While many enterprises are still struggling to get the basics right, others see long-term strategic ties between business continuity and business agility. In this complicated business environment, there is more to avoid than the trinity of fanatics, floods and flu.
Business continuity has recently become a popular topic of conversation. Polarised by terrorist attacks, accidents and extreme weather, companies are recognising peril from many directions.
The London Underground bombings and the flooding of middle England in the summer of 2007 are good examples of the need for business continuity. You must safeguard your operations or risk catastrophic business failure.
Business continuity is not just about putting a few back-ups in place. Certainly, back-ups are fundamental, but people interpret business continuity differently, says Mark Chaplin, senior research consultant at the Information Security Forum (ISF). "How do you either prevent something from happening? If it does happen, how do you ensure that the business continues to operate?"
To state the obvious, unplanned and detrimental events do happen, sometimes more than once. When the IRA's Baltic Exchange bomb exploded in 1992, it denied access to staff working at international law firm Norton Rose. On 24 April 1993, another IRA bomb blasted the heart from the City, damaging Norton Rose's building.
Twelve years later, on 7 July 2005, the suicide bomb at Aldgate tube station disrupted workers and tourists all across London, including personnel trying to get to work at Norton Rose.
"The bigger bomb at Bishopsgate damaged much of the building and there were structural issues that had to be looked at before people were allowed back in," explains Norton Rose IT director, Jeff Roberts.
Roberts is responsible for over 2,000 users worldwide, connecting to 400 physical servers. A total of 850 BlackBerry users employ laptops with remote access facilities, so the decision to move all live data to a remote site was bound to challenge the smooth running of the business. Planning was essential.
Norton Rose commissioned a datacentre in an old telephone exchange in Uxbridge. The external datacentre was built and went live in late January 2007; Roberts says it is important to run a phased project, resisting the temptation to do too much at once and taking care that systems are working between each move.
Within a year, the justification for such a move was proved when a burst water main on Tooley Street on 27 April 2008 closed City Hall and cut power to the Norton Rose head office for two days. While staff worked remotely from home or wireless hotspots, the company lost no billing time at all. The remote production site, commissioned as a business continuity measure, remained unaffected and active while the disaster recovery site at head office was out of action.
A simple back-up and restore would have been a catastrophe in such an event. To remain operational in the face of such disabling events takes planning, preparation and testing, says Alan Rodger, senior research analyst at Butler Group. "Your back-up strategy really affects the point to which you can restore your business; even if you only back up your systems every night. You have got all sorts of things to unwind; commitments made to people, transactions, money to be repaid, things like that. [It's helpful] even if you can find out what they actually are. Your reputation can go badly astray, so there is justification for the hot remote site facility which is active and ready to be used when necessary."
Combine these factors with wide-ranging, global, enterprise structures, often involving many business partners in any one business process, and it is clear that often the complexity of "restoring" a business process is greater than building in resilience to events from the beginning.
This is why modern business continuity attempts to put the business process at the heart of continuity, and tries to prevent the process from failing in the first place, says Bharat Thakrar, head of business continuity portfolio practice for BT Global Services.
When we talk about resilience, Thakrar asks whether businesses are looking at it from an end-to-end perspective, or whether each department is taking responsibility for its own area without putting them together.
"Organisations are changing quite fast, bringing on new partners, moving into new markets," Thakrar says. "We must understand what is critical to each of the organisations that support the overall business process. We need to make sure diversity is built in, from the client and their customers, right through the supply chain, all the way to the smaller organisations in the chain."
Understanding which of your business processes are critical is the first step, says Thakrar. It is then a matter of gauging the exposure, should something go wrong, before measured and appropriate steps can be taken to protect the process.
"You get an alignment of investment against exposure. There will be some basic, common tactics which will help a number of processes, and then there will be specific things for that process," he says. "It is like a dialogue between business continuity and the process owner: 'Are we agreed that this is the level of protection we need?'."
Planning and testing
Putting the protection in place is not enough, according to ISF's Chaplin. Business continuity plans must be thoroughly tested, before disaster strikes. "I don't think C-level executives and senior management are really aware of the effort required to set up and maintain an effective business continuity capability. They do not realise all the intricate aspects of being able to deal with a major incident, and quite often these are discovered during testing."
This ties in with Thakrar's experience. "Companies are still failing the basics," he says. "Patches are not updated, hardware keeps failing-over; in a crisis organisations do not know what the first step to take is. If you suffer an incident, your reputation can go down the pan."
Thakrar emphasises the need for testing. "Testing comes at the end of the chain and it tells you what is not working. Businesses will flash a business continuity plan in front of you, but when you ask, 'When did you conduct your last test, what did you find, and have you got a corrective action plan?', they will stare into a blank space," he says.
A marriage with business agility
There are moves afoot to make business continuity more of a business governance issue, and even the subject of regulation (where it is not yet subject to compliance measures, as in financial dealings).
According to The Pitt Review: Learning the Lessons of the 2007 Floods, an independent report commissioned by the government, some 55,000 properties were flooded and 30,000 businesses made an insurance claim of some sort. The total bill for these claims will be in the region of £3bn. The review recommended the creation of a national framework to reduce the risks to the delivery of services. This should include the introduction of mandatory business continuity planning for critical providers.
While this will cover strategic utilities and infrastructure, the insurance industry will raise the profile elsewhere. "In the past, insurance companies have made scant enquiries over the business continuity plan a business may have," says Ed Jones, managing director of Thinking SAFE. "However, since the floods of summer 2007, much more emphasis has been put on verifying the plans, and if a company cannot provide enough evidence that they are prepared, there seem to be two options. The first is that the company will not be offered consequential loss insurance until they can. The second is that insurance will be offered at a higher cost. We have heard tales of premium rate increases of up to 300% year on year."
Ultimately, Thakrar sees the practice of business continuity and business agility combining, possibly even under one umbrella. If a company is exposed to economic risks in one jurisdiction, it makes sense to be able to switch where and how a business process operates to avoid the risk, perhaps overnight or even instantly, just as if there had been a continuity event, like a flood.
Such strategic planning must be done right from the start of a new business process, however, not retro-fitted when business continuity is later considered. "Organisations must be responsive because we don't know what the future threats are going to be. You build agility and responsiveness into your business. It is almost like a side issue from business continuity; business continuity is a side benefit from it," says Thakrar.
Guarantee business as usual
All things considered, the business continuity basics must still be covered, but currently organisations, particularly mid-range and smaller firms, are failing in this regard. ISF's Chaplin says that if continuity is interrupted, businesses should conduct a post-incident review, assess and evaluate what happened and why it happened, then feed the results back in to enhance their capability.
He adds that business continuity planning should not be done because auditors or regulators are telling you, but because you are protecting your business. "Ask yourself, 'How can we ensure we are competitive, an effective organisation and can continue operating 24/7 in the event of something happening?'."