Long before the anthrax scares in 2001, health maintenance organization Kaiser Permanente had begun formulating strategies to ensure business continuity during disasters and emergencies.
The Oakland, Calif.-based company was about halfway through a two-year implementation of its business continuity plan (BCP) when news broke in October 2001 of anthrax attacks in the eastern U.S. Those attacks left five people dead, including two Washington, D.C.-area postal workers who were covered under Kaiser Permanente health care plans.
Suddenly, the theoretical emergencies envisioned in Kaiser's BCP became literal tragedies, demanding an immediate response. The company's BCP team had to shift gears in midstream, said Skip Skivington, the company's national director for health care continuity management.
"I had to stop what I was doing [with] the implementation and pull together a new team of physicians and clinicians to respond to the anthrax attack," Skivington said. Among the tasks that needed immediate attention: studying the clinical aspects of treating patients infected with biochemical and radiological agents, and ensuring the health and safety of Kaiser employees. Also, "we had legal implications, public policy implications, logistics and facilities to worry about -- just a host of focus areas that we really had to concentrate on," Skivington said.
In other words, no matter what else came to a halt, Kaiser needed to be up and running to treat patients, handle their insurance claims, and continue business as usual -- even though the circumstances around the country were anything but.
Kaiser caught a break in one way, however. Like many large enterprises, the nonprofit HMO had prepared for a possible crash of its computer systems associated with the year 2000 bug. The firm breathed a sigh of relief when Y2K horrors didn't materialize as predicted. "Everybody said, 'whew' and went back to their jobs," Skivington said.
Preparing for potential Y2K outages served as the basis for a larger, more comprehensive strategy aimed at protecting data, employees, special equipment, facilities and other assets. Wisely, the firm's senior leadership insisted on sustaining the plan after the Y2K scare came and went.
With input from an executive governance team, Skivington helped engineer the "planning architecture" for extending business continuance planning across the organization, which included 30 medical centers nationwide. Individual departments within each medical center, in turn, are responsible for developing their own internal protocols for continuous business in the event of a catastrophe. Web-based tools are used to manage the sprawling enterprise.
"Each department plan rolls up into a medical center plan, which rolls up into a regional plan. Those regional plans roll up into our enterprise plan," Skivington said. "We keep them all connected through the planning architecture."
Skivington oversees a 13-member team responsible for carrying out the full-scale implementation of Kaiser's health care continuity plan, as it's called. Team members have received special training, including certification, in business continuity planning. But Kaiser isn't finished fine-tuning its plan. With help from Freehold, N.J.-based consulting firm Virtual Corp., Kaiser expects to complete a system-wide implementation of its BCP by the end of 2003. After that, it will test and update the plan annually to account for new threats.
"At last check, we had more than 14,000 individual department plans that were created, and we'll have [each department] test it, validate it and update it every year beginning in 2004," Skivington said.
Kaiser appears to be in a select group. Despite the pressure on businesses to maintain continuous uptime, business continuity planning remains a low priority for most businesses, according to Gartner Inc. The Stamford, Conn.-based research firm estimates that fewer than 25% of Global 2000 organizations have implemented comprehensive business continuity plans.
"Companies haven't dealt with this for a variety of reasons. First, many think a disaster can never happen to them. Second, a lot of this [planning] costs money," said Roberta Witty, a Gartner analyst.
Indeed, enterprises have to weigh various costs when designing a plan. Technology costs could include buying expensive new servers or data-replication software. A company also may need to rent backup space and equipment, in case the main facility is shut down or destroyed. Most important, enterprises have to take steps to secure the physical safety of their personnel.
Skivington estimates that Kaiser's first-year implementation costs were between $1 million and $2 million; that price tag covered software, consulting, equipment, training and other costs. A large company like Kaiser may be better able to absorb expenses of that magnitude. For small and midsized organizations, however, those kinds of price tags can be prohibitive, especially in the current economic climate.
Another drawback to widespread adoption of BCPs may be their layered complexity. Business continuity has been viewed as the overarching structure for a series of smaller, more targeted plans encompassing four broad areas: disaster recovery, business recovery, business resumption and contingency planning. That leads to duplication and higher costs for enterprises, said Michael Miora, CEO of Los Angeles-based consulting firm ContingenZ Corp.
"Separate teams for separate incidents don't coordinate with each other. Better coordination would decrease costs and improve [a company's] return on investment to three years, at most," said Miora, whose organization helps companies devise holistic incident-management plans.
For Skivington, 2003 is the critical final step, as the company continues to roll out individual facility plans and perfect its overall BCP. "In the business world, we tend to look for the paths of least resistance," he said. "Unfortunately, with business continuity planning, there are no shortcuts. You've just got to spend the time."
FOR MORE INFORMATION: