOs.
The trend toward an expansion of Business Continuity Planning initiatives
gathered momentum in the late 1990s. This trend was driven in part by
preparations for a potential year 2000 crises. One result of the year 2000
re-mediation effort was a massive enterprise investment in re-engineering
business processes (e.g., implementing integrated enterprise resource
planning systems).
As they prepared their year 2000 contingency plans, many enterprises
began to understand that if their critical systems and applications failed, their
business processes would fail along with them (e.g., orders could not be
taken and products could not be manufactured or shipped).
The inevitable result would be a severe negative impact on the
proftability and possible survival of the enterprise. With this new
understanding of their vulnerabilities, enterprises invested heavily
in Business Continuity and Disaster Recovery between 1997 and
2000. RTOs for mission-critical business processes were reduced
to less than 24 hours and sometimes much less; RPOs were often
set as up to the point of disaster (i.e., no loss of work or transactions).
Moreover, the growing interdependencies among internal processing systems
and external service providers began to increase the complexity of recovery
solutions. Nonetheless, scenario planning remained largely unchanged.
1990
Through
2000
1990
Through
2001
By September 14th, SunGard had felded 70 disaster alerts and 22 companies
took the more severe step of fling disaster declarations. SunGard
clients included 16 fnancial services frms, two providers of business
services, and one each in law, health care, transportation, and
telecommunications.
Comdisco indicated their largest number of declared disasters
(32) was logged two years prior to the September 11th attacks,
when Hurricane Floyd hit the East Coast.
The damage a disaster causes to an enterprise may not necessarily be
physical, as the troubling increase in systems-and operations-disrupting
cyber attacks shows. These activities are certain to increase in response
to any reprisals, including military action. On 911, many enterprises lost key
executives; therefore, key management decision-making had been disrupted
at precisely the time it was needed most. Some enterprises had lost their entire
IT organizations or disaster recovery teams, compromising the enterprises
ability to recover according to previously determined procedures. Moreover,
unlike the 1993 bombing, this disaster completely destroyed physical facilities,
records, systems and other enterprise assets. The secondary effects (e.g.,
loss of communications, delays in mail and courier services, limitations in
airline travel) had also been unprecedented. Today, comprehensive, domino
effect disasters are more commonly understood than had been in the frst
twenty years of Business Continuity and Disaster Recovery planning.
In a way, the terrorist attacks of September 11th completed the 20-year
evolution in contingency planning, but they also changed everything. The
dramatically heightened recognition of the importance of Business Continuity
and Disaster Recovery means increased budgets for dedicated, non-shared
recovery solutions for business applications and systems of all types.
Planners will have the opportunity to integrate business continuity and disaster
recovery into the project life cycles of business processes and applications.
Old and new risks can be addressed where they should be in the business
requirements phase of a project, not as an afterthought when production has
been completed. Most important, there will be newfound business continuity
planners. After 911, enterprise decision makers understand why business
continuity is important: The very survival of the enterprise depends on it.
Point Solutions and Data Abstraction: 2006-2007
Surprisingly, the period immediately following 911, did not accelerate business
continuity, disaster recovery, or proactive planning as expected. Business
Continuity and Disaster Recovery planners continued to struggle upstream
against corporate apathy, lack of executive support, and perhaps, even
shock. Realizing an opportunity existed in ad-hoc point solutions and
hardware sales, many organizations moved into the BC/DR space
offering easy fxes for a fearful world.
Storage Area Networks, Virtualized Hardware Abstraction, and
Business Continuity and Disaster Recovery planning software
products abounded, and through 2007 these products continued
to act as disruptive one-time solutions to long range corporate
Business Continuity and Disaster Recovery challenges. Promised
return on investments (ROI) and the major failure at 365
Mains primary colocation facility highlighted the lack
of comprehensive Business Continuity and
Disaster Recovery capabilities at even the
most hardened facilities, and customers
realized, simultaneously with the Business
Continuity and Disaster Recovery market, that more had to be done.
Sept. 11,
2001
2006
Through
2007
P.25
Read
Cloud
Computing
The Turning Point: Back to the FutureThe Trend Toward Optimized
Business Continuity and Disaster Recovery
Today, customers are turning back to the roots of Business Continuity and
Disaster Recovery and looking to use scenario planning, business intelligence
and strong Business Continuity and Disaster Recovery as value multipliers.
In a simple way, Business Continuity and Disaster Recovery is becoming
more important to customers than ever as they look to gain an edge in the
competitive landscape.
Many customers realize that advanced technologies that assist the IT
organization in delivering rapidly scalable resources (Virtualization, SANs,
etc.) require advanced process methodologies to ensure that the alignment
between the business and IT is stronger than ever.
Today Tomorrow
Tomorrow: The Future of Business Continuity and Disaster Recovery:
Tomorrow, as gen X and Y move into managing and decision making roles in
the private and public secors, Business Continuity and Disaster Recovery will
be more holistic, more visual, and more socially consious than ever.
P.92
Read
Losing Your
Cool
Re:Think...
the industry. Understand where the industry has been and where the industry
is now in order to make informed decisions to improve our approach.
Contact
Kevin Burton
kevin@thinkbam.com
480.239.9724
Angela McGee
angela@thinkbam.com
480.239.5647