Business continuity may be seen as an afterthought or 'added extra', but in truth it lies at the heart of good business practice. As organisations become more connected in this increasingly networked world, the vulnerabilities they face are changing and growing.
The risks they must deal with are different, and they need to be prepared. Business continuity plans and processes ensure that organisations can minimise the impact of any disruption or attack; leverage their IT systems and processes; and comply with regulatory requirements.
Business continuity is not a dark art – the numbers and statistics exist to show that investment in this field is both worthwhile and necessary. The Business Continuity Institute in the UK stated in a recent report that, within 13 months of suffering a critical data loss, 80 per cent of enterprises went out of business. At the end of 2004, analyst group Computer Economics estimated $6.25 billion of damage had been caused by the Netsky and Sasser computer worms – to organisations that included the UK Coastguard, Heathrow Airport and the European Commission. And, even before the Sarbanes-Oxley Act existed, five Wall Street firms had been fined a total of US$8.25m for violating SEC rules that require 'business-as-such' e-mails to be preserved for three years.
One cost of downtime or business interruption that is often underestimated is the potential damage to a company's reputation. Service management company Tertio SMS recently announced the results of a survey that highlighted the potential danger to big business of even a minor technology-based service failure. It found that 23 per cent of the UK population is unable to use services, such as cash machines, mobile phone networks or the internet, on at least one occasion each week.
An average of one in ten people encounter problems on a daily basis – and half of consumers that do have difficulties blame the company delivering the service for technology mishaps, regardless of whether they are at fault or not. IT failures can have a significant impact on a business's reputation.
Furthermore, management consultants at McKinsey & Co. say that managing risk successfully provides a clear return on investment, with over 80 per cent of investors saying they would pay 18 per cent more for shares in a well-governed company.
When it comes down to it, business continuity really is all about good governance and making sure your company is prepared. Implementing a business continuity plan shouldn't start and finish with technology – it must consider the bigger picture, including everything from operations and behaviours to policies and objectives, in order to take a total view of the company.
As well as looking at the company, the team implementing the business continuity plan must take a broad view of the risks faced by the organisation: an IT disaster could do a lot of damage to the business, but so could local road closures or bad weather that prevent employees getting into work. You can see that business continuity requires the management to fully understand the organisation, and every element within it.
This is why using a third party can be beneficial for some organisations. Because they are so familiar with their own business and how it functions, internal teams will often make assumptions that external consultants will question. The 'outsiders' will look at a company from the top down and have the advantage of being able to bridge all the information and operational silos that are often created within the enterprise. For example, the team responsible for servers may have assumed that the individuals responsible for networking have built resilience into things like circuits, when in reality they haven't. All the unknown elements must be considered if business continuity is to stand a chance at success.
When looking for consultants to help them write and implement a business continuity plan, organisations should look for experts who will also help outline a technology solution and go through a benchmarking exercise with the relevant vendors. However, what they mustn't do is specify how things should be done: they should offer all the options, spell out the pros and cons, and give recommendations.
For many organisations, business continuity plans can be seen as a significant market enabler. Viewed strategically, business continuity offers organisations real advantages, enabling them to become more agile and more efficient, with the reduced risk of failure at times of change and transformation.
For business continuity to be effective, all procedures in place need to be tested and retested regularly. A recent CSO Magazine survey on business continuity in the US showed that, while an overwhelming majority (93 per cent) of US companies had a business continuity plan in place, only 37 per cent had tested it in a real-life situation. In today's world, this is no longer acceptable.
One example that reiterates the importance of testing is the UK-based company that had a plan which had been signed off by all its business continuity people and the CEO. But it involved moving 3,000 people from London's Docklands business district to a recovery centre in North London in thirty minutes. That is just over 17 km, through the heart of one of the busiest cities in Europe, in under half an hour. This was spotted by the external consultants before it was finally rolled out – but it highlights the type of problem that testing could solve.
Companies shouldn't only find out if their business continuity plans are reliable when something goes wrong or if they are involved in a major incident. They need to have plans and procedures in place that have been comprehensively tested, and they must ensure that everyone knows exactly what to do if disaster strikes. These plans should be so well-coordinated and rehearsed that they become business as usual. It's generally accepted that even the most meticulously planned new systems and procedures do not survive their first exposure to reality intact, and business continuity is no exception.
There is little doubt that no matter what plans you have in place or how much due diligence you have gone through, you cannot eradicate risk entirely. To be effective at managing your business continuity plans you should be thinking about risk all the time. Attention to detail is vital: every stone must be turned and every procedure proven. Companies must dedicate specific resource to this work because it takes both time and effort, but business continuity helps ensure that the organisation is compliant, rationalised and optimised – benefits that no company should ignore.