Your trading partners' plans for business continuity can be as vital as your own. Arif Mohamed looks at positioning yourself for maximum competitive edge
Good business continuity planning can give a company an edge over its competitors. Apart from the assurance that the business will run regardless of natural disasters or external hacker attacks, a company with a good plan can use it as a selling point.
In fact, customers have driven the requirement for good business continuity planning over the past few years, says Gartner research vice-president Simon Mingay. "One of the biggest drivers has been that customers have asked: 'Have you got a plan? Show me the plan. What is the scope of it and how do you aim to keep it up to date?'."
Mike Stichbury, head of business continuity services at BT Business, says, "We frequently come across small and medium-sized companies that are asked for copies of their business continuity plans by clients who want to be assured they have sufficient procedures in place to protect against interruption to service."
Mingay says most companies are alerted to business continuity planning by a catalyst. "They might have an incident or a close call, or someone in the supply chain or a competitor has an incident, or a new executive comes in and decides to make it an issue. There could be a change in the regulatory regime, or an auditor who makes a comment, or a customer who starts asking questions," he says.
Mingay says the issue of business resilience concerns many customers, and is a particular worry in financial services, with life sciences and pharmaceuticals following closely.
One major benefit of business continuity planning is that companies stand to offer customers and potential customers assurance that their business is robust, which may be something their competitors cannot do.
Lorraine Lane, chief executive at business continuity user group Survive, says, "Business continuity planning gives a company competitive advantage in that customers and potential customers know that their services or products are reliably delivered, and that future service and upgrades can be counted on. Moreover, a business that has a business continuity plan in place will have shown its supply chain to be resilient, which means that raw materials or components are more likely to be well sourced. Poor supply chain resilience often leads to last-minute changes and lower quality products."
Business continuity planning can be a selling point for IT internally, and for the business externally, says Chris Stewart, technical consultant at EMC's Solutions Group, which offers business continuity consultancy.
"When you are looking at business continuity you want to make sure you are continuing to provide all the critical services the business relies on. IT services are one of those, but you are also going to have external services that you require from other companies, and you may be providing critical services to other businesses," he says.
With this in mind, an IT department will gain the edge if it can carry out risk assessments from planned or unplanned incidents and calculate how much data can be recovered and the time it will take, says Stewart.
In addition, the IT department will get the company's executives onside if it can demonstrate a methodology, showing design and best practice, implementations and testing, and recovery and failover plans, he says.
Industry-specific regulatory requirements, such as Sarbanes-Oxley, Turnbull and US healthcare legislation HIPAA, have acted as a significant catalyst for adopting a business continuity plan. Callum Sinclair, a solicitor with law firm Maclay Murray & Spens, says, "Certain bodies deemed vital to running the country, such as emergency services, the NHS and certain transport providers, are required to maintain continuity plans under the Civil Contingencies Act 2004.
"Beyond this, there are various additional industry rules and guidance which apply, to a greater or lesser extent, to financial services companies, PFI/PPP providers and others."
But what a company is required to do in terms of having a business continuity plan varies greatly by sector. In some sectors there are few regulations, and in others, such as financial services, requirements are manifold, says Richard Chapman, solicitor at law firm Berwin Leighton Paisner.
"Regardless of sector, directors always have to act in the best interests of the company, and take appropriate measures to protect the company's assets," he says. "One way is to take out an insurance policy to cover databases, communications or customer records. All businesses should see what appropriate ways there are to protect their assets."
One major issue surrounding business continuity is the involvement of business partners and suppliers, which often play a key role in the supply or business chain.
Medium-sized as well as large companies are increasingly integrating their IT systems into their partners' systems, says Mingay.
"Organisations are much more tightly integrated into a trading ecosystem, and IT is fulfilling much more of that role than it did previously. Information is now being largely transferred automatically through the supply chain," he says.
Companies should therefore demand from their suppliers a high level of preparation for interruptions to business. "Business interruptions will affect customers far more quickly than before," says Mingay. "You should be concerned about your own suppliers, and be asking more detailed questions about their business continuity planning. Just because they are big, do not assume they have a plan."
