Business continuity How to manage risk and protect your business
in association with
Contents

Foreword ............................................ 2
To ensure that the essential functions of your business continue despite an emergency, effective business continuity planning is critical

Management .......................................... 3
Risk management is more than just an IT issue—it’s a business issue for all directors

Leadership .......................................... 4
What do law firm Shoosmiths and distribution solutions provider Areva T&D have in common? Both have committed to robust business continuity plans

Strategy ............................................ 6
How to develop a business continuity and recovery plan

Comment ............................................. 7
From the coalface—Professor Jim Norton shares his thoughts on the latest trends

DIRECTOR PUBLICATIONS Deputy editor Amy Duff Writer Trevor Clawson Design Halo Design Head of commercial relations Nicola Morris Production manager Louie Mears Chief operating officer Andrew Main Wilson Group editor Richard Cree
Published by Director Publications Ltd for the Institute of Directors, 116 Pall Mall, London SW1Y 5ED. Opinions expressed do not necessarily reflect IoD policy. The IoD accepts no responsibility for views expressed by contributors.
Editorial director-ed@iod.com 020 7766 8950 Sponsorship opportunities@iod.com 020 7766 8885 Production production@iod.com 020 7766 8960 www.iod.com

FOREWORD
Responsible businesses gain a competitive advantage
From supply chain failure to terrorism, businesses face regular threats that could damage their brand reputation and bottom line. The companies with the right business continuity management programme will better protect their people, premises and profit

Few of us need to be reminded that “stuff happens”—just look at the chaos caused by a volcanic ash cloud when Eyjafjallajökull erupted in Iceland recently. We’ve grown accustomed to television pictures showing cities and towns across the globe struggling to cope with extreme weather events such as storms. And while these are mostly reported in terms of personal inconvenience—and sometimes tragedy—the images of offices closing down as buildings are battered illustrate only too well the threat that unexpected events pose to a company’s ability to trade.

Less well reported are the everyday disasters—apparently small in themselves—that can have serious implications for organisations of all sizes. Small fires, localised power outages, telecoms breakdowns and internal faults rarely make the news, but they can throw unprepared businesses into crisis mode. For example, according to research published in 2009 by the government’s Cabinet Office, around 40 per cent of organisations in the UK have suffered disruptions due to IT failure. So it’s perhaps surprising that many companies remain relatively unprepared to deal with the events that could seriously affect their ability to do business. Although the threat was never fully realised, the global swine flu pandemic clearly had the potential to be severely disruptive. Yet, as the Business Continuity Institute observes, barely a third of companies had a plan in place.

Had swine flu really taken hold, the consequences for an already unstable economy could have been severe. Business depends on a chain of relationships between buyers and suppliers. If your business is unable to trade because of an unforeseen disaster, you lose revenue. You could also be causing problems for customers who rely on you to feed their supply chain. The same principle applies when you take time to look at your own suppliers. The way to address the risks that face all organisations is to have an accountable business continuity management (BCM) programme in place to enable you both to prevent problems from arising and to recover quickly when they prove to be unavoidable. Today, the broad principles of good practice in business continuity are well established and enshrined in, for example, BS25999 and other industry or government guidelines. Increasing numbers of companies are acting to comply with these criteria. In this report we’ll be looking at the business benefits, the practicalities of putting a continuity programme in place, and the experience of two companies that are reaping the benefits of having such a programme.

Richard Davenport, Director, HP Business Continuity and Recovery Services
MANAGEMENT
Take charge of change
Business continuity is not just an issue for IT directors, it’s a ‘need to know’ for all business leaders. Here, we look at the benefits of a good plan and the current best practice

“By and large managers know the risks they face,” says Lyndon Bird, technical services director at the Business Continuity Institute, a members’ organisation for those working in the resilience and recovery sector. “They know that flooding, fire or a systems failure could disrupt their operations, but what they don’t necessarily think about is the full impact of that disruption on their businesses.”

As Bird stresses, the impact shouldn’t be seen simply in terms of a direct loss of revenue. If, for whatever reason, a business is unable to communicate with its key customers, the results could be incalculably damaging in the longer term. A transactional website that doesn’t function for days on end; a call centre that’s out of commission; the accounts department that doesn’t answer an urgent query from a supplier. All of these scenarios have the potential to undermine confidence and deliver a severe hit on reputation that could in turn depress revenues for years. According to Brian Fowler, worldwide director, HP Business Continuity and Recovery Services, an increasing number of organisations are recognising the importance of taking a structured and proactive approach to creating resilient systems and processes while also putting in a framework for recovery should disaster strike. “Traditionally, it was banks that led the way,” says Fowler. “They put in high-end business continuity management provisions because they had to. But now we’re finding a much wider range of organisations are putting business continuity plans in place.”

His view is corroborated by 2009, The Year of Living Dangerously, a UK government report which estimated that 52 per cent of organisations had business continuity plans in place compared with 47 per cent in 2008. The drivers are in part regulatory. Under the Combined Code, directors of public companies are required to address all aspects of the risks facing their businesses. And the establishment of a new British Standard for business continuity management provides a means to demonstrate to regulators and stakeholders that action has been taken to defend against threats and ensure rapid recovery of key processes in the event of a disruptive event. The government also found evidence that procurement policy is playing an important role. Put simply, major organisations in the public and private sector naturally seek assurances from their suppliers that measures have been taken to ensure a consistent level of service. To that end, corporate and government procurement contracts increasingly ask for evidence of commitment to business continuity. “All organisations look at their suppliers and assess the risks of non-supply,” says Fowler. “And what we’re seeing is more customers looking at the BC policies of suppliers.” We’re not quite at the stage where a supplier’s failure to meet the criteria of a business continuity standard will scupper a deal, but compliance may well help a company win a contract against competitors that have not begun to address business continuity issues. “It can be a differentiator,” says Lyndon Bird. In the past, there has probably been a tendency to see issues of resilience and disaster recovery sitting in a silo that is somehow detached from the core functions of the business—a matter for IT directors and risk specialists. But in fact, the ability of a business to maintain continuity of service is central to its ability to trade in all circumstances and potentially an important box to tick when pitching for new contracts. That’s something that should be addressed at the highest level.
LEADERSHIP
Continuity of service is a key requirement for law firm Shoosmiths

Safe hands
When law firm Shoosmiths decided to invest in business continuity, it chose a flexible plan that could keep up with the pace of change in its business and protect its brand as well as its customers

As anyone who has ever bought a home will tell you, the day when you take possession of the keys is fraught with tension. As the removal van waits outside the house, behind the scenes money is being transferred from the account of the buyer to the seller and lawyers are working hard to ensure it all happens.

“If there’s a chain involved there may be hundreds of people who will not be able to move into their new homes if something goes wrong,” says David Bason, information services director at law firm Shoosmiths. “We can’t afford to have any system failures. If something was to go wrong the damage to our brand would be considerable,” he says. The process of transferring money on the day of a move is just one illustration of how the work carried out by Shoosmiths is often time-critical and of huge importance to customers. This simple fact was one of the main drivers behind the firm’s decision to implement a business continuity plan. Equally important was a Law Society stipulation that member firms should do everything possible to ensure continuity of service. With a turnover of around £100m, Shoosmiths is one of the UK’s largest law firms, providing a mix of commercial and