While many enterprises are still struggling to get the basics
right, others see long-term strategic ties between business
continuity and business agility. In this complicated business
environment, there is more to avoid than the trinity of fanatics,
floods and flu.
Business continuity has recently become a popular topic of
conversation. Polarised by terrorist attacks, accidents and extreme
weather, companies are recognising peril from many directions.
The London Underground bombings and the flooding of middle England
in the summer of 2007 are good
examples of the need for business continuity. You must safeguard
your operations or risk catastrophic business failure.
Business continuity is not just about putting a few
back-ups in place. Certainly, back-ups are fundamental, but
people interpret business continuity differently, says Mark
Chaplin, senior research consultant at the Information Security
Forum (ISF). "How do you either prevent something from
happening? If it does happen, how do you ensure that the business
continues to operate?"
Legal dynamite
To state the obvious, unplanned and detrimental events do
happen, sometimes more than once. When the IRA's Baltic Exchange
bomb exploded in 1992, it denied access to staff working at
international law firm Norton Rose. On 24 April 1993, another IRA
bomb blasted the heart from the City, damaging Norton Rose's
building.
Twelve years later, on 7 July 2005, the suicide bomb at Aldgate
tube station disrupted workers and tourists all across London,
including personnel trying to get to work at Norton Rose.
"The bigger bomb at Bishopsgate damaged much of the building and
there were structural issues that had to be looked at before people
were allowed back in," explains Norton Rose IT director, Jeff
Roberts.
Roberts is responsible for over 2,000 users worldwide,
connecting to 400 physical servers. A total of 850 BlackBerry users
employ laptops with remote access facilities, so the decision to
move all live data to a remote site was bound to challenge the
smooth running of the business. Planning was essential.
Norton Rose commissioned a datacentre in an old telephone
exchange in Uxbridge. The external datacentre was built and
went live in late January 2007. Roberts says it is important to run
a phased project, to resist the temptation to do too much at once,
and to take care that systems are working between each move.
Within a year, the justification for such a move was proved when
a burst water main on Tooley Street on 27 April 2008 closed City
Hall and cut power to the Norton Rose head office for two days.
While staff worked remotely from home or wireless hotspots, the
company lost no billing time at all. The remote production site,
commissioned as a business continuity measure, remained unaffected
and active while the disaster recovery site at head office was out
of action.
A simple back-up and restore would have been a catastrophe in
such an event. To remain operational in the face of such disabling
events takes planning, preparation and testing, says Alan Rodger,
senior research analyst at Butler Group.
"Your back-up strategy really affects the point to which you can
restore your business; even if you only back up your systems every
night. You have got all sorts of things to unwind; commitments made
to people, transactions, money to be repaid, things like that.
[It's helpful] even if you can find out what they actually are.
Your reputation can go badly astray, so there is justification for
the hot remote site facility which is active and ready to be used
when necessary."
Resilience built-in
Combine these factors with wide-ranging, global, enterprise
structures, often involving many business partners in any one
business process, and it is clear that often the complexity of
"restoring" a business process is greater than building in
resilience to events from the beginning.
Which is why modern business continuity attempts to put the
business process at the heart of continuity, and tries to prevent
the process from failing in the first place, says Bharat Thakrar,
head of business continuity portfolio practice for BT Global
Services.
When we talk about resilience, Thakrar asks whether businesses
are looking at it from an end-to-end perspective, or if it is a
case of each department taking responsibility for their own area
and not putting them together.
"Organisations are changing quite fast, bringing on new
partners, moving into new markets," Thakrar says. "We must
understand what is critical to each of the organisations that
support the overall business process. We need to make sure
diversity is built in, from the client and their customers, right
through the supply chain, all the way to the smaller organisations
in the chain."
Understanding which of your business processes are critical is
the first step, says Thakrar. It is then a matter of gauging the
exposure, should something go wrong, before measured and
appropriate steps can be taken to protect the process.
"You get an alignment of investment against exposure. There will
be some basic, common tactics which will help a number of
processes, and then there will be specific things for that
process," he says. "It is like a dialogue between business
continuity and the process owner: 'Are we agreed that this is the
level of protection we need?'."
Planning and testing
Putting the protection in place is not enough, according to
ISF's Chaplin. Business continuity plans must be thoroughly tested,
before disaster strikes. "I don't think C-level executives and
senior management are really aware of the effort required to set up
and maintain an effective business continuity capability. They do
not realise all the intricate aspects of being able to deal with a
major incident, and quite often these are discovered during
testing."
This ties in with Thakrar's experience. "Companies are still
failing the basics," he says. "Patches are not updated, hardware
keeps failing-over; in a crisis organisations do not know what the
first step to take is. If you suffer an incident, your reputation
can go down the pan."
Thakrar emphasises the need for testing. "Testing comes at the
end of the chain and it tells you what is not working. Businesses
will flash a business continuity plan in front of you, but when you
ask, 'When did you conduct your last test, what did you find, and
have you got a corrective action plan?', they will stare into a
blank space," he says.
A marriage with business agility
There are moves afoot to make business continuity more of a
business governance issue, and even the subject of regulation
(where it is not yet subject to compliance measures, as in
financial dealings).
According to The Pitt Review: Learning the Lessons of the 2007
Floods, an
independent report commissioned by the government, some 55,000
properties were flooded and 30,000 businesses made an insurance
claim of some sort. The total bill for these claims will be in the
region of £3bn. The review recommended the creation of a national
framework to reduce the risks to the delivery of services. This
should include the introduction of mandatory business continuity
planning for critical providers.
While this will cover strategic utilities and infrastructure,
the insurance industry will raise the profile elsewhere. "In the
past, insurance companies have made scant enquiries over the
business continuity plan a business may have," says Ed Jones,
managing director of Thinking SAFE. "However,
since the floods of summer 2007, much more emphasis has been put on
verifying the plans, and if a company cannot provide enough
evidence that they are prepared, there seem to be two options. The
first is that the company will not be offered consequential loss
insurance until they can. The second is that insurance will be
offered at a higher cost. We have heard tales of premium rate
increases of up to 300% year on year."
Ultimately, Thakrar sees the practice of business continuity and
business agility combining, possibly even under one umbrella. If a
company is exposed to economic risks in one jurisdiction, it makes
sense to be able to switch where and how a business process
operates to avoid the risk, perhaps overnight or even instantly,
just as if there had been a continuity event, like a flood.
Such strategic planning must be done right from the start of a new
business process, however, not retro-fitted when business continuity
is later considered. "Organisations must be responsive because we
don't know what the future threats are going to be. You build
agility and responsiveness into your business. It is almost like a
side issue from business continuity; business continuity is a side
benefit from it," says Thakrar.
Guarantee business as usual
All things considered, the business continuity basics must still
be covered, but currently organisations, particularly mid-range and
smaller firms, are failing in this regard. ISF's Chaplin says that if
continuity is interrupted, businesses should conduct a
post-incident review, assess and evaluate what happened and why it
happened, then feed the results back in to enhance their
capability.
He adds that business continuity planning should not be done
because auditors or regulators are telling you to, but because you are
protecting your business. "Ask yourself, 'How can we ensure we are
competitive, an effective organisation and can continue operating
24/7 in the event of something happening?'."