BUSINESS CONTINUITY PLANNING
BUSINESS CONTINUITY PLANNING: A COMPREHENSIVE APPROACH
Virginia Cerullo and Michael J. Cerullo
The risks of business interruption expand as companies become more dependent on information technology (IT) infrastructure. A comprehensive approach to business continuity planning seeks to mitigate all major interruptions of business systems. This article analyzes recent national and international surveys to develop insights about the current status of business continuity plans, including perceptions about internal and external information security threats.
EVERY COMPANY IS SUSCEPTIBLE TO natural disasters, such as earthquakes, hurricanes, and floods, which occur regularly throughout the world. The Federal Emergency Management Agency (FEMA) states that between 1976 and 2001, a total of 906 major disasters were declared in the United States.1 Tens of thousands of organizations of all sizes were affected by these disasters. Unless firms prepare in advance, disasters inevitably shut down business operations. And the longer a firm's operations are shut down, the more likely it will never reopen for business. A study by Datapro Research Company found that 43 percent of companies hit by severe crises never reopen, and that another 29 percent fail within two years.2 According to FEMA, of all the businesses damaged by Hurricane Andrew in 1992, 80 percent of those lacking a business continuity plan (BCP) failed within two years of the storm.
The potential causes of business interruption are not only from natural disasters, but are multifaceted, including interruptions caused by human error, utility disruptions (such as power outages), and malicious threats from outsiders. The risks of business interruption have therefore expanded as companies increasingly depend on information technology (IT) infrastructure and become more linked to external networks. The threat of cyber-terrorism - including unauthorized access to a system, disruption or denial-of-service, unauthorized use of a system, or unauthorized changes to system hardware or software - can be as destructive as physical acts of terrorism. Quickly recovering from any type of business interruption, whether from a natural disaster or a telecommunication breakdown, is critical to a company's survival as a going concern.
Many companies have developed a disaster contingency recovery plan (DCRP). Although a DCRP is vital, it is primarily a reactive approach (i.e., a corrective control) and not a comprehensive plan for risk management. In contrast, a business continuity plan (BCP) seeks to eliminate or reduce the impact of a disaster condition before the condition occurs.
VIRGINIA CERULLO and MICHAEL J. CERULLO are professors of accounting at Southwest Missouri State University in Springfield. Both authors are also CPAs
WWW.ISM-JOURNAL.COM
SUMMER 2004
The Ernst & Young Global Information Security 2002 Survey...