By Allan Graham (Part 3 in a 5-part series)
In previous posts of this series, we examined the business drivers and scope of business continuity planning (BCP).
Now we turn to the specifics of work area recovery, and for financial services, the most critical work area is the trading room. What happens if the building that houses your production facility becomes inaccessible for an extended period of time?
In this event, your BCP must account for how and where an alternative production facility becomes established, how the required people will reach the facility, and how the required IT infrastructure, applications, and communications capabilities will be brought to the facility.
Depending on the criticality of your production facility, your RTO/RPO, and your ROI analysis, you will need to decide among three basic options for your backup production facility.
Dedicated, Private Facility
A dedicated, private facility is the lowest-risk, fastest-recovery option. Such a facility is fully furnished, secure, and resilient. It is equipped with data and voice connections, includes a sufficient number of workstations for the number of people expected to work during the crisis and recovery, and provides access to all the mission-critical applications and materials they need to do their jobs.
For financial services firms, a dedicated, private facility should be equipped with the latest workstation technology, including dedicated trader/dealer desks, multiple monitors, dealer boards (turrets) with voice recording, and connectivity to research, news and market data feeds, ticker plant, and order/trade management systems.
Because you are designing this space for people, it should include access to conference rooms, general office utilities (copiers, fax machines, printers, etc.), and a pantry/lounge area.
Finally, the facility should satisfy all legal, regulatory, and compliance requirements, and be scalable to accommodate evolving needs during a prolonged crisis.
A shared facility has the same capabilities as a dedicated, private facility, but the space is contractually shared with other companies. While less expensive than a dedicated, private facility, the space must be customized to the specific needs of each business at the time of a test or recovery (applications, access to private data, selected market feeds, etc.), which means that it will take longer for the facility to come online.
In addition, in a wider-area event, another business that shares the space may occupy the facility before you, preempting your progress toward recovery. If you choose this option, look at the other companies sharing your space to assess how likely it is that they will be caught up in the same event impacting your company.
Many companies rely on temporary spaces for their recovery options; however, such an approach carries with it a significant risk of a very slow time to recovery. In addition to the need to equip such a facility with the required furniture, technology, and connectivity—at a time when vendors may be overwhelmed by other requests stemming from the crisis—there may be issues related to security and meeting legal, regulatory, and compliance requirements.
Some companies' work area recovery schemes rely on working from home or from local cafes offering Wi-Fi, but such an approach carries the highest level of risk. While these sites may be sufficient for individuals needing to make phone calls and write reports, they are insecure, lack access to mission-critical applications, and, especially for companies in financial services, put them at risk of significant legal, regulatory, and compliance violations.
However, it is possible to address the inherent lack of security and resiliency in the “work from home” approach if it is carefully developed to account for physical and data security, backup power, access to mission-critical applications, and legal, regulatory, and compliance requirements. Note that by the time all these aspects are managed for a sufficient number of people, it may be far more logistically complex and expensive to implement and manage than the dedicated, private approach, not to mention the inherent reduction in efficiency and ability to collaborate when taking a centralized people function and geographically dispersing it.
In part 4 of this blog series, we will continue to focus on work area recovery, taking up issues related to people, data services, and voice services.