A watertight solution
Businesses are recognising that business continuity planning is as important as risk management in terms of protecting themselves in a crisis. But how can companies make sure their BCP strategies are watertight? David Benyon reports
Business continuity management is changing. The swine flu threat is already being taken far more seriously than previous pandemic scares. It has reversed the temptation for businesses to cut spending, while the wider economic crisis is providing more lessons for business continuity planning (BCP). The interconnectivity between banks uncovered during the financial crisis led to unforeseen exposure between financial counterparties. A similar trend can be identified in BCP. Firms are broadening their BCP to provide resilience against the risk of their suppliers, or outsourcing providers, suffering their own interruptions or worse. Broadening the scope of BCP into these areas, formerly the realm of risk management, also reflects a shift away from risk silos blamed so heavily for handicapping firms before the financial tsunami hit.
Historically, business continuity initiatives have tended to look backwards. It is natural for a firm experiencing a shock such as a terrorist strike or power cut, or observing the effects of such an interruption on one of its competitors, to seek to mitigate that risk for its own business. However, planning around a specific scenario that has already occurred is a reactive approach to resilience. The concept of the 'Black Swan' by author Nassim Nicholas Taleb is highly relevant for disaster planning. Many of Taleb's illustrations are set in BCP-type scenarios. One lesson is that lightning tends not to strike twice in the same place, so preparing for the previous shock provides scant protection against the next.
"People inevitably want to shut the stable door after the horse has bolted," says Martin Caddick, head of Marsh UK's business continuity risk management practice. "The trick from a business continuity management practitioner's point of view is to make use of the desire to do something to prevent it ever happening again, and to convert that into something more generic. We are now in the midst of a swine flu epidemic, but there are other pandemic flu threats. Avian flu has not gone away, so really what you're trying to do is use these stimuli to put together a plan that in the first instance deals with widespread sickness, but what you're really doing is coming up with a plan to cope with losing a large proportion of your staff in one go. You can plan around that for scenarios such as a transport strike or extreme weather conditions."
Taking a 'worst case scenario' approach can provide the flexibility to mitigate whatever shock comes your way. It helps to have that in place already if you need to develop sub-plans for specific threats such as swine flu or adapt to unforeseen events. "If you have a good plan, then 90% of your people can follow it, and the other 10% can really focus on these areas that are flexible and what benefits that can bring," says Keith Tilley, UK managing director and executive vice president for Europe at business continuity specialist SunGard Availability Services. "You should always plan for what you perceive to be the worst possible incident - usually a destruction-type event. If you plan for that then you allow for certain elements to become flexible."
But looking at scenarios 'from the outside in' can also blinker firms by focusing on the recovery process rather than on the everyday functionality and business processes they should be working out from. "I encourage people to start by recording the normal level of service in their business," says Craig Begg, UK-based business interruption risk adviser at Aviva Risk Management Solutions. "That is a natural place to start and gets them thinking about service delivery, and working out from there to plan for their business continuity. It also has the benefit of documenting their recovery targets. Too often people don't know what they are trying to recover to. I try to divide business continuity into two components. The first is about understanding and minimising the risk, which a lot of people miss out and move on to thinking about the second component, which is the recovery process."
Data as a bedrock
BCP has traditionally been centred on backing up IT data for recovery. Off-site data centres containing all the necessary hardware, data to run the business, and seats for employees are usually the first items to tick off on any firm's business continuity shopping list. This is for good reason. "Data is the bedrock of recovery, because information is always stored on some form of technology," says Tilley at SunGard.
From an insurer's perspective too, the value of keeping IT up and running is top of the list. "It is still natural that when businesses begin their business continuity planning, they start with IT," says Begg at Aviva. "For a business with existing BCP, you would expect them to still concentrate on IT but to broaden the scope of their planning. IT is often still the area to cripple a business. From an insurance perspective, you could have only very limited physical damage and loss to physical assets, but the consequences of an IT interruption would cause massive costs and interruption across the whole business."
There are many business continuity scenarios involving no damage to the physical fabric of the business, its IT systems or data. The 7/7 terrorist attack in 2005 paralysed London's public transport network. Another example is the current pandemic threat, with employees unable to reach their offices either because of illness or the threat of further contamination. As in the 7/7 example, in a worst-case pandemic scenario the government could shut down public transport. Schools would also be suspended and public places closed. Travelling to and from work could become either undesirable or impossible, especially in large city centres.
In such scenarios, putting the right infrastructure in place is crucial. These risks, and their effects on individual customers, should inform the choice of locations for data centres and disaster recovery sites. A firm based in Manhattan, Canary Wharf or La Defense could require a different off-site set-up from a company headquartered in Newark, Manchester or Lille. In the case of a bomb attack at Canary Wharf, a wide perimeter would be closed off. Communications in the area would be impossible, so any disaster recovery site caught inside the perimeter would be useless. Likewise, if public transport were down and the firm had no alternative transportation arrangements in place, an off-site far from the city centre might also be impossible to reach.
