July/August 2006 issue
Staying power

Mick James
Business continuity is what it's all about. Here are some
new ideas on the oldest topic in business.
Fire, flood, famine, disease - it seems the world is becoming a more
dangerous place. For once the facts back it up. According to the
University of Louvain's Centre for Research on the Epidemiology
of Disasters (CRED) there were 360 natural disasters in 2005, up
from 305 the year before.
Combined with very real threats from avian 'flu and terrorism, the
headlines have brought business continuity to the top of the business
agenda once more. Last year, a survey of UK businesses by accountants
Deloitte & Touche found that more than 83% of businesses had
corporate business continuity plans, which seems impressive at first
glance.
But how relevant are these continuity plans to today's changed circumstances?
A more recent survey by the London Chambers of Commerce found that
only 30% of the capital's firms had updated their contingency plans
in the light of bird 'flu, and still fewer had tested them. So,
is business continuity keeping pace, not just with the changing
threat landscape, but the changing realities of business?
“Traditionally the focus of business continuity has been about
seeking out the likely vulnerabilities, the single point of failure,”
says Justin Clarke, senior consultant with BT's business continuity
practice. “Now our means of production have changed - it's not
necessarily a riskier world but the nature of the risk has shifted.
It's no longer the manufacturing plant that's vulnerable, it's the
just-in-time systems.”
Clarke believes that networked IT should no longer be seen as just
part of the risk but as an enabler of business continuity. “We
have all these devices - telephones, the internet, PDAs, faxes,”
he says. “If you know you depend on them, you can build in
the resilience. Then you can elevate them and make them part of
the business continuity plan.”
Social distance
With 'social distancing' measures - closing offices and schools and
restricting travel - a distinct possibility in the event of a 'flu
pandemic, traditional recovery plans may be outflanked by the sheer
inability to get people together in one place. Remote working could
then come into its own, provided companies have already taken the
time to establish the training, infrastructure, security and health
and safety measures associated with it.
“You can't just expect this to work at the flick of a switch,”
says Clarke. “We don't want people to buy a 'pandemic 'flu
solution' that just sits there and when the 'flu hits you hit the
switch.”
Instead, businesses need to start building remote working into their
everyday working lives and enjoying all the benefits that flow from
it, whether disaster occurs or not.
“If something does happen, people can be more flexible,”
says Clarke. “After the London bombings, people could have
got back to work the next day, although it would have been difficult.
But people didn't want to. With the option to work from home the
company can consider in a more compassionate manner the psychological
effects of the disaster on people.”
Remote working obviously brings with it security and vigilance issues.
This is why firms such as banks have frowned on it. But now, for
example, it is feasible to extend call-recording economically to
remote locations. Security measures that separate ID processes from
the underlying technology, such as log-in via mobile phone, can
make even an internet café a reasonably secure environment.
Clarke believes this is a real opportunity for security professionals
to embed effective security measures in the organisation. “All
too often security professionals are told to go off and do something
about security, but when they come back and say it will cost this
much and cause this much disruption, they're told to get lost,”
he says. “But using business continuity disciplines, analyzing
the impact of losing various functions, they can build an investment
case for security measures.”
Chris Mayers, information security architect at Citrix, agrees. “This
is a big opportunity for IT security professionals to step up here,”
he says. “A well-run IT security organisation has a lot to
offer here. They understand how the business processes work, and
if they are well plugged-in to how the business works they will
know how to keep it running.”
This may involve taking on additional responsibilities, such as
physical security. “You can see how, under disaster conditions,
physical security is a real problem. But you also have to look at
the physical security in the back-up location,” he says.
“Crisis management means thinking creatively about how to
deal with the unforeseen. When things don't pan out as you expected,
you may need more general solutions. There's a need for awareness
not just about what keeps IT running but what keeps the business
running as a whole.”
This means thinking about continuity, not as a one-off project,
but a process that becomes part of the fabric of the organisation.
“Some people still look at it as having a crisis policy,
but some companies have turned the corner and it's now pervasive
in the culture of everything they do,” says Brian O'Gilvie,
business continuity and availability solutions manager for Hewlett-Packard's
EMEA division.
Keep on trucking
Many organizations have realized that continuity is now an integral
part of the way they do business. O'Gilvie cites the work that Barclaycard
has put into its authorization system, or DHL's promise to customers
that they can track their packages worldwide, 24/7.
“Businesses are geared differently; this is now about competitive
advantage, about having the people and the systems and the process
to be the smartest operator in your market,” he says.
And this is not just about surviving the major catastrophes. “An
outage that may last a week is seen as really risky,” he says.
“But how many times are you down for operator error or virus
threats or even maintenance? That's all seen by the customer as
a pain in the neck. By the time you add up all these disruptions
you realize they are killing you.”
This sort of customer-focused thinking is key to getting risk back
onto the C-level agenda. “We don't talk so much about risk
as the enablement of trust. This is what contributes to business
value,” says Mark Jones, director of Atos Origin's security
and risk practice. That means the appropriate management of risk
so that trust isn't compromised.
He cites as an example the Gate Gourmet industrial dispute and its
knock-on effects at both BAA and BA. “The provision of sandwiches
isn't core to BA. The disaster recovery specialists didn't look
at Gate Gourmet, but look at the actual impact on BA. It was enormous,
and it was all about the undermining of trust.”
With more and more services outsourced or subcontracted, the interdependence
of companies means that the focus of business continuity has moved
out into supply chain relationships. It's not enough to have contracts
that allow you to sue or prosecute suppliers when the consequences
of an interruption in supply can be many times any likely damages
or fine.
Supply chain
As continuity of supply becomes more and more crucial, business
continuity becomes a matter of good governance internally and competitive
advantage externally. “Companies are missing a trick if they
don't look at the supply chain in terms of business continuity,”
says Jones. “Business continuity gives suppliers the opportunity
to say, we have appropriate measures in place, we've had them audited,
your services are safe and we will continue to be a reliable supplier.”
Despite the increasing interdependence of businesses, many continuity
plans are developed in isolation - even in the sort of multi-tenanted
buildings commonly found in the City of London.
“If other businesses around you are confused, it can disrupt
your execution,” says Nick Beale, managing director of CitySafe,
the technology company that runs the CommunitySafe extranet. CommunitySafe
provides emergency planning information to London, and will soon
come to other cities.
“We try to engage with as wide a community as possible, and
we've set up a secure group system that allows organizations to
conduct anonymized exercises. So the head of a bank doesn't have
to come out in public and say, 'I don't know what to do about this'.”
The exercises solve the problem of getting senior staff together
to test continuity plans by sending out email 'injects'. These are
updates on an unfolding disaster scenario. Members of the group
can walk through their responses when they have an opportunity.
This is backed up by chatrooms and an 'ask the expert' facility.
“It's often very hard to get to the right person to inform
the actual plan,” says Beale. “The system fields a question,
for example about access to power or water and so forth, feeds it
to an expert and it's captured in a FAQ.” The idea is to harness
best practices and then disseminate them to smaller organizations in
more digestible form.
“The further down the scale you get the less is done in terms
of business continuity,” says Beale. “We aim to capture
some of the best tips and tricks and push them out. The idea of
the exercise system is to share information and to get businesses
to engage with each other.”
About the author
Mick James is a freelance journalist who contributes to a number
of publications in the areas of management, consultancy, finance
and IT.