Hatching a plan
Updated regulations from the Financial Services Authority will put further pressure on the insurance sector to implement business continuity planning. Mike Osborne looks at the steps companies can take to move all their eggs out of one basket
Pressure to wise up to business continuity will not go away, and - while it is tempting to put off starting the process - every organisation, no matter what its size or location, needs to have some form of plan in place. Despite the fact that the insurance sector is one of the key industries that cannot afford a business outage, even for a few hours, many organisations are still unclear of their obligations when it comes to business continuity, or even how to initiate a plan in the first place.
Sadly, it often takes events such as the recent bombings in London to bring the issue of business continuity into focus. Those organisations without continuity plans may understandably be left feeling vulnerable. Step changes in corporate governance and ever-increasing pressure from regulators are strong encouragements for businesses to establish a plan. Having a plan reassures investors that a business can continue to trade, shows customers that, whatever happens, service delivery will continue and demonstrates to employees that the company values its livelihood and is prepared to invest to protect it and its staff.
The insurance industry, in particular, is under pressure to have a plan, especially now it has fallen under the Financial Services Authority's remit. It is now imperative that all firms in the industry understand the FSA's evolving requirements and guidelines on business continuity.
An example of the potential scope and detail of FSA regulation exists within the financial services sector. Having already undertaken a benchmarking project last year, as well as in 2002, the FSA is currently conducting another major assessment of the resilience of the financial sector as a whole, which it has designated as one of the five essential services.
This latest project started in June and will finish in September and, by the end of the year, the results of the main paper will be rolled out to the regulated companies along with examples of good business continuity practice, plus an assessment of what needs to be done to improve the robustness of the financial services sector.
The project is pivotal to enhancing the industry's collective understanding of business continuity issues and to reinforce its ability to respond effectively. The findings will also serve to promote debate and will ultimately benefit the industry as a whole by raising business continuity standards.
Project contents
Earlier FSA benchmarking projects identified business continuity approaches that it considered to be good practice. To date, however, they have not mandated such practices through enforced regulation but have asked regulated companies to compare their own arrangements against this good practice. Therefore, with no specific legal requirements, some businesses may give a low priority to establishing a plan.
The contents of this latest project, when they are published, will represent another step change in the regulator's definitions and expectations of industry good practice. While its emphasis is on the larger players, each regulated firm will need to meet such expectations in line with the nature, scale and complexity of its own business, as well as meeting the growing expectations of all of its stakeholders.
In order to build a solid foundation for an effective process, several key points need to be considered.
First, it is important to ensure that senior management is behind your business continuity planning and that the most senior committee member of the company is supporting the initiative. This is a good way to prevent the process from stalling and it also ensures that business continuity becomes part of the organisation's culture.
Think about your company's motives for having a business continuity plan - is it because of industry regulation or pressure from customers? Remember, a realistic balance needs to be achieved between the risks of not having a plan and the cost of implementing one.
Business continuity should not just be seen as an extension of a business's IT function. It is a management process across the entire company, of which IT disaster recovery is just one part. Human resources departments also have a key role in ensuring that all employee needs are considered, and that staff are suitably informed and trained in business continuity arrangements.
A business continuity process should not just be seen as creating a plan and is not just about ticking boxes. It should be part of the whole culture of an organisation and should continually progress and develop with the firm beyond the initial planning stage.
It is essential to identify how long the business can survive before it is able to return to normal operations and this should be seen largely from a financial loss and customer retention perspective. Keep the plan as simple as possible because, if it varies too much from a standard day-to-day procedure, when it comes to that 2:00am telephone call, it will not work.
Continually review, amend and challenge the plan and treat it as an organic, ongoing process. It should be tested and fully documented at least once a year because insurers, as well as customers, may well request the results.
Finally, do not be scared to talk about having a business continuity plan. Increasingly, customers are demanding that suppliers have one, so it could even make the difference in winning a large deal.
