This time around, inadequately prepared companies had few to blame except themselves and the power companies. But the picture could be significantly different as utility computing becomes widespread. Which raises the question – who is responsible if a business suffers losses because its utility computing provider experiences a shutdown, and how can utility computing customers protect themselves?

To analyze the issue, let’s start with an understanding of what experts are suggesting their clients do to protect in-house resources – precisely the focus of a recent Ernst & Young webcast entitled “Blackout 2003: Loss, Recovery and Business Continuity.”

The high cost of disaster

As businesses have learned all too well in the past two years, disaster can come in many forms and strike devastating blows with little warning. The 9/11 terrorist attacks, the blackouts of 2003, weather events including hurricanes, tornadoes and floods, devastating worm and virus attacks, demonstrations and strikes that block access to facilities, earthquakes, workplace violence – the list is seemingly endless.

The repercussions of these events can be devastating – loss of productivity, damage to plant and equipment, increased costs that lower profits, loss and corruption of data, devaluation of stock price, and corporate and executive liability issues are but a few of the damages identified in the E&Y program. The latest estimate on the cost of the U.S. power blackout, for example, now stands at between $4 billion and $6 billion.

When a company owns and manages its own computing resources, the challenges of planning for a disaster – while inherently complex – also are pretty straightforward. The E&Y experts – Carl Marano of the firm’s Real Estate Advisory Services, Suzanne Ray of its Business Continuity and Availability Practice and Daniel Torpey, practice leader specializing in insurance claims – advise starting with the basics.

For example, they suggest that the first step should be to determine what processes are critical to continued operations. Then look at what it will take to back up those operations and decide if the investments are worth the losses they will avert. It is unlikely most companies will be able to protect everything they would like to, which means setting priorities. Look into UPS and backup generator capacity, considering how long it will need to operate (be sure to have enough to at least accomplish a smooth system shutdown).

Evaluate your data backup system; is it adequate to cover your operation for an extended period? Has it been tested and serviced regularly? Do you have a way to get to your data if you can’t physically access your plant or if your main systems are out of operation or destroyed? Do you have ways to contact and communicate with customers, suppliers, and employees even if your primary contact files and communication systems are lost? Do you have the proper riders on your insurance to cover you for losses if all of your preparations still aren’t enough?

Utility computing tradeoffs

Some of these issues get easier to handle if your systems are not on-site or are operated by others, as might be the case with utility computing arrangements. Others become more difficult. Consider the blackout scenario as a specific example.

A company located in New York City with a utility computing provider based in Dallas, Texas, likely would have been less severely impacted by the blackout that hit the Northeast U.S. than those companies with on-site facilities. PCs, of course, would continue to work only as long as the capacity of the on-site UPS backup system. But the data, safe in the utility computing network, would not be lost or corrupted by the outage. It also would remain available to users at remote sites unaffected by the blackout, allowing those operations to continue.

But what if the scenario were reversed? What if the utility were hit with a blackout while its clients were not? What then?

This raises the need for companies to carefully investigate not only their own emergency preparedness, but that of their utility computing providers as well. In doing so, companies should ask the same probing questions they ask themselves about the stability of on-site resources:

• What backup systems does the utility have?
• Does it maintain data in more than one location, ensuring that it is always available even if its main system goes down?
• Does it have adequate emergency power and UPS systems to complete a smooth transfer from one site to another?
• How often does it service and test its backup systems?
• Does it have enough backup capacity to cover fully cover all of its clients, or will it need to set priorities?

The questions will need to be expanded to cover other emergency situations, including hacker attacks, widespread illness (think SARS), worms and viruses and the like. Be creative. Murphy’s Law being what it is, the disaster you don’t prepare for is the one most likely to strike.

Limits and liabilities

And what if something goes wrong? If your utility computing provider’s failures cause you to lose revenues or customers, will its insurance coverage compensate your company? What deductibles and exclusions apply? What if your stock price is affected? Will it share in the liabilities of your directors and officers? Does it have the coverage and resources to make good on its commitments? How financially stable are its insurers?

As the recent spate of disasters makes clear, companies need to carefully plan for how to maintain operations and recover from disasters caused by a wide range of circumstances. As utility computing comes to the fore, that planning will need to extend beyond their own facilities, systems, employees and processes to those of their providers as well. Asking the tough questions now will help ensure that the answers you get when disaster strikes are ones you’ll be glad to hear.