IT Brief New Zealand - Technology news for CIOs & IT decision-makers
Wed, 1st Sep 2010

In April this year, Iceland’s Eyjafjallajökull volcano erupted, spewing volcanic ash high into the atmosphere, with repercussions that shook the world. The local response had to be urgent, with people given just 20 minutes to evacuate their homes.

Immediately after the eruption, air travel across Scandinavia, the UK and Western Europe was halted for a number of days, making it the largest ever interruption to global air travel. Consider how many meetings had to be put on hold or cancelled, not to mention the huge numbers of people unable to return home from business and holiday travel. Gartner reports that the impact on the airline industry alone was in the region of $1.7 billion. This volcano disaster is a perfect example of why a business continuity plan is so vital. Businesses need to understand the effects of a crisis in order to respond by leveraging recovery plans and procedures.

Recent events highlight the fact that Business Continuity Management (BCM) programmes need to shift from their traditional focus of recovery following a disaster. A strategic, proactive, and risk-management based approach is now necessary to ensure businesses remain resilient. Gartner predicts that by the end of 2015, 15% of Global 2000 enterprises will have transformed their BCM programmes into a cross-enterprise business operations strategy and planning function.

The 2009 CIO agenda revealed that business continuity is a topic that CIOs are seriously thinking about. Head of Deloitte’s Enterprise Risk Group, Ian Perry, believes that the bird flu pandemic was a contributing factor to the popularity of the business continuity plan.

“It definitely heightened awareness at the executive table,” he says. “People began to question their BCM programmes and how effective they are.”

This is still highly relevant considering we have now moved from dealing with avian flu to the outbreak of swine flu, which is continuing to affect staff within companies.

The Business Continuity Institute promotes the following definition in its ‘Good Practice Guidelines’: “Business Continuity Management is a holistic process that identifies potential threats to an organisation and the impacts to business operations that those threats, if realised, might cause. It provides a framework for building organisational resilience with the capability for an effective response that safeguards the interests of key stakeholders, reputation, brand and value-creating activities.”

Ian Clark, Director of East Neuk Consulting Ltd, says that this can be interpreted to mean business continuity management is a “business-owned, business-driven process that establishes a practicable, strategic, and operational framework”.

Clark goes on to say that a business continuity plan should deliver three key things:

1) Improve an organisation’s resilience against the disruption of its ability to achieve key objectives;

2) Provide a rehearsed method of restoring an organisation’s ability to supply key products and services to an agreed level, and within an agreed time, after a disruption;

3) Deliver a proven capability to manage a business disruption, while protecting the organisation’s reputation and brand.

If a crisis should occur, it is vital that up-to-date and complete information is available for a quick and effective response. Gartner points out that many BCM plans are outdated: they don’t consider current business availability needs, or they are stored in multiple places throughout an enterprise, where, without a strong document management process, it is hard to keep them current.

While talk of ‘planning’ arises a lot when we discuss business continuity, it appears that words are speaking louder than actions.

“People are stuck in the mindset of ‘we’ll work out the details when disaster strikes’. But when something does happen, you’ll quickly learn that the people who you thought you could rely on may not necessarily be there. The planning process is truly critical,” says Gartner Research Vice President, Roberta Witty.

Witty also recommends planning for an outage time longer than seven days.

“Not planning for a long enough time is a critical mistake. Most businesses plan for three to five days. The likelihood is that this will probably only cover a regional crisis or issue,” she says. Businesses need to accept responsibility for planning to ensure that ICT needs are adequately defined and funded.

According to Ian Clark, a CIO can benefit from having adequate knowledge of business priorities, being sure to receive regular updates as the BCM system is tailored to respond to changing business requirements.

“The overall ICT enterprise architecture can be directed to efficiently serve the business, and scarce funds can be effectively deployed to meet the needs justified by the business. Without the advantage of a BCM system, the CIO will remain wrong-footed by attempting to divine business requirements based upon scarcely justified business cases, and these are often founded on suppositions,” says Clark.

A common misconception is that disaster recovery and business continuity are the same thing. Perry says there is a great deal of confusion between a business continuity plan and a disaster recovery plan.

“Disaster recovery is purely about recovering essential support services, which is only part of the business,” he explains. “Disaster recovery should come under the business continuity umbrella.”

A good example of this is a financial services entity that has physical elements which keep it going. If there is a fire in a trading room, where wholesale transactions take place, that entity will need to have a disaster recovery plan. As part of the business continuity process, a series of disaster recovery plans is normally developed.

“One of the biggest issues in this area is thinking the IT department is the only area of an organisation that needs to recover the business,” says Witty. “A business continuity plan should be put into place by a committed team of people with a senior management sponsor.”

Perry adds to this, stating: “It’s not a good idea for a CIO to take on the responsibility of a business continuity manager as a single-thread IT thing. To ensure the appropriate BCM plan, it is a collaborative responsibility, beyond the CIO, into executive management.”

The downturn in the economy has highlighted the fact that businesses are now more intricately interconnected, and this interdependency is making business continuity management more important than ever before.

In hard economic times, the idea of eliminating BCM positions and ventures may be appealing as a means of saving money; however, it would seriously jeopardise long-term viability. An enterprise should respond to the downturn by focusing more resources on disaster recovery planning and use it as an opportunity to eliminate complex, redundant or underused processes.

“Business Continuity Management is moving into mainstream business life. In the majority of the world, BCM is now on the board agenda of many organisations,” Clark says.

“Most organisations place business continuity within their operational risk portfolio. This is a far better home than having the responsibility hanging around the necks of CIOs, who often have far greater concerns for effectively addressing the ICT needs within decreasing budgets.”

In the current economy, risk sets are constantly changing. Plan for a much broader array of scenarios that may interrupt business activity, and for those risks that extend beyond your own company, include business partners and suppliers. Prepare for increased demand on the network, as more employees may need to work from home in an emergency.

Gartner recommends that the focus of enterprise BCM programmes needs to be expanded beyond physical threats to incorporate a structured framework of business operations, with the aim of eventually achieving certification.