BT’s business continuity, security and governance practice

As we move into an increasingly networked world, enterprises are exposed to a changing set of vulnerabilities.

The landscape of risk has changed.

In this new world, good business continuity standards can make sure companies comply with increasingly strict regulation and data protection requirements; withstand malicious attacks; and optimise, sustain and leverage IT and processes for competitive advantage.

The costs of disruption

A host of figures support the need for ongoing investment in business continuity.

For example, a recent study by the UK’s Business Continuity Institute showed that 80 per cent of organisations that suffered a critical data loss went out of business within 13 months.

Even before the main provisions of the Sarbanes-Oxley Act came into effect in 2004, five Wall Street firms had been fined a total of US $8.25m for violating SEC rules that require e-mails relating to the firm’s ‘business as such’ to be preserved for three years.

In the UK alone the annual cost of business interruption is estimated to be £3.9 billion, according to Adam Associates.

With regard to reputation damage, a recent independent survey commissioned by service management company, Tertio SMS, highlighted the dangers to big business of even minor technology-based service failure.

Every week nearly a quarter (23 per cent) of the UK population finds itself unable to use services, such as cash machines, mobile phone networks or the internet, on at least one occasion.

One in ten people encounter problems on a daily basis.

And half of consumers lay the blame for technology mishaps at the door of the company delivering the service, regardless of whether they are at fault or not.

IT failures have a significant impact on a business’s reputation.

That’s what happens when business continuity measures are not put in place. 

But there’s also evidence to suggest that such measures do not simply help organisations avoid these negative situations: they also lead to discernible advantages.

Management consultants at McKinsey & Co. say that managing risk successfully provides a clear return on investment, with over 80 per cent of investors saying they would pay 18 per cent more for shares in a well-governed company.

In other words, there is a wealth of evidence that tells us that business continuity is all about good corporate governance rather than simply being a knee-jerk reaction to a high profile disaster.

It also tells us that it’s time to get real about the risks that companies face.

The reality of risk

It would be impossible to dismiss the impact of high profile natural disasters, but it’s all too easy to forget the smaller, mundane issues that can have an effect that is seemingly out of proportion with the size of the cause.

The humble computer virus can wreak havoc: analyst group Computer Economics estimated in late 2004 that the Netsky and Sasser computer worms had caused $6.25 billion in damage, infecting hundreds of organisations worldwide, including the UK Coastguard, Heathrow Airport and the European Commission.

What’s more, Adam Associates have calculated that the average outage time following a fire is 28 days, 26 days for a theft and 10 days for flood damage. IT failures take an average of 10 days to recover from, and a power failure can take up to 24 hours.

Even an accident on the motorway that prevents staff from getting in to the office or a misunderstanding over where the vacuum cleaner should be plugged in can take their toll.

Sources of risk, therefore, are not just the headline grabbers. 

The sheer diversity and unpredictability of the potential threats to the modern business is why organisations should concentrate more on creating long term strategies to manage risk.

At the heart of such strategies lies the business impact analysis. 

Unlike other security disciplines, business continuity does not necessarily start with thorough risk assessment and management, but with looking at what needs to be protected.

Organisational focus should therefore be on identifying what is important to a company and to its brand – its Mission Critical Activities or Assets.

And whereas a company’s IT managers, security experts or business continuity managers will all have a view on this, a true 360-degree view comes from input from all areas of the business.

Furthermore, a consensus must be reached to set the priorities among these activities.

Creating the intelligent business

Effective business continuity is therefore about far more than technology – although naturally this has a role to play. 

Instead, managing business continuity is about taking a total view of the company – from operations and behaviours to policies and objectives – so that methods of securing and protecting the business can be worked out.

In other words, business continuity requires the management to fully understand the organisation, and every element within it.

The work can be seen as a market enabler. Viewed strategically, business continuity offers organisations real advantages, enabling them to become more agile and more efficient, while also reducing the risk of failure at times of change and transformation.

It requires a company to fully understand itself, how it works and what its brand stands for.

By going through all the initial information-gathering procedures, an organisation gains a thorough awareness of the consequences of losing key people, processes or equipment.

It knows how long it could survive such a loss, and how it would affect other dependencies – both within and outside its own walls.
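The dependency side of that analysis is the part most organisations get wrong, so here is a small worked model of it. This is an added example, not code from BT’s paper or its practice: it takes a constructed inventory of assets with assumed recovery times (loosely borrowing the Adam Associates averages above), a constructed dependency graph, and an assumed maximum tolerable outage (MTO) per mission-critical activity, then works out which activities a given loss takes down and which of them would be down for longer than the business can survive. All names, figures and dependencies are illustrative.

```python
"""Blast-radius analysis over a business impact dependency graph.

Added example (not from BT's paper). Losing an asset propagates along the
dependency edges to everything that needs it, directly or transitively; an
activity breaches its MTO when the longest recovery time among the lost
assets it depends on exceeds what the business can tolerate.
"""
from collections import deque

# Constructed asset inventory: asset -> assumed recovery time in days.
RECOVERY_DAYS = {
    "datacentre-power": 1,        # power failure: up to 24 hours
    "core-network": 10,           # treated as an IT failure: ~10 days
    "order-database": 10,
    "web-front-end": 10,
    "call-centre-building": 28,   # fire at the call-centre site: ~28 days
    "payroll-server": 10,
}

# Constructed dependency edges: node -> the things it needs to operate.
# Mission-critical activities are prefixed "act:" and listed in MTO_DAYS.
DEPENDS_ON = {
    "core-network": {"datacentre-power"},
    "order-database": {"datacentre-power", "core-network"},
    "web-front-end": {"core-network", "order-database"},
    "payroll-server": {"core-network"},
    "act:online-sales": {"web-front-end"},
    "act:customer-support": {"call-centre-building", "core-network"},
    "act:monthly-payroll": {"payroll-server"},
}

# Assumed maximum tolerable outage per activity, in days.
MTO_DAYS = {
    "act:online-sales": 1,
    "act:customer-support": 5,
    "act:monthly-payroll": 14,
}


def dependants(graph):
    """Invert the graph: node -> set of nodes that depend on it."""
    rev = {node: set() for node in graph}
    for node, needs in graph.items():
        for needed in needs:
            rev.setdefault(needed, set()).add(node)
    return rev


def impacted(lost, graph=DEPENDS_ON):
    """Every node taken down, directly or transitively, by losing `lost`."""
    rev = dependants(graph)
    seen = set(lost)
    queue = deque(lost)
    while queue:
        node = queue.popleft()
        for dep in rev.get(node, ()):
            if dep not in seen:
                seen.add(dep)
                queue.append(dep)
    return seen


def outage_days(activity, lost, graph=DEPENDS_ON, recovery=RECOVERY_DAYS):
    """Days the activity is down: the longest recovery time among the lost
    assets it transitively needs (0 if none of them are lost)."""
    needs = set()
    queue = deque([activity])
    while queue:
        node = queue.popleft()
        for needed in graph.get(node, ()):
            if needed not in needs:
                needs.add(needed)
                queue.append(needed)
    hit = needs & set(lost)
    return max((recovery[asset] for asset in hit), default=0)


def assess(lost):
    """Activities that breach their MTO under this loss scenario, as
    (activity, outage_days, mto_days) tuples, worst breach first."""
    down = impacted(lost)
    breaches = []
    for activity, mto in MTO_DAYS.items():
        if activity in down:
            days = outage_days(activity, lost)
            if days > mto:
                breaches.append((activity, days, mto))
    return sorted(breaches, key=lambda t: t[1] - t[2], reverse=True)


if __name__ == "__main__":
    for name, lost in [("fire at call centre", {"call-centre-building"}),
                       ("power failure", {"datacentre-power"}),
                       ("core network failure", {"core-network"})]:
        print(f"{name}: impacted={sorted(impacted(lost))}")
        print(f"  MTO breaches: {assess(lost)}")
```

Two things the model makes visible that a list of assets does not: a power failure reaches every activity in this graph yet breaches no MTO, because its recovery time is short, while a core network failure that touches fewer nodes breaches two MTOs. That is the difference between "what is affected" and "what the business cannot survive", and it is why the analysis starts from the activities and their tolerances rather than from the threats.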

The insatiable appetite for accurate and timely information that characterises business continuity also creates invaluable management information.

Calling in the outsiders

For these reasons the use of third party experts can be particularly beneficial.

Because they are so familiar with their own businesses, organisations can make assumptions that are often hidden, which outside consultants will discover and question.

They will look at a company from the top down and are able to bridge all the information and operational silos that a typical organisation’s structure generally creates.

For example, the team responsible for the company’s servers may have assumed that those responsible for networking have built resilience into things like circuits.

At the same time, the networking team have assumed exactly the same thing of their colleagues managing the servers – with the result that no-one is doing it.

This is a straightforward IT-based example, but it neatly illustrates the kinds of issues that organisations, particularly larger ones, face at all levels. But, if business continuity is to succeed, such unknowns must be identified and resolved.

Once armed with this knowledge, good business continuity consultants can also assist in the creation of the solution. 

The growing awareness of the need for business continuity is increasingly reflected in corporate governance regulations, such as the UK Combined Code, the Basel II Accord and even the Sarbanes-Oxley Act.

The net result is that the number of vendors, products and solutions in this field has grown dramatically. 

Although the British Standards Institution (BSI) has begun work on a recognised, uniform standard, the current absence of one can make the business continuity arena appear cluttered and confusing.

Third party consultants can help clarify the situation, and go through the necessary benchmarking exercises with the relevant vendors to ensure that products and solutions chosen will deliver the required outcome.

However, organisations should still be wary of the consultant who lays down an overly prescriptive solution. 

The best consultants will not say that things should be done in a specified way: they offer all the options, spell out the pros and cons, and give recommendations.

Theory – and reality

For business continuity to be effective all procedures in place need to be tested – and tested again. A recent CSO Magazine survey on business continuity in the US showed that, while an overwhelming majority (93 per cent) of US companies had a business continuity plan in place, only 37 per cent had tested it in a real life situation.

In today’s world, this is no longer acceptable. One example that reiterates the importance of testing is the UK-based company that had a plan which had been signed off by its entire business continuity team and the CEO.

But it involved moving 3,000 people from London’s Docklands business district to a recovery centre in North London in thirty minutes.

That is just over 17 km, through the heart of one of the busiest cities in Europe, in under half an hour.

This was spotted by the external consultants before the plan was finally rolled out – but it highlights exactly the type of problem that testing would have exposed.

The aftermath of a major incident is not the time to establish whether business continuity plans work or not. 

Very strict and precise information is needed, such as fast recovery checklists that make sure people know exactly what to do when disaster strikes. And plans have to be well-coordinated and rehearsed until they become business as usual.

It’s generally accepted that even the most meticulously planned new systems and procedures do not survive their first exposure to reality intact, and business continuity is no exception.

It’s been said that while you cannot eradicate risk entirely, you can make it work for you. Business continuity involves thinking about risk all the time. Attention to detail is vital: every stone must be turned and every procedure proven.

It all takes time and effort but, when organisations have done everything necessary to put an effective business continuity programme in place, they typically find they are not just compliant, but also healthy, rationalised and optimised.

These in themselves are substantial benefits that few organisations can afford to ignore.

Entry Filed under: SUPPLIER AND TECHNOFIN®, Risk Management, Telecommunications, Compliance
