
Journal of Business Continuity & Emergency Planning Volume 2 Number 3

Building enterprise-wide resilience by integrating business continuity capability into day-to-day business culture and technology
Patrick Alesi Received (in revised form): 29th January, 2008
Lehman Brothers, Inc., 745 7th Avenue, 12th Floor, New York, NY 10019, USA Tel: 1 212 526 1734; E-mail: palesi@lehman.com

Patrick Alesi is Senior Vice President and Co-Manager of Business Continuity Management at Lehman Brothers. He has held this position since March 2002, but had previously worked for Lehman on its business continuity plans as Assistant Vice President from 1997 until 2000. Patrick's current responsibilities include incident response management and strategic planning as well as regulatory compliance for business continuity. Between his stints at Lehman, Patrick worked at the New York Mercantile Exchange as its Director of Systems, Operations and Database Administration. He has a broad range of technology experience in systems analysis, and voice and data communications. Mr Alesi is currently Chairman of the Securities Industry and Financial Markets Association Business Continuity Committee and a member of the Futures Industry Association BCP Committee.

Journal of Business Continuity & Emergency Planning Vol. 2 No. 3, pp. 214–220 Henry Stewart Publications, 1749-9216

ABSTRACT
This paper follows the development of the business continuity planning (BCP) programme at Lehman Brothers following the events of September 11th. Previous attempts to implement a traditional form of BCP had been ineffective, but following the events, the firm began to look at BCP in a new light. This paper deals with three main themes: creating a culture of resiliency, leveraging technology, and building flexible plans. Distributing accountability for BCP to business line managers, integrating BCP change management into the normal course of business, and providing every employee with personalised BCP information breeds a culture of resiliency where people are empowered to react to events without burdensome, hierarchical response and recovery procedures. Building a strong relationship with one's application development community can result in novel, customised BCP solutions; existing systems and data structures can be used to enhance an existing BCP. Even the best plans are often challenged by events; understanding that flexibility is essential to effective incident response is a critical element in the development of a proper business continuity plan.

Keywords: resiliency, business continuity, BCP, incident response

INTRODUCTION

'Change alone is unchanging.' Heraclitus (1)

Business continuity planning (BCP), like all human endeavours, is in a constant state of change and development. Sometimes these changes are slow and almost imperceptible, but sometimes change is rapid and far-reaching in its effect. When change occurs suddenly, it is often accompanied by an unforeseen, external event. Such a sudden change occurred in BCP at Lehman Brothers, and the external event was September 11th. This paper will examine the significant changes in BCP at Lehman Brothers, as spurred on by the events of September 11th. Five years onward, the effects of that day are still being felt: the 'new normalcy', as the think-tanks and mass media outlets like to refer to it. Part of this new normal is a new way of thinking about incidents, response and recovery that has changed BCP from a tedious planning exercise, to a forward leaning activity that emphasises flexibility, portability and technological integration.
A BLANK SHEET OF PAPER
When asked what Lehman Brothers' business continuity plan was on September 11th, the CIO answered by holding up a blank sheet of paper. While the firm had the technological foundation built (redundant data centres and connectivity), there were no useful plans for mustering and directing people during a disaster. What Lehman Brothers did have, however, was a group of intelligent, motivated and empowered people, and whenever a group like that is brought together to solve a problem, great things can happen. Without any playbook to work from, Lehman Brothers built two trading floors in a week, and was able to participate in all of the major financial markets when they opened. What Lehman Brothers staff did on the days following September 11th provides a powerful lesson for any business continuity planner: they simply did whatever they needed to do to get their jobs done without lengthy approval processes, and without any micromanagement. That blank sheet of paper certainly served the firm well, and provided some lessons on how to do a better job of BCP.

In early 2002, senior management began to contemplate how the BCP function could be reinvented. Although the firm had made the proverbial silk purse from a sow's ear, it might not be so lucky next time. As such, it was agreed to get the BCP right this time. Three themes emerged in the process of rebuilding the business continuity group: creating a culture of resiliency, leveraging internal technology assets and creating flexible plans.
CREATING A CULTURE OF RESILIENCY
The empowerment of Lehman's people that enabled a successful recovery from September 11th needed to be reinforced and incorporated into the corporate culture. The traditional model of a centralised BCP group that creates and maintains plans for a select few critical recovery staff would not succeed; everyone needed to have a stake in the process. Furthermore, to the greatest extent possible, Lehman needed to make BCP part of day-to-day operations. As tools for response and recovery were created, it was important for them to be exercised regularly. Obsolete content and procedures that were only dusted off occasionally for testing would be of little use during a recovery effort. A number of programmes were created to foster this culture of resiliency.

A federated organisational BCP model places responsibility on the business owners
A model that concentrates BCP knowledge in a centralised group is inefficient from a planning perspective and could be dangerously ineffective during an actual disaster. Many organisations seed their business lines with dedicated continuity planners that have a matrix reporting relationship with the business manager and the BCP manager. Depending upon how this model is actually implemented, the solution may be adequate. Nonetheless, there are inherent risks:

- line managers in the business now have an excuse to ignore their responsibility for BCP because there is someone who serves as the BCP expert in the business;
- there may be a tendency for the business line BCP professionals to hoard information;
- business line BCP staff are accountable for creating plans, but do not necessarily have the authority to make decisions during an incident.

