Strategy Through Hell and high water Responsive business thrives on continuity. William Knight finds that the trick to uninterrupted business is testing continuity processes before disaster strikes While many enterprises are still struggling to get the basics right, others see long-term strategic ties between business continuity and business agility. In this complicated business environment, there is more to avoid than the trinity of fanatics, floods and flu. Business continuity has recently become a popular topic of conversation, which is hardly surprising. Polarised by terrorist attacks, accidents and extreme weather, companies are recognising peril in many directions. The London underground bombings and the flooding of middle England in the summer of 2007 are good examples of the need for business continuity. You must safeguard your operations or risk catastrophic business failure. Business continuity is not just about putting a few backups in place. Certainly, backups are fundamental, says Mark Chaplin, senior research consultant at the Information Security Forum (ISF), but people interpret business continuity differently. “Typically the term conjures up images of ‘what do I need to do in order that the business continues as it needs to in the event of anything happening?’ How do you either prevent something from happening, or if it does happen, how do you ensure that the business continues to operate?”
If you suffer an incident, the media thrust a microphone in your face and immediately your reputation is down the pan
Legal Dynamite To state the obvious, unplanned and detrimental events do happen, sometimes more than once. When the IRA’s Baltic Exchange bomb exploded in 1992, it denied access to staff working at international law firm Norton Rose. On 24 April 1993, another IRA bomb blasted the heart from the City, damaging Norton Rose’s building. Twelve years later on July 7 2005, the suicide bomb at Aldgate tube station disrupted workers and tourists all across London, including personnel trying to get to work at Norton Rose. “The bigger bomb at Bishopsgate actually damaged much of the building and there were structural issues that had to be looked at before people could be allowed back in,” explains IT director for Norton Rose, Jeff Roberts. Roberts is responsible for over 2 000 users worldwide, connecting to 400 physical servers. Eight hundred and fifty Blackberry users employ laptops with remote access facilities, so the decision to move all live
22
SEPTEMBER 2008
Bharat Thakrar, BT Global Services
STRATEGY data to a remote site was bound to challenge the smooth running of the business. Planning was essential. Norton Rose commissioned a data centre in an old telephone exchange in Uxbridge. “The external data centre was built and went live in late January 2007,” explains Roberts, but he says it’s important to run a phased project, and not be tempted to do too much at once, taking care that systems are working between each move. Within a year, the justification for such a move was proved when a burst water main on Tooley Street on 27 April 2008 closed City Hall and cut power to the Norton Rose head office for two days. While staff worked remotely from home or wireless hot spots, the company lost no billing time at all. The remote production site, commissioned as a business continuity measure, remained unaffected and active while the disaster recovery site at head office was out of action. A simple ‘backup and restore’ would have been a catastrophe in such an event. To remain operational in the face of such disabling events takes planning, preparation and testing, says Butler Group’s Alan Rodger, senior research analyst. “Your backup strategy really affects the point to which you can restore your business; even if you only backup your systems every night. You’ve got all sorts of things to unwind; commitments made to people, transactions, money to be repaid, things like that, [it’s helpful] even if you can find out what they actually are. Your reputation can go badly astray, so there is justification for the hot
Your reputation can go badly astray, so there is justification for the hot remote site facility
Alan Rodger, Butler Group
SEPTEMBER 2008
23
STRATEGY
Practices that enable great agility are also techniques for business continuity remote site facility where it’s there and active and ready to be used when necessary” advises Rodger. Combine these factors with wide-ranging, global, enterprise structures – often involving many business partners in any one business process – and it’s clear that often the complexity of ‘restoring’ a business process is greater than building in resilience to events from the beginning. This is why modern business continuity attempts to put the business process at the heart of continuity, and tries to prevent the process from failing in the first place, says Bharat Thakrar, head of business continuity portfolio practice for BT Global Services. “When we talk about resilience, are we looking at it from an end-to-end perspective or do you look at your bit and I’ll look at my bit, and we don’t put the whole equation together? There could be things that fall between the cracks.
