The London bombings have raised fresh concerns that
small and medium-sized enterprises are failing to plan for
unexpected disruptions to their business.
Although many FTSE companies have plans in place and test them
regularly, SMEs are seen increasingly as the weakest link in supply
chains.
In particular, SMEs will come under pressure to show they have
thought about the business continuity of their IT systems. IT
managers will have to consider data back-up systems, whether their
firms need to duplicate their equipment at emergency back-up
centres, and how staff could be given access to central IT systems
if buildings became inaccessible.
Earlier this month James Hart, commissioner of the City of London
police, warned that 50% of firms in the City were ill prepared for
the disruption caused by a terrorist attack. His comments have
raised fears that even small companies not targeted directly by
terrorists could be forced out of business if they find access to
premises blocked following an attack. A closure for just a week
could be fatal to a low-profit-margin business.
Pressure from larger businesses, regulators, insurers and the
development of a new business continuity standard will make it more
difficult for smaller firms to ignore business continuity in the
future.
Tim Cracknell, delivery manager for insurance broker Marsh's
business continuity management service, said insurers first began
asking more questions about business continuity planning following
the attacks on the World Trade Center in New York.
"Information was king after 9/11. Insurers became a lot more
selective as to what they were going to offer. They wanted to have
only the best risks on their books. They wanted clients to
demonstrate they had robust contingency plans. They wanted evidence
of testing," he said.
After the London bombings, insurers' interest in business
continuity planning has grown, said Cracknell. And although the
cost of business continuity cover has fallen, insurers will
increasingly question companiesÕ business continuity planning when
the market picks up again.
Regulatory compliance in the financial sector has prompted a series
of initiatives among financial organisations to improve the
business continuity plans of their critical suppliers.
The Bank of England and the Treasury are working with 60 City
organisations on the Resiliance Benchmarking Project, which aims to
assess how the UK's financial system would react to a major
disruption.
Lloyd's insurance market is reviewing all 44 Lloyd's managing
agents and working with them to ensure they have emergency plans in
place.
In the retail sector, the major supermarkets, including Asda and
Tesco, have been working with their critical suppliers to assist
them in developing business continuity plans.
Sainbury's is planning a major business continuity drive following
a pilot with its IT and store equipment suppliers this year. It now
plans to focus on the business continuity plans of the top
suppliers delivering goods for sale in its stores.
Steve Mellish, Sainsbury's head of business continuity, said, "We
will be asking what their current capability is, whether they have
business continuity plans and disaster recovery, do they cover IT,
loss of a crucial location, etc. If we get something back saying
'no we do not have cover for IT' we will be talking to them very
quickly."
Sainsbury's programme is collaborative and involves working with
suppliers to improve their business continuity plans, rather than
penalising them when their plans are lacking. But the supermarket
is considering making business continuity planning a condition in
new contracts with future suppliers.
In the public sector, the Civil Contingencies Act will make it
compulsory for all local authorities, police, fire and ambulance
services to put continuity plans in place by the end of the year.
The act will have knock-on effects for SMEs. Local authorities will
expect them to demonstrate that they have business plans in
place.
Wayne Harrop, business continuity officer at Wakefield Metropolitan
City Council, said his authority would be seeking assurances from
its critical suppliers that they have plans in place to survive an
emergency. The council is focusing both on developing business
continuity plans for the council as a whole and on developing
business continuity plans for specific council services.
Harrop is working with business managers in the council to identify
the most critical suppliers from the 19,000 it does business with.
"We are trying to identify the critical suppliers. We are putting
together an emergency clause for all future contracts. It will say
what we expect the suppliers to do at short notice, if there is an
emergency," he said.
Until now there has been no readily accepted benchmark for business
continuity planning. But this will change next year when the
British Standards Institute publishes the first formal business
continuity standard.
Once it is established, the standard could be taken up quickly by
larger firms as a minimum benchmark for the smaller firms that
supply them.
"I think it will make a big change across the whole spectrum," said
Cracknell. "There will be those who measure up against the new
standard, and get a British Standard on their letterhead. It will
become a true standard and businesses will be asking whether you
are accredited."
The BSI has set up a committee of representatives from large and
small firms to finalise the new standard, which will be based on
the BSI's PAS 56, an informal business continuity standard, and
other international standards from the US and the Far East.
Larger companies are using PAS 56 as a guideline for their own
business continuity planning. But it has been criticised as being
too complex for smaller firms. The new standard is expected to be
simpler.
In the meantime, the BSI is working with the London Resiliance
Group to develop a simpler version of PAS 56 for smaller companies,
which is expected to become available later this year.
Nicki Dennis, head of risk market development at BSI, said the
institute wanted to end the myth that that business continuity was
expensive. "Firms are probably doing a lot of it anyway without
realising," she said.
The National Counter Terrorism Security Office is trying to
encourage more SMEs firms to take business continuity planning more
seriously. The organisation is working with trade associations to
show small firms there is a sound business case for establishing
business continuity plans.
Richard Flynn, business liaison officer at the National Counter
Terrorism Security Office, said, "People that have thought about
business continuity planning will have a commercial advantage over
those that have not thought about it. Large companies are much more
likely to place contracts with companies that can show they have
thought about it. We have seen this quite a lot."