It is this last point that is perhaps the most important. Both the accountability for planning and the authority to execute plans (or perhaps more importantly, deviate from plans) during an incident must reside with business line managers. As of the writing of this paper, there are 15 dedicated business continuity employees globally, for a firm of roughly 28,300. That works out to one dedicated BCP employee for every 1,887 employees. Across the firm's business lines, however, the planning software has well over 200 regular users, and the owners of the plans are the chief administrative officers (CAOs) for each business. The CAO is responsible for resource planning and allocation, and works with senior business management on a daily basis. This close working relationship can be easily and effectively leveraged in the creation, maintenance and activation of business-specific continuity plans.


Continuity plans must be revised as part of the normal course of business
Creation and maintenance of business continuity plans is not done twice yearly or every quarter; it takes place pretty much all the time. If plan owners and members look at and update their plans only occasionally, they will soon forget what they entail once they return to their day job. One of the more notable ways that Lehman Brothers has increased the maintenance cycle and incorporated it into daily operations is the mechanism by which it maintains accurate contact information for employees. Every 75 days, when an employee opens a web browser, they are automatically redirected to a page with their contact information and asked to review it. Users cannot navigate to a site until they respond to the request. Maintaining reliable contact information cannot be underestimated when responding to a disaster. In addition, the continuity planning tool uses a system of 'listeners' to find missing or changed data, and alert plan owners via e-mail that something in their plan needs to be updated. For instance, this happens when an employee who has a dedicated recovery seat leaves the firm.

Every employee must be part of the business continuity plan
In some traditional business continuity plans, only 'critical' employees are actually documented as part of the recovery plan. All of Lehman's employees are considered critical, and they all need to be communicated with during an incident. As a result, the firm has created a business rule in its internally-developed continuity planning software that ensures that all employees are assigned to a plan. If an employee moves from one department, and therefore BCP, to another, the system automatically moves them, so they are never without a plan.
Remote access tools can enhance resiliency
While many firms have a mechanism for remotely accessing their data and have incorporated this into their BCPs, Lehman places great emphasis on this capability, and has implemented a full suite of virtual workplace technologies, including:

- Citrix server-based access to critical applications;
- remote desktop capability to allow full access to a user's work PC;
- remote voice capability that allows calls to be received and placed from any phone, while appearing as though they are made from the user's desk.

Lehman has even piloted remote trading turret (dealer board) applications that allow traders to access their private lines remotely. A critical element of this virtual workplace is that it does not rely on a virtual private network (VPN) connection. VPN connections typically require specialised software to be pre-loaded on a PC (usually company-supplied). Lehman's solution only requires an authentication token. Therefore, any internet-connected PC or Mac can be used for remote access, substantially increasing resiliency. A virtual workplace environment is a wonderful tool in the continuity planner's arsenal, but people must be comfortable with using it during an incident. In keeping with the firm's desire to incorporate good business continuity practices into its day-to-day culture, there are a number of additional efforts that have been undertaken to ensure that remote access is a viable part of the plan.

Lehman's business continuity management (BCM) group has partnered with colleagues in the corporate diversity group, which is responsible for promoting, among other things, flexible work arrangements and the virtual workplace for employees who may wish to work from home all or part of the time. The two groups conducted a virtual workplace awareness fair, demonstrating virtual workplace tools in the cafeterias of major buildings in New York and New Jersey (similar efforts were later repeated in other offices globally). The results of the fair were evident in some of the statistics generated afterwards: hits on the virtual workplace intranet page increased 13-fold during the fair and requests for remote voice capability increased by the same proportion. Lehman Brothers had generated a great deal of interest in these technologies, but in order to make them a viable part of BCP, the firm had to be sure that people knew how to use them, and used them regularly. To do this, the BCM group implemented a biannual 'tickler' that puts a reminder on every employee's desktop to test their remote access capability. Employees are then asked to answer a single question on whether the test has been successful. The reminder has a due date, and will not go away until the task is completed. With so many employees working remotely and testing this capability regularly, the firm can depend on a remote workforce to significantly augment dedicated workspace recovery seats.
LEVERAGING INTERNAL TECHNOLOGY
A sophisticated development team has built web-based applications for the firm's numerous divisions. This extensive intranet architecture has been leveraged to create customised incident response and planning tools that connect in real-time to authoritative, up-to-date sources of data, using the same look and feel familiar to users. To ensure that technology is at the core of the new BCP model, it was decided that the BCM group would report to the chief information officer. This structure has allowed the group to implement some novel BCP solutions.
Internally develop the continuity planning tool
Although there are many capable third-party BCP software packages on the market, most require significant customisation. The decision to build its own tool allowed Lehman to create plans that followed its business model. Lehman Brothers' primary planning tool, BCPlans, is web-based, and adheres to all of the firm's internal standards for how web applications should look and behave. This significantly reduces the learning curve. As plans are maintained by managers and staff in the business line rather than dedicated continuity planners, this is a major consideration. In addition, the tool connects to production databases for people, systems and assets, making all of the plan information as accurate as possible. When development began five years ago, the ability to update plan data in real time using application programming interfaces was uncommon.

