With the damage caused by Hurricane Katrina still fresh in the minds of many corporate executives, more than a dozen major financial services firms and leading vendors announced this week they are devising disaster recovery and business continuity standards to help companies gauge their preparedness for future disasters.
Led by the New York-based Financial Services Technology Consortium (FSTC), the Resiliency Maturity Model Project will for the first time create benchmarks and define terms for business continuity planning across all areas of a financial enterprise -- and even for companies in other industries, according to Charles M. Wallen, managing executive of FSTC"s Business Continuity Standing Committee and the project"s director.
"Katrina is one of many large-scale events that reaffirm the need to have strong business continuity plans and to provide a road map for third-party providers to understand what"s needed," Wallen said. "We have to do a better job at raising the bar. The financial industry in particular is looking for ways to go outside the box with planning."
CitiBank and J.P. Morgan Chase & Co. in New York, Bank of America Corp. in Charlotte, N.C., and MasterCard International Inc. in Purchase, N.Y., are among the companies involved in developing the standards. The group also includes IBM, Carnegie Mellon University in Pittsburgh and the Disaster Recovery Institute International in Falls Church, Va.
Wallen said the project, which is expected to be completed by next spring, should give companies a road map to adequately plan and measure their resiliency against a set of industry standards. The project is in part a follow-up to the FSTC"s Business Continuity Compliance Project, which was completed in June and pulled together more than 100 global continuity regulations into a single set of terms and definitions. In August 2004, the FSTC also led an effort among eight financial services firms and vendors that involved comparing notes on disaster recovery schemes.
Brian Finley, chief technology officer at PSSD World Medical Inc., a US$1.5 billion medical supply equipment company in Jacksonville, Fla., said standards are good. But he knows many companies still won"t bother to use them to prepare for disasters.
PSSD"s Jackson, Miss., call center lost power and communications for a week after Hurricane Katrina pummeled the Gulf Coast on Aug. 29, and it had to be relocated to a disaster recovery facility in Atlanta owned by SunGard Availability Services. Finley said his company has tested the disaster recovery plan each of the eight years it has contracted with SunGard, but many other users don"t.
"I"ve seen and heard of customers that never test. Even if you create a set of standards, somebody"s got to buy into those standards and someone has to financially back the testing and documentation and the process and controls around it," he said. "Until you have that impetus at the business side, I don"t think a set of standards is going to fix the problem."
"Our goal is to come up with this common language and capabilities in a generic way that works for everybody. I want to emphasize that our scope is more broadly defined than just business continuity. There is absolutely a major focus around information security, change control and governance -- those types of controls essential in sustaining a business," Wallen said.
The Resiliency Maturity Model Project is being carried out in two phases, the first of which is expected to be completed this month and will identify a list of capabilities that answer questions such as: "What sort of things do I need to be good at in order to achieve my resiliency goals?" The FSTC is working with Carnegie Mellon to use some of its methodologies in maturity modeling to identify the levels and capabilities within reach of most organizations.
The second phase of the project is expected to be completed next spring and will include benchmarks and maturity models to which companies can compare their preparedness against some 40 capabilities.
Guillermo Kopp, an analyst at TowerGroup in Needham, Mass., said he"s "upbeat" about the project and believes it could lead to more business buy-in on such projects, mainly because of a framework that can prove return on investment and the need for resilience requirements. "The challenge is to keep the level of attention high. These projects are not a slam dunk. It"s more of a journey," he said.