Regular discussion
The FSA findings are likely to reflect the following: business continuity management systems will be required to address many levels of operational risk, specifically financial, regulatory, legal and reputational; managing such risks will be the responsibility of a company's senior management, while ownership of business continuity will be at board level and not limited to one director. Regular board-level discussion will be required as part of the adjudication process. Also, business continuity arrangements must be exercised and proven on a regular basis and these exercises must prove responses to all significant risks, many of which may only be peripherally linked to IT. It will also need to be emphasised that systems recovery is not business recovery and that lessons learnt from regular drills must be acted upon.
Arrangements must be appropriate to the risks identified by senior management. Exercising independently of the industry and those around you is one critical measure of the adequacy of the arrangements. It is also expected that the resilience of a particular geographic area, and the interdependencies between companies and their plans, will come under scrutiny, in order to ensure that the scope of risks and scenarios covered is sufficiently broad to cope with a wide-area or market-wide threat.
Materials, facilities, sites, systems, people and organisation will all need to be addressed, and senior management will have to draw conclusions from the results of each of these areas following input from the relevant quarters.
With senior managers being responsible for business continuity ownership and specification, inspections and visits will be more likely to assess their individual knowledge and understanding - rather than the detailed operational preparation.
Invoking a firm's business continuity plan is a specific event requiring immediate notification to the FSA, so scrutiny of a firm's response to any major interruption will be more immediate and more intense.
While good practice guidelines may not be stringently enforced, it is the obligation of insurance companies to fully embrace business continuity. They must fulfil their regulatory obligations and, more importantly, ensure they continue trading should the worst happen.
As mentioned, it takes events such as the bombings in London to bring the issue of business continuity into focus. However, having a business continuity plan in place proved extremely important for more than 100 companies in Central London that invoked the contingency plan. The incidents showed, in the full glare of the world, the importance of having a plan in place and the benefit of using rehearsals to get them right.
There already exists a mature and experienced business continuity industry of niche service providers that provide business continuity solutions on either a dedicated or shared-risk basis. As a whole, the industry has learnt three very good lessons from the London bombings that organisations should think carefully about in terms of planning, whether starting from scratch or reviewing existing plans.
First, every continuity plan has communication at its heart during the invocation stage. The London bombings proved that, when mobile communication is unavailable, landlines become swamped and cannot cope with the sheer volume of calls. Problems surrounding over-reliance on mobile phones, along with what to do if landlines become unavailable, need to be given real consideration.
Second, employee logistics need to be seriously considered. What would happen if a city-centre transport system was locked down and potentially thousands of employees could not get to work? What are your obligations as an employer?
The London bombings closed the transport network essentially for one day each time and, as the weekend approached, many organisations allowed employees the day off or the option of working from home. Had there been any hint of chemical or biological attacks, this could have been extended by many weeks, bringing with it a completely different set of problems for human-resources departments. However, merely talking about 'what' and 'if' proves there is a need to have a plan in place to ensure business does not come to a complete standstill.
There are a few options: either have a contingency plan that involves bringing private transport solutions (if allowed access) to a predetermined location, arrange hotel accommodation, have systems and infrastructure that cater for large numbers of home users, or opt to utilise alternative work-place facilities outside of city centres.
A perceived threat
The third lesson revolves around what happens when an invocation takes place because of a perceived threat, rather than actual loss. Where an organisation's plan relies on a shared resource, such an invocation has the potential to impact the recovery ability of an organisation that has actually been affected. This particularly applies to shared services that have a high number of subscribers, or that operate an equitable sharing scheme under which available space may be divided among those on standby and not just those organisations actually affected.
The rights of clients in terms of placing plans on standby versus actual invocation, and the ability to invoke based on perceived rather than actual incidents, are issues that the industry as a whole, and individual providers, need to define clearly.
There are still many lessons being learned, in every respect, from the London bombings. If businesses are to genuinely reduce the impact in human and economic terms, it is important that these lessons are heeded by those with existing plans and vital for those just starting the process.