Business continuity planning (BCP) has been at the top of most financial services companies' agendas since Sept. 11, 2001. However, recent fears about an Avian flu epidemic and other possible disasters, natural or otherwise, have some financial services firms revisiting those plans. How can a financial services firm remain in operation if a large portion of its workforce cannot get to the office for an extended period of time? And how does a firm operate if everyone must work remotely? Are employees even equipped to work remotely? These are the questions that many CIOs are struggling to answer as they try to prepare for the next big business disruption.
One firm that is taking a hard look at its BCP is American Century. The asset management firm's strategy is to divide its planning operations into two subcategories: business and technology. It first works with business units on possible disaster scenarios they may face, such as the abrupt unavailability of systems, staff and buildings. It then practices various strategies for working through these events remotely, says Gudrun Neumann, SVP of IT at the firm. Simultaneously, American Century's technology group has established an emergency response team that works on plans to restore affected technology should such a disruption occur.
But enabling large numbers of staff to work remotely or from home is one of the biggest challenges facing financial services firms today. American Century relies on two solutions to provide employees with a secure remote connection through which they can tap into company applications. First, the firm provides key staff with laptops and remote access to the company network through a virtual private network (VPN) from Juniper Networks (Sunnyvale, Calif.). And for employees who have home computers, American Century uses a solution from Fort Lauderdale, Fla.-based Citrix to provide remote application access (but not access to the company network). About half of American Century's employees currently are equipped to connect to the firm's network remotely, Neumann notes, but American Century is looking to expand its work-from-home program using both of these methods.
Caution: Traffic Ahead
The fact remains, however, that while financial services firms may have faith in their internal business continuity plans, they still are dependent largely on their telecom and Internet service providers (ISPs) to remain functioning throughout a crisis. If large numbers of people suddenly begin working from home, all the network traffic that firms currently run on their private networks would be moved to external ISPs, which could affect response time. "It is definitely something we will be addressing with telecom providers: what are they going to do about dealing with all the private traffic now on the Internet?" Neumann says. "That is the biggest fly in that ointment." She adds that American Century is looking into placing dedicated ISDN lines in some employees' homes to mitigate the risk of clogged Internet connections.
Executives at Eaton Vance also are preparing for such an occurrence. The firm is equipping key employees with wireless personal digital assistants (PDAs), such as BlackBerry devices, that can work without the Internet being available. It also has entered into agreements with two of its key IT service providers to use their facilities remotely if necessary, according to Eaton Vance CIO Ra'ad Siraj.
BKF Asset Management is dealing with the possibility of high phone and Internet traffic in the event of a disaster by maintaining relationships with several telecom providers and ISPs at once. BKF uses at least two different Internet providers on a day-to-day basis, notes Mark Sanders, CTO at the money management firm. "The key is diversity," he remarks. "Hopefully, by using several vendors that provide similar services, we won't get knocked out of the water."
No Firm Is an Island
But no matter how well architected a firm's infrastructure, BCP often requires cooperation with outside technology providers, many of which offer products and services to help financial services firms continue to do business remotely if the need arises. One such vendor is BT Trading Systems.
In the event of a pandemic disaster such as the Avian flu, for example, it may be necessary for traders to trade from remote locations, explains Pete Skoglund, director, product management and systems engineering, at the communications solutions provider. So BT has developed its ITS Anywhere family of products, which provides an individual trader with access to the trading environment from anywhere that Web access is available, as though he or she were sitting on the trading floor, Skoglund claims. Originally designed in conjunction with Canadian bank Scotia Capital in response to the SARS outbreak, the ITS Anywhere family of products can be run in conjunction with a Cisco phone environment or PBX (private branch exchange) telephone environment, as well as on a mobile device, he notes.
Of course, any BCP must first begin with notification. The ability to alert employees and their families if some sort of emergency were to occur still remains a challenge. Before 9/11, department heads at Eaton Vance were responsible for contacting employees. "But after 9/11, it became evident that this would not work, especially if a large number of employees were affected," says the firm's Siraj. "Now, we have a call-in tree, which gives employees a means through the Internet or phone system to declare their whereabouts."
However, as all CIOs have experienced, a plan may seem solid in theory, but until it is carried out, there always will be unknown variables. That's why American Century took advantage of the crowds in New York City during the Republican Convention to give its BC plan a try. "We actually closed the office," recalls the firm's Neumann. "It was a chance to test our disaster recovery plan, where people worked from home and met at hotels outside of the Manhattan area."
American Century also tested components of its plan during the MTA subway workers' strike in New York during December. Some of the problems the firm discovered during those tests were specific to employees' home computer setups, as well as less-than-desirable availability of telecommunications at hotels. "By trying different hotels, we found that there was a big variation of telecommunication skills available at those locations, and that was a big differentiator in terms of deciding who to go with," Neumann says. Ultimately, the firm settled on a hotel that was both central to most of the critical staff and that offered the best technical amenities, she says.
Clean Bill of Health
There also are some practical health precautions that many firms are starting to take in order to help avoid the spread of disease. American Century, for instance, is purchasing sanitizing wipes to place in kiosks and other public areas in its buildings. And BKF is working with the building maintenance staff to disinfect the firm's offices once a week.
Eaton Vance even has a process in place to deal with threats such as the arrival of Anthrax in the mail. "We are trying to understand the implications of what it would take to cleanse the building that we are in, ... so we are clearly in communication with the property managers," the firm's Siraj notes.
Clearly, no firm can be 100 percent prepared for the next unexpected disaster, and as threats change, so will solutions. Still, most firms certainly are trying to take the necessary steps to keep their businesses up and running, if and when a disaster should occur. "We are now coming up with the questions, [but] some of the answers have yet to arrive," American Century's Neumann states. She couldn't be more right.