Few corporate executives actually spend sufficient time considering the potential implications of a serious interruption to the normal conduct of business, writes Frank Hair.
An interruption in business may be the consequence of an unforeseen natural disaster, a serious fire or flood, or even a brief or extended power outage at a critical time or location. Interruptions are also likely to be caused by the premeditated actions of criminals or terrorists or even by simple human error bringing about the failure of a critical business resource.
Business continuity planning is designed to ensure the continued viability and operation of an organization in the event of an interruption or disaster resulting in the major loss of product or denial of access to mission-critical facilities. While specialists in business continuity planning will go to great pains to assess risk across all aspects of a business, it is a fact that the great majority of the issues to be addressed - and the contingency strategies which provide protection - will have a technology or computer-based flavor to them.
Business continuity planning is critically important for business survival! Most organizations which encounter a serious interruption to normal business, and have not taken steps to quantify their risk exposure and implement contingency strategies, will likely go out of business within 18 months of a "disaster" or "event". It has also been demonstrated that insurance, while it will help recover the costs of physical damage and short term loss of profits, cannot guarantee retention of market share if your customers, unable to do business with you, take their orders and future business elsewhere. But who is responsible for calling for the necessary steps to be taken?
Of the 350 companies who occupied New York's World Trade Center, approximately 150 failed to resume business following the terrorist attack there in 1993. Even in the wake of such high-profile events as the UK's Docklands and Manchester City Center bombs, the widely reported fire at the headquarters of the Credit Lyonnais in Paris, the devastation following a fire at the Pretoria City Council's facilities in South Africa and the recent climatic events in the wake of El Niño, far too many businesses still adopt the attitude that such events only ever happen to others.
The finance and IT functions of our larger corporations have been aware of the issue for many years - business is increasingly dependent upon its computing infrastructure. Computer mainframe contingency has been a feature of many companies' day-to-day risk management for many years but few organizations really know how they would manage the total loss of, for example, their inventory control systems or invoicing systems and the consequent loss of cash flow.
In many organizations it is the marketing function that drives the business continuity planning process - the need to maintain 100% deliverability of product or service to customers invokes some interesting "what-if" scenarios. The fear of a competitor capitalizing upon the company's temporary inability to service customers plays a crucial role in focusing the mind with respect to business risk.
Certainly it is essential to have the board of directors take an active interest in business continuity. Without its commitment and "sponsorship" the enterprise will not be able to invest the resources (time, dedicated personnel and costs related to contingency strategies) necessary to establish a robust business continuity organization and planning process.
Consider the following questions - if you can actually answer all points positively, you are working for an exceptional organization and can feel exceptionally prepared. On the other hand if you fail to score 100% perhaps you should be asking senior management these questions:
* Do you fully understand your role in the event of a major disaster affecting the place in which you work?
* Is this role fully documented as part of a broader emergency response or business continuity procedure?
* Do you know who, in your company, is responsible for the development and documentation of business continuity plans?
* Are you confident that your company or division is absolutely robust and that your job is secure in the event of a serious interruption to the normal business process?
* Do you believe that business threatening incidents only ever happen to other organizations? Many of those who make up the horrific statistic which follows came from a very similar perspective. Can you afford to wait and see?
Business continuity planning has, in recent years, transcended inter-departmental barriers within the corporate structure. Contingency planning techniques which originated in the domain of data center disaster recovery are now being applied to all manner of business processes from IT to customer and sales interfaces and manufacturing processes. Increasing support from the internal audit community and insurers, recognition within corporate security standards, heightened media awareness and debate among those charged with establishing best practice for corporate governance are, at last, taking business continuity to new levels of recognition.
The experienced business continuity planner tends, perhaps, not to focus too directly on a particular risk but will look more specifically at the effects of loss of a critical resource. Specific risks are, however, important because one of the key elements of a sound business continuity plan is to take steps to minimize both the known risks as well as their potential impact.
One area often overlooked by the less experienced planner is the effect of other organizations' disasters - most widely reflected in the sealing off, by the authorities, of not only the immediate scene of the event but also a significant surrounding area. Denial of access is typically more likely to be caused by an incident in an adjacent block rather than within your own premises. Security cordons around crime scenes, picket lines of disgruntled employees and areas evacuated due to a chemical leak are but a small cross-section of the types of incident that cause denial of access.
Many people argue that comprehensive business insurance eliminates the need for business continuity procedures and plans - after all, if they suffer a loss their insurer will recover the costs? Not so! The reality is that insurance will typically contribute to the replacement of physical assets such as buildings and equipment. With the right cover there may be compensation for loss of profits and to facilitate expenditure on alternative modes of operation during the crisis period. What insurance will never cover is the loss of market share which occurs while your normal customers are unable to conduct business with you. If that loss is sufficient to terminally damage the viability of your business, then no payment within your insurance cover will be sufficient to save the business.