“That is a crucial issue. Organisations are changing quite fast, bringing on new partners, moving into new market” Thakrar continues. “Let’s understand what is critical to each of the organisations that support the overall business process. We need to make sure diversity is built in, right across from the client and their customers right through the supply chain all the way to the smaller organisations in the chain.” Understanding which of your business processes are critical is the first step, says Thakrar. It’s then a matter of gauging the exposure, should something go wrong, before measured and appropriate steps can be taken to protect the process. “You get an alignment of investment against exposure”. “There will be some basic, common tactics which will help a number of processes, and then there will be specific things for that process”, continues Thakrar. “It is like a dialogue between business continuity and the process owner; ‘Are we agreed that this is the level of protection we need?’”
Testing, testing, testing Putting the protection in place is not enough says ISF’s Chaplin. Business continuity plans must be thoroughly tested, before disaster strikes. “I don’t think that C-level executives and senior management are really aware of the effort required to set up and maintain an effective business continuity capability. They don’t realise all the intricate aspects of being
Troubled waters: In this complicated business environment, there is more to avoid than the trinity of fanatics, floods and flu.
24
SEPTEMBER 2008
STRATEGY able to deal with a major incident, and quite often these are discovered during testing.” This ties in with Thakrar’s experience. Companies are still failing the basics, he says. “Patches aren’t updated, hardware keeps failing-over; in a crisis organisations don’t know what the first step to do is. If you suffer an incident the media thrust a microphone in your face and no one knows what to say; immediately your reputation is down the pan.” Consequently, Thakrar is “completely paranoid about testing. Testing comes at the end of the chain and it tells you what is not working. Businesses will flash a BC plan in front of you but when you ask, ‘When did you conduct your last test, what did you find and have you got a corrective action plan?’ they will stare into a blank space,” he explains.
Business continuity planning should not be done because auditors or regulators are telling you, but because you are protecting your business
A marriage with business agility But there are moves afoot to make BC much more of a business governance issue, and even the subject of regulation (where it is not yet subject to compliance measures, as in financial dealings). According to ‘The Pitt Review: Learning the Lessons of the 2007 Floods’, an independent report commissioned by the government, some 55 000 properties were flooded and 30 000 businesses made an insurance claim of some sort. The total bill for these claims will be in the region of £3 billion. The review recommended the creation of a national framework to reduce the risks to the delivery of services. This should include the introduction of mandatory business continuity planning for critical providers. While this will cover strategic utilities and infrastructure, the insurance industry will raise the profile elsewhere. “In the past, insurance companies have made scant enquiries over the business continuity plan a business may have,” says Ed Jones, managing director, Thinking SAFE. “However, since the floods of summer ‘07, much more emphasis has been put on verifying the plans, and if a company cannot provide enough evidence that they are prepared, there seem to be two options. The first is that the company will not be offered consequential loss insurance until they can. The second is that insurance will be offered at a higher cost and we’ve heard tales of premium rate increases of up to 300% year on year.” Ultimately, Thakrar sees the practice of business continuity and business agility combining, possibly even under one umbrella, say, “business agility experts.” If a company is exposed to economic risks in one jurisdiction, it makes sense to be able to switch where and how a business process operates to avoid the risk – perhaps overnight or even instantly. Just as if there had been a continuity event like a flood, in fact. Such strategic planning requires joined-up thinking right from the start of a new business process however, not retro-fitting when business continuity is later considered. “Organisations must be responsive because we don’t know what the future threats are going to be. You build agility and responsiveness into your business. It’s almost like a side issue from business continuity; business continuity is a side benefit from it,” says Thakrar.
Mark Chaplin, ISF
All things considered, the business continuity basics must still be covered and currently organisations, particularly midrange and smaller firms, are failing in this regard. If continuity is interrupted, says ISF’s Chaplin, “conduct a post-incident review, assess and evaluate what happened, why it happened, then feed [results] back in to enhance your capability.” Business continuity planning should not be done “because auditors or regulators are telling you,” Chaplin says, “but because you are protecting your business. Ask yourself, ‘How can we ensure we are competitive, an effective organisation and can continue operating 24/7 in the event of something happening?’”
SEPTEMBER 2008
25