BCP should take all these factors into consideration. "We have developed a BCP solution with a broker called Global Equities in France," says Thierry Charvet, Paris-based strategic marketing director at Orange Business Services - Trading Solutions. "The disaster recovery site is not located in central Paris but close to the airport, which is a very good location. It is outside of the city, very close to motorways, near an international airport, providing good logistics, lots of hotels nearby, and the customer has already planned for priority booking in a hotel close to the off-site. He knows that there will be 60-80 rooms booked on that day for the main traders and management. He will be able to hold a press conference and it is already organised. It is already written into the process. Everybody knows where to go. Not only that, but because the employees could be affected by the traumatic events of a disaster, the firm has also planned for a psychologist to be in place to provide a counselling service."
Problems of greater interconnectivity
The crisis has shown to an unprecedented degree the vulnerabilities created by increased interconnectivity between financial services companies and the failure of risk management to keep pace with that complexity. That trend is consistent in BCP too, as businesses increasingly question the BCP in place at firms they rely on for outsourced, logistical and supply functions.
"A lot of work has been done by the banks in the area of BCP with respect to supplier, outsourcing and interconnectivity-type business continuity risks," says Vijay Sharma, senior vice president at Oracle Financial Services Consulting. "However, BCP in the new age requires analysis of the interplay between various risk types. Recent events have also shown there is a ripple effect, which can exert system-wide stress across the markets, sparing not even the largest organisations and sometimes even the countries."
The 'new' business continuity risks are increasing demands on providers. Firms do not want to spend capital on new hardware systems, so they are asking vendors to take control of systems and applications. This way they can devote scarce capital and resources to the business, without having to worry about the systems and data centres behind it. They are also seeking increased value from vendors, who are under pressure to deliver without hidden costs.
"Making the most of opportunity and maximising profit is more important than ever," says Chris Bates, UK managing director of trading technology provider IP Trade. "Having the insurance of a good plan in place in case of business disruption will help the firm generate profit in uncertain times. However, the cost of that solution is subject to more scrutiny than ever. I see firms responding positively to vendors who provide competitively priced solutions, where all costs are transparent and there are no hidden 'gotchas' down the line."
Clients are also contacting their vendors at an earlier stage, saying that they anticipate an interruption. Part of the reason is that if a firm's systems go offline and people have trouble accessing data, the market is increasingly likely to presume the firm has gone out of business rather than merely suffering an interruption, which raises the incentive to seek help early. "Over the past six months customers have called us up to put us on alert because their supplier has had a problem," says SunGard's Tilley. "In one case it was because their landlord for a rented office had not been paying utilities bills, leading to threats from the utilities company that they were going to shut off the building's power and that they were going to suffer an outage."
By responding to these new alerts and expanding the role of BCP, business continuity is increasingly crossing into the domain of general business risk or operational risk management, which leads to an uncomfortable truth about the difference in status between the two disciplines. Risk management carries higher kudos and status within most organisations and is more likely to have representation at the top table than business continuity. Rising stars within an organisation frequently pass through risk management during their rise to the top. It is recognised as providing them with valuable experience and understanding of the overall business, as well as exposure to top executives.
"I don't think business continuity is seen in the same light, aside from perhaps as a haven for a lot of high-quality IT employees," says Caddick at Marsh. "The two worlds of risk and business continuity are separated within most financial institutions. The financial sector could learn from manufacturing by developing a more pragmatic approach combining risk and business continuity. How can you take the best of both disciplines and develop an integrated strategy for them? In the instances where firms have united risk with BCM (business continuity management), they've found that BCM provides risk with some big pluses. It provides the risk management function with a greater context around the risks they are trying to manage and the impact of risks on the organisation. It also gives BCM a closer link to different aspects of the business and a voice at the top table."
Setting the BCP standard
Both Basel II and Sarbanes-Oxley (Sox) require firms to put some BCP measures in place, but they provide little or no specificity about the individual business continuity risks in question or what kind of measures to install. The BSI British Standards BS 25999 business continuity standard has moved towards providing an industry standard for BCP. It provides much-needed guidelines, a test process and certification, which together give useful evidence of a firm's BCP robustness. Tilley at SunGard says: "BS 25999 has helped to do that because now you can look down the supply chain and ask companies whether they are compliant and certified."
But despite BS 25999's merits, few companies have yet attained certification. "It is more appropriate for larger businesses," says Begg at Aviva. "Smaller firms are still not ready to comply, and the level of uptake and certification has been low in general. We try to encourage businesses to take a practical approach to aspects of business continuity rather than aiming directly for compliance to the standard. Different businesses are at different stages of the business continuity journey, so it's more a case of encouraging people to improve what they have already."