Business continuity is no longer about just avoiding IT downtime or even protecting people and resources: it’s about influencing customers and enabling growth. Stuart Fagg reports
Taking a look at some recent statistics around business continuity (BC) can make for sobering reading. An Economist Intelligence Unit study recently found that according to around half of the risk professionals surveyed, 24 hours of systems downtime could destroy entire companies. Meanwhile, a separate study found that around 50 per cent of organisations believe business is now as big a target for political violence as governments.
Traditionally, BC has, in some organisations, been underfunded and generally ignored. That’s now changing according to recent research from Forrester.
Tim Sheedy, an analyst at Forrester, said risk and compliance will drive spending this year. Forrester found that 48 per cent of companies in Australia and New Zealand will spend more money on security software in 2007. Business continuity and disaster recovery will also be a major focus of spend, with 57 per cent of firms set to significantly upgrade disaster recovery systems and 43 per cent earmarking upgrades to the security environment as a key priority.
Although many organisations have experienced minor BC events in Australia, the headline-making events that generally drive business continuity investment and activities are those such as terrorist attacks, major natural disasters and human capital impacting infectious disease events.
While no major incidents of this nature have occurred in Australia, the level of preparation and disruption being sanctioned for next month’s APEC leaders meeting in Sydney, both in terms of protecting the visiting leaders and local businesses, demonstrates the immediacy of the threat.
At the same time, a potential pandemic flu outbreak, ongoing IT attacks and natural catastrophes all remain credible threats to Australia. However, with differing threats and events gaining prominence at different times – for example Y2K in the late 1990s, the September 11 attacks, the threat of SARS in 2003, and more recently the Avian flu threat and the APEC meeting – some experts are concerned that a scenario planning attitude is creeping into business continuity planning.
“The problem with these events is the perception they leave behind,” said Brian McAtee, director at BC in a Box, and formerly a senior BC professional at Commonwealth Bank of Australia. “If APEC occurs and there are no major operational issues, then the risk is we have another situation of ‘cry wolf’. If organisations really focused on implementing the cornerstones of a good BC program, then events like APEC would be non-events in the BC arena. Organisations would be prepared for the loss of buildings, loss of precinct and loss of staff scenarios – all cornerstones of a well-executed BC program.”
Scott Lansley, also a director at BC in a Box, added that organisations should aim to build BC capabilities into the fabric of their businesses.
“You’ve got to wonder why you’re focusing on that specific event,” he said. “It doesn’t matter what has happened. If I look after a loss of resources in the locations that I’m most vulnerable in, then I must have attended to the key critical impact events there, if those locations are running my critical processes for the business. So it’s all about understanding what’s happening where in the organisation – what’s important and what’s not – and then trying to make sure that the focus and the priority of activity and expenditure is going into those areas first.”
Indeed, some have referred to the Avian flu pandemic threat – which remains a serious concern despite its disappearance from the news pages – as “Y2K with wings”, emphasising the need for solid executive backing for BC, which is usually easier in a region or company that has experienced serious disruption in the past.
“Without executive sponsorship you will get very little momentum to implement a major BC program,” said Jeremy Haworth, head of regional business continuity planning at HSBC in Hong Kong. “Clearly it helps if the sponsor has been exposed to BC invocations in the past.”
Some experts added that tackling pandemic risk may require going further than current BC frameworks. “Given the increasing awareness of pandemic risk I would suggest most institutions are preparing for a potential pandemic,” said Iain McAlister, head of business continuity at Westpac. “The challenge with pandemic risk is that while a sound business continuity framework will assist in preparing for a potential pandemic, it is unlikely to comprehensively address the impact of a pandemic which is likely to run for a series of weeks, if not months, and is likely to continue across multiple waves.”
Perhaps one of the bigger shifts in attitudes regarding business continuity in recent times has been the increasing realisation that human capital issues play a major role in BC planning and management. That requires, like many initiatives within risk management, a reconsideration of organisational culture as it relates to BC.
“Don’t underestimate the effect of an organisation’s culture on the success or otherwise of the BC activities,” said McAtee. “Culture is a set of informal behaviours and not documented but it ‘is the way things get done around here’ – it’s a mindset. If the organisation’s culture doesn’t embrace BC, and particularly through the ‘tone at the top’, then real BC capability won’t be created. The organisation may well go through the motions but there would have to be doubts about whether it would ‘when really needed’.”