Other reasons for business continuity planning include the need to protect against costs and outcomes of disaster which are often not insurable. These might include many types of legal costs, liquidated damages for failure to honor contractual obligations, lost cashflow (which is often more serious than pure profit or loss), lost production (which impacts future stock levels and supply capability), lost customers, diversion of key executives' time from normal productive work to the recovery process, increased inventories and so on.
We have explored many of the negative consequences of not planning but what of the positive outcomes of the planning process?
* Increased customer and shareholder confidence has been addressed above.
* It is also well worth considering the importance of greater employee confidence - those who proclaim that their employees are their greatest asset should think hard about this one.
* Savings can be made on insurance premiums - a number of insurers have realized that business continuity planning is good practice - perhaps it contributes to risk and loss mitigation - discounts may be declared by some insurers or are there to be negotiated.
* The whole process of planning can support or benefit many other business practices. It has been argued in the past, for example, that the fundamental evaluation of critical business processes directly parallels the ongoing trend for business re-engineering.
So what are the key components of a business continuity planning methodology? The following elements seem to be commonly accepted by the world's experts in this field:
* Risk evaluation and control. To determine the events which can adversely affect an organization, the damage such events can cause, the timescale to restore normal operations and the controls that can be implemented to reduce the probability of impact.
* Business impact analysis. Evaluate the potential impact to the business due to the loss of specified essential resources.
* Security and siting. Consider and implement actions which will reduce the risk.
* Development of recovery strategies. Review the available options and formulate alternative operating strategies - i.e. those which will provide timely recovery for all critical business functions.
* Emergency response. The pre-planning and execution of actions to stabilize an incident and to select appropriate options within the recovery plan.
* Development and implementation of a BC plan. Develop and document the procedures that will ensure business continuity - in a form that is suitable for use under emergency conditions.
* Back-up and restoration procedures. Manage the development of procedures which ensure the availability of critical data, information, programs and documents under all circumstances.
* Awareness and training. Develop and implement a corporate awareness and education program which will gain commitment to the project and ensure development, maintenance and execution of the business continuity program.
* Testing and exercising. To employ structured, comprehensive and effective testing methods to ensure the business continuity plan is free from errors and omissions, is practical, and remains current.
* Maintenance and update. Develop processes to maintain the current status of continuity capabilities and the documented plan so that it is always kept in line with business changes.
* Salvage and restoration strategies. The development of emergency responses which ensure minimal losses, enable resources to be reinstated and information recovered, without adverse effects.
* Plan audit and review. To verify that a plan will prove to be effective, by comparison with a suitable standard, and the reporting of results in a clear and concise manner, to enable the plan to be improved where necessary.
As with any methodology this list is just a start. It is surrounded by several other features and implications - many of which will depend upon the culture within the business or organization and will be discovered only after you have embarked on the planning project. Here are just a few of the more important such considerations:
* No business continuity plan can be successful without total commitment at the highest level within the organization. Plans require resources, management time and investment in contingency strategies - sometimes through external service providers.
* There is frequently an inclination, even among the most experienced practitioners, to focus on the corporate entity and to forget about the people around whom that entity is formed. People all react differently to stressful situations, including disasters. These factors and their effects on emergency management and future operations need to be addressed. For example, disasters have a notoriously unsettling effect on employees. Those events which lead to the relocation of premises have been known to lead to staff attrition levels up to 40% above the norm for the organization or industry involved.
* There is an important relationship between business continuity and the PR function - the right message in front of the TV cameras with a severely damaged building as a backdrop can protect your business whereas an unrehearsed comment can turn a minor crisis into a disaster.
* Consideration of the "fit" between business continuity, risk management, crisis management, audit, industry regulatory bodies, legal requirements, quality issues and many other business practices can lead to important new findings which will either influence the momentum towards planning in the first place or in identifying and prioritizing where the planning project commences.
Finally, every individual in every organization should ask themselves about the effects if suddenly and without warning they find that they are unable to gain access to their normal place of work. Are you equipped to achieve your personal responsibilities without access to your desk and papers; without your usual computer system; without being able to talk to your customers or colleagues across the desk or by telephone? Would your organization achieve its mission if its telephone system or computer system suffered a major power failure? How long could your business survive an interruption? Weeks, days or perhaps (in this
Frank Hair is executive director, North America, of Survive! The Business Continuity Group - the world-wide forum for business continuity and disaster recovery planning practitioners.
Survive! is the leading international forum for expertise in disaster recovery, business continuity and contingency planning representing almost 3,000 professionals world-wide. Members of the group include the leading suppliers of IT and work area recovery services, data security, virus protection and related management consultancy. More than 85% of the membership comes from the "end user community" within companies ranging from banking and insurance to aerospace and leisure. As the leading, global, independent authority on this critical business area Survive! is well placed to offer education and information sharing forums to business professionals with a related interest.
For further information about Survive! and the benefits of membership contact Frank Hair at 800-SURVIVE / (908) 704 8505, or fax: (908) 704 8999, or Email: firstname.lastname@example.org