Give everyone their own business continuity plan
As it is the firm's philosophy that every individual should be part of a recovery effort and a member of a continuity plan, BCPlans was extended to create customised BCPs for each employee by parsing out key elements of the business line's recovery plan and formatting it as a simple web page that is accessible from anywhere, even wirelessly. The page provides key contact information and phone numbers, tasks, recovery seat assignments and other critical data that are unique to that person. The information is brief, typically one or two pages long, and is ideal for getting everyone through the first 24–48 hours of an incident. After such a period, it is reasoned that the recovery strategy will change drastically depending on the event. In keeping with goals to decentralise accountability and integrate BCP into corporate culture, Lehman again leverages technology to ensure that employees understand their individual plan. On a regular basis, a reminder is placed on every employee's default browser page asking them to read their plan. A confirmation button is placed on the plan page so that people can attest to having read and understood it.
CREATING FLEXIBLE PLANS

'No plan of operations reaches with any certainty beyond the first encounter with the enemy's main force.' Helmuth Karl Bernhard Graf von Moltke (2)

This quote has morphed over time to the more familiar 'No plan survives first contact with the enemy', and is a favourite of mine when discussing BCP strategy. Lehman's response to the events on September 11th showed that a smart, empowered and flexible organisation can be more important than a thoroughly detailed but unworkable plan. This is not to say that one should not plan; on the contrary, von Moltke, being a career military officer, understood the importance of planning and preparation. But what he also knew, and what all good BCP professionals must know, is that every incident is different and one must be prepared to change one's response to events as they occur.

The importance of flexibility begins with response to the incident itself. Like most firms, Lehman has a number of teams that are activated to respond to an incident, including:

- incident management team: BCM, security, facilities and IT (this team is the first to respond to incidents);
- business management team: senior management of the firm, including all administrative officers and divisional BCP contacts;
- crisis communications team: corporate communications, employee relations and investor relations;
- technology response team: self-explanatory.

This is all standard stuff until one considers how this structure is employed. The response process is designed from the start to have the BCM group as the primary incident manager for all incidents (3). BCM is closely aligned with corporate security, and has a matrix reporting relationship to the global head of corporate security. In fact, the New York BCM office is co-located with the corporate security command centre. Security's role is of course to protect the human and physical assets of the firm; this is done by the 24/7 monitoring of video, sensors and external information sources. BCM's co-location with this group means that, during the business day, it is informed immediately of incidents that may affect the firm. After hours, the employees who staff the security console are trained to contact the BCM group directly and have access to all of their contact information. If the incident were to affect the security console itself, counterparts in London would take responsibility.

There is no complicated flowchart of when and how to notify BCM of an incident; there are no green, blue, yellow or red alarms. There is just a simple notification. It is then up to BCM to escalate and trigger the incident response process in whatever way is deemed appropriate; again, there is no rigid structure or colour-coded diagram, just measured response. There is of course an incident response document (35 pages at last count), but it is used as a reference rather than being used to dictate how to react. If escalation to the business is required, teleconference bridges would be used to quickly communicate and decide on a response strategy. Each business is then responsible for communicating this strategy to its employees, who can then employ their personalised plans and remote access tools for a rapid and effective response.
CONCLUSION
To summarise the main points:

Seek to create a culture of resiliency, where accountability is co-located with authority and BCP components are integrated into day-to-day operations. Make every employee part of a plan, and make the plan accessible to them. Leverage the technology infrastructure. Bolster remote access solutions through constant awareness and training. Look for internal technology competencies that can integrate the BCP model with corporate data. Be prepared to improvise. Creating a culture of resiliency where employees are able to respond quickly to incidents using familiar tools containing real-time data creates a model that lends itself to the required flexibility.


Lehman Brothers is not the sole owner of this new perspective on business continuity. Indeed, many financial services industry workers are adopting some of the same new strategies and tactics. But many, especially those who have not recently faced a catastrophic event, are still diligently creating the 'big red BCP binder', and putting it on the shelf to collect dust. By describing the sea change that occurred at Lehman, it is hoped that readers will look at business continuity from a fresh perspective and glean some ideas for improving their own programmes; and maybe start throwing out their red binders.

REFERENCES
(1) Heraclitus (c. 535–475 BC), in Davenport, G. (trans.) (1976) 'Herakleitos and Diogenes', pt. 1, fragment 23, Grey Fox Press, Eugene, OR.
(2) Shafritz, J. M. (1990) 'Words on War: Military Quotations from Ancient Times to the Present', Prentice Hall, New York, NY.
(3) In this paper, the term 'incident' is used to refer to an event that does or may have the ability to significantly affect business operations. It is not used to describe typical operational incidents involving system failures or routine outages.
