
Extinguishing risk

While the insurance industry does its damnedest to ensure businesses survive after a disaster, Justin Clark offers the parallel view from a major corporate

When a disaster strikes, the difference between organisations that have well developed business continuity plans and those that do not is easy to see. The prepared move quickly into new premises, recover their data and get back to work. The rest have little choice but to close down or restrict their operations until a solution can be found. The delays can be expensive and, in the worst cases, threaten the organisation's very existence. For example, in a sobering report, the British Chambers of Commerce noted that 80% of organisations that suffered a critical incident never reopened and went out of business within 18 months.

So, why is it that some organisations fail to invest sufficiently in business continuity or to take enough care when developing their plans?

The problem is that the benefits are not fully evident until something goes wrong. However, these days, organisations are exposed to a much wider range of risks than ever before - not just major disasters like floods, hurricanes and terrorist attacks but everyday hazards like power blackouts, road accidents, staff sickness, and software viruses.

Late in 2004, for example, analyst Computer Economics estimated that the Netsky and Sasser computer worms had caused $6.25bn (£3.17bn) in damage, infecting hundreds of organisations worldwide, including the UK Coastguard, Heathrow Airport and the European Commission. Even a simple human error can result in a significant loss of data and can cause big problems.

Of course, even the largest companies in the world cannot predict the future. However, there are steps organisations can take to make sure they are properly prepared for whatever the future may bring. And what is more, McKinsey says if you can manage risk successfully, there is a clear return on investment. It says that in excess of 80% of investors would pay 18% more for shares in a well-governed company.

So what do you need to do to manage risk effectively and ensure the continuity of your business?

As in other areas of business, it pays to base your approach on industry best practice. The Business Continuity Institute, which has members in over 50 countries, has produced good practice guidelines that provide a good foundation for any business continuity plan. In the UK, they are the basis of the British Standards Institution's specification PAS56 - a first step towards a formal standard for business continuity management.

Beyond that, there are three keys to success. The first is to get help from an independent outsider. People who work in organisations get used to how things are done, and can easily overlook what, to an outsider, is an obvious issue. And it is probable that they will not ask as many questions as they should, making assumptions based on their experience.

This can put the whole plan at risk. For example, the team that operates the organisation's servers may have assumed that the team that runs the network has planned in redundancy to protect against the loss of a single connection, when in reality it has not.

Cost effective security

To secure an organisation as cost effectively as possible, you need a fully detailed understanding of its objectives, priorities and operations. Then you need to consider all the risks - not just disasters but more routine events that could prejudice the organisation's ability to undertake an aspect of its business. Of course, you need to consider the consequences of failure of IT and communication systems but that is just a start. The risks of human error, failure of a key supplier, and so on, also have to be thought through. This is where outside consultants are invaluable. They will ask lots of simple 'back to basics' questions and will really get to the bottom of what does, and could, happen.

The second key is to understand how cost is related to benefit. The costs are clear - the time taken to develop and communicate business continuity plans, the redundancy that allows one part of a business to take over when another fails, and the extra IT equipment needed for backups and to protect against single point failures.

However, given these investments are being made to protect the organisation against events that may never happen, how do you calculate the benefits?

With a detailed understanding of how an organisation works, it is possible to predict the costs that could result from an incident both before and after the plan, and any consequent infrastructure investments, are put into place. This allows competing and alternative investments to be assessed based on their ability to reduce the organisation's overall financial risks.

Detailed analysis

The detailed analysis that goes into a business continuity plan can also have valuable spin-off benefits - for example, highlighting processes that could be completed more efficiently.

The third key to success is testing. Worryingly, a recent CSO Magazine survey reported that, while an overwhelming majority of US companies had some form of business continuity plan in place (93%), only 37% had tested it in a real-life situation.

Take the example of a major UK business. It had a business continuity plan that had been approved by a range of functional experts and the CEO, but it involved moving 3,000 people from London's Docklands business district to a recovery centre in North London in thirty minutes. That's just over 17 km, through the heart of one of the busiest cities in Europe, in under half an hour.

In that case, it was clear that the plan probably would not work if put into practice. In most cases, though, the weaknesses are less apparent, and that is why every business continuity plan must be regularly rehearsed. Just as the emergency services do, you need to simulate events and prove you can respond properly to them. It is no good just assuming you can recover data from backup, or that a contact centre in Asia can take over from one in Europe - you actually have to prove it.

Employee response

Just as importantly, employees need to know how they should respond when things go wrong. Organisations commonly test evacuation procedures to be sure their employees can get out in the event of a fire, so why do they not also test their employees' response in other - perhaps more likely - situations?

Statistics suggest organisations are more likely to suffer a major disruption at the hands of their plumber than as a result of a terrorist attack. Most often, it is the seemingly simple that we all have to guard against and, to do that, you need people who are trained to think about risk all the time. They need to turn over every stone, to avoid missing things off, and to use best-practice procedures. And to be sure they have done their job properly and that everyone knows what is expected of them, you need to test, test and test again.

It is painstaking work but it can make the difference between continued success and business failure.

The 'Seven Ps'

The Business Continuity Institute has stated that effective BCM is built on 'seven Ps':

- Programme - proactively managing the process

- People - roles and responsibilities, awareness and education

- Processes - all organisational processes, including ICT

- Premises - buildings and facilities

- Providers - supply chain, including outsourcing

- Profile - brand, image and reputation

- Performance - benchmarking, evaluation and audit

Five stage BCM process

The Business Continuity Institute has developed a five-stage BCM process which is widely accepted and has been incorporated into a British Standards Institution Publicly Available Specification (PAS 56):

Stage 1: Understanding your business: Using impact and risk assessments to identify critical deliverables, evaluate recovery priorities and assess the risks that could lead to a disruption to service delivery.

Stage 2: BCM strategies: Identifying the alternative strategies available to mitigate loss, and assessing their potential effectiveness in maintaining the organisation's ability to deliver critical functions.

Stage 3: Developing and implementing a BCM response: Developing the response to challenges, and the plans underpinning the response.

Stage 4: Establishing a BCM culture: Ensuring a continuity culture is embedded in the organisation by raising awareness throughout the organisation and its key stakeholders, and offering training to key staff on BCM issues.

Stage 5: Maintaining and auditing BCM: Ensuring plans are fit for purpose, kept up to date and quality assured.
