Business continuity spotlight falls on SMEs

The London bombings have raised fresh concerns that small and medium-sized enterprises are failing to plan for unexpected disruptions to their business.

The London bombings have raised fresh concerns that small and medium-sized enterprises are failing to plan for unexpected disruptions to their business.

Although many FTSE companies have plans in place and test them regularly, SMEs are seen increasingly as the weakest link in supply chains.

In particular, SMEs will come under pressure to show they have thought about the business continuity of their IT systems. IT managers will have to consider data back-up systems, whether their firms need to duplicate their equipment at emergency back-up centres, and how staff could be given access to central IT systems if buildings became inaccessible.

Earlier this month James Hart, commissioner of the City of London police, warned that 50% of firms in the City were ill prepared for the disruption caused by a terrorist attack. His comments have raised fears that even small companies not targeted directly by terrorists could be forced out of business if they find access to premises blocked following an attack. A closure for just a week could be fatal to a low-profit-margin business.

Pressure from larger businesses, regulators, insurers and the development of a new business continuity standard will make it more difficult for smaller firms to ignore business continuity in the future.

Tim Cracknell, delivery manager for insurance broker Marsh's business continuity management service, said insurers first began asking more questions about business continuity planning following the attacks on the World Trade Center in New York.

"Information was king after 9/11. Insurers became a lot more selective as to what they were going to offer. They wanted to have only the best risks on their books. They wanted clients to demonstrate they had robust contingency plans. They wanted evidence of testing," he said.

After the London bombings, insurers' interest in business continuity planning has grown, said Cracknell. And although the cost of business continuity cover has fallen, insurers will increasingly question companiesÕ business continuity planning when the market picks up again.

Regulatory compliance in the financial sector has prompted a series of initiatives among financial organisations to improve the business continuity plans of their critical suppliers.

The Bank of England and the Treasury are working with 60 City organisations on the Resiliance Benchmarking Project, which aims to assess how the UK's financial system would react to a major disruption.

Lloyd's insurance market is reviewing all 44 Lloyd's managing agents and working with them to ensure they have emergency plans in place.
In the retail sector, the major supermarkets, including Asda and Tesco, have been working with their critical suppliers to assist them in developing business continuity plans.

Sainbury's is planning a major business continuity drive following a pilot with its IT and store equipment suppliers this year. It now plans to focus on the business continuity plans of the top suppliers delivering goods for sale in its stores.

Steve Mellish, Sainsbury's head of business continuity, said, "We will be asking what their current capability is, whether they have business continuity plans and disaster recovery, do they cover IT, loss of a crucial location, etc. If we get something back saying 'no we do not have cover for IT' we will be talking to them very quickly."

Sainsbury's programme is collaborative and involves working with suppliers to improve their business continuity plans, rather than penalising them when their plans are lacking. But the supermarket is considering making business continuity planning a condition in new contracts with future suppliers.

In the public sector, the Civil Contingencies Act will make it compulsory for all local authorities, police, fire and ambulance services to put continuity plans in place by the end of the year. The act will have knock-on effects for SMEs. Local authorities will expect them to demonstrate that they have business plans in place.

Wayne Harrop, business continuity officer at Wakefield Metropolitan City Council, said his authority would be seeking assurances from its critical suppliers that they have plans in place to survive an emergency. The council is focusing both on developing business continuity plans for the council as a whole and on developing business continuity plans for specific council services.

Harrop is working with business managers in the council to identify the most critical suppliers from the 19,000 it does business with. "We are trying to identify the critical suppliers. We are putting together an emergency clause for all future contracts. It will say what we expect the suppliers to do at short notice, if there is an emergency," he said.

Until now there has been no readily accepted benchmark for business continuity planning. But this will change next year when the British Standards Institute publishes the first formal business continuity standard.

Once it is established, the standard could be taken up quickly by larger firms as a minimum benchmark for the smaller firms that supply them.
"I think it will make a big change across the whole spectrum," said Cracknell. "There will be those who measure up against the new standard, and get a British Standard on their letterhead. It will become a true standard and businesses will be asking whether you are accredited."

The BSI has set up a committee of representatives from large and small firms to finalise the new standard, which will be based on the BSI's PAS 56, an informal business continuity standard, and other international standards from the US and the Far East.

Larger companies are using PAS 56 as a guideline for their own business continuity planning. But it has been criticised as being too complex for smaller firms. The new standard is expected to be simpler.

In the meantime, the BSI is working with the London Resiliance Group to develop a simpler version of PAS 56 for smaller companies, which is expected to become available later this year.

Nicki Dennis, head of risk market development at BSI, said the institute wanted to end the myth that that business continuity was expensive. "Firms are probably doing a lot of it anyway without realising," she said.

The National Counter Terrorism Security Office is trying to encourage more SMEs firms to take business continuity planning more seriously. The organisation is working with trade associations to show small firms there is a sound business case for establishing business continuity plans.

Richard Flynn, business liaison officer at the National Counter Terrorism Security Office, said, "People that have thought about business continuity planning will have a commercial advantage over those that have not thought about it. Large companies are much more likely to place contracts with companies that can show they have thought about it. We have seen this quite a lot."

Read more on IT risk management