McAlister said having a people-focused culture overall in the business is a big help to BC. “Being an employer of choice and a leader in corporate social responsibility, Westpac already has the human side instilled culturally, in our values and approach to business. We’re very aware of the human side and that makes the investment easier.”
Haworth added that embedding BC in organisational culture in fast-growing companies and economies is key to long-term stability. “As economies grow exponentially in this region, businesses are trying to capture the fruits of that economic growth for their shareholders,” he said. “Being able to effectively embed BC in rapidly expanding businesses is a key challenge – think of new premises, new processes, acquisition and large numbers of staff to assimilate.”
He added that big business is increasingly seeing that BC is being incorporated into expansion plans to meet growth expectations. “Doing it early – and bringing in BC planners into the equation when selecting [new assets] will prevent expensive retrospective action at a later stage,” Haworth told Risk Management.
Indeed, detailing cost advantages and business benefits to be gained through BC will have significant impact on securing investment in BC activities.
The SARS outbreak of 2003 in Asia and the London bombings in July 2005 were major catalysts in advancing thinking on the human capital elements of BC. According to Dan Smith, a senior intelligence analyst at political risk consultancy AKE Group in London, the 7/7 attacks underscored the need for a whole-of-organisation approach to BC.
“It is vital that within the company an effective personnel structure is established to deal with risk and coordinate the response to identified dangers and vulnerabilities,” he wrote in Risk Management shortly after the London attacks. “It is important that this structure is robust and has built-in redundancy (implementation of business continuity planning must not fall apart because one member of staff is on annual leave), although this redundancy must not blur lines of authority. Unfortunately, there is often a complete absence of guidelines concerning the person ultimately accountable for security-related matters. Often this falls between risk managers, health and safety, security and human resources. Risk is varied and affects all aspects of a business, requiring co-operation and input from all levels. Although it is tempting to consider it as an afterthought, an effective risk management strategy should be woven into the very fabric of the company.”
HSBC’s Haworth agreed, adding that the corporate world could learn from Asian organisations’ experience in BC culture and the human capital issues associated with it, in dealing with both SARS and the hovering threat from Avian flu. “I think businesses which have been exposed to the effects of SARS do take planning for pandemics more seriously than in parts of the world which were not affected by it,” he told Risk Management. “Having said all of this, it is not just Asian organisations that take human capital issues seriously. Consider what organisations are doing in response to events such as 9/11, 7/7 in London, the Madrid and Mumbai train bombings, flooding in the UK and the big dry in Australia.”
McAlister added that outside of the areas of Asia that were impacted by SARS, Australian organisations are still early-embedders of human capital risk within BC. “There’s nothing like a crisis to provide early exposure to the need for business continuity,” he told Risk Management. “Having said that, organisations with a global view that are located in countries that weren’t particularly exposed to SARS, such as Australia, are probably as early in their adoption as anywhere else. I think a key factor is whether a company has a broad international view, and this is about the nature of its business and whether it has an international presence.”
Perhaps the most significant trend developing in business continuity is the move towards holistic, or enterprise, business community and the linkage of business resilience to BC. “Resilience really is the umbrella for which continuity, risk, security and so on, is underneath,” said Andrew Fry, IBM Global Services’ business continuity and recovery business manager. “It’s the attack and the defence. If you are a resilient enterprise then you have the ability to not only defend yourself from threats but also take advantage of market opportunities. If my competitor isn’t resilient and they’ve lost 50 per cent of their workload, have I got the capacity to pick it up between this plant and this plant? Can I move products? That’s the kind of thing [we’re interested in]. So it’s about how do I thrive in a crisis or prevent myself from being impacted.”
McAlister said that Westpac’s BC model will likely evolve to include resilience and influence customer activities. “Westpac’s approach is what we describe as a federated model – we have a core or group business continuity framework responsible for governance, policy and internal standards,” he told Risk Management. “This works with business continuity communities within each major business who understand that business, its priorities and culture and ensure the development of an effective and appropriate business continuity capability for that community.
“I expect Westpac’s business continuity program to evolve to the point where it not only provides sufficient capability to allow the enterprise to manage major incidents, irrespective of cause, but also to be tightly embedded within operational risk functions, be a value-add to the business and also able to influence customer activity due to the strength of Westpac’s business continuity framework and capability.”
News