Lane says, "You should demand a complete supply chain analysis. Raw material tracking, proof of quality, hazard assessment of critical control points, quality of training, maintenance of machinery, quality control, speed of delivery, method of delivery, tracking of order, to name but a few.
"They should be able to prove what it is they make their product from, where components came from, and how they are made safely, skillfully and reliably."
Many companies rely on their business and outsourcing partners to be resilient, as their services are core to the business. Because of this, business continuity issues are often addressed within a contractual framework, to ensure the core business is able to continue if the partner goes down.
In creating a contractual framework for business continuity planning, Lane says, "Keep it simple and flexible and ensure you get the involvement and commitment from everyone in the business. You need to create the right organisational culture and adopt a holistic approach."
Chapman says, "In outsourcing transactions, you would commonly put in the contract that your supplier is required to have business continuity in place. You will also want to have a disaster plan in place that links in with yours."
Stichbury says, "To get the best possible protection, organisations need to consider which elements of their business and supply chain are mission-critical and the potential impact should one of these fail or be hindered in any way. Armed with this information it is easier to negotiate service level guarantees with subsequent compensation should your supplier's services fail."
Sinclair adds, "Where the strategy involves working with a partner - handling off-site IT back-ups and disaster recovery, for example - be certain the contract includes assurances in relation to service levels. These should include specific requirements for response times and service availability.
"However, it is also important to have a good working relationship with such partners, with regular meetings and updates to help foster in-depth knowledge of processes and systems.
"There are data protection implications around using a third party for disaster recovery, as the information held in off-site back-ups may fall within the remit of the Data Protection Act 1998. Details of any third-party providers should be included in information such as privacy statements and fair use notices."
Chapman says that where a disaster recovery location is situated abroad, transferring personal information across national boundaries may also have data protection implications, being subject to international data protection laws.
But Mingay says, "Regardless of onshore or offshore, the issue is the same. As we move towards outsourcing, from an IT point of view, organisations absolutely need to concern themselves with the business continuity and disaster recovery plans that the provider has, and not assume that because they are going with an external service provider, that they have made provision for them, if there is nothing in the contract.
"It is a common problem that people have made assumptions of the level of capabilities of their partner. It is not always the fault of the provider. It is sometimes the fault of the client, who is looking at ways they can take costs out of the deal, and that may involve reducing their business continuity. You pay for what you get."
Top threats to business continuity in 2005
- Data security failure, including viruses, denial of service attacks and unauthorised access
- Datacentre hardware or software failure
- Telecoms failure.
Source: business continuity user group Survive
Case study: Carphone Warehouse mirrors its datacentres
Retailer Carphone Warehouse wanted to ensure it had effective business continuity. It offered consumers services that required its communications network to be up and running around the clock, each day of the week.
Last year the company built a new datacentre that mirrored its core environment, but is also capable of running live services. Carphone Warehouse's infrastructure and operations director Attiq Qureshi, says the company now regularly switches key services between the sites, whenever they add capacity or carry out maintenance.
The firm signed a 10-year deal in September 2004 with business continuity service provider Globix to ensure the datacentre and its networks run at all times.
The contract included service level agreements that cover network performance at 99.99% uptime, hardware failure response, and round-the-clock application monitoring.
"I think it has given us a competitive advantage. We now have two large datacentres, so we can move between the sites. It has given us growth and raised the profile of business continuity systems in the business," says Qureshi.
Carphone Warehouse has an audit committee made up of some of its most senior executives, who are now very interested in the company's business continuity plans.
The company was required to communicate its capabilities and plans to telecoms regulator Ofcom. Carphone Warehouse also informed the Financial Services Authority, for insurance purposes.
"We were urged on by our insurers, and now that we have business continuity, we have got some fantastic savings on our insurance as a business," says Qureshi.
"From an insurance point of view, customers need to know that we can continue to provide telecoms services and billing, can activate a new phone and bar it if the phone is stolen, and can give them accurate and timely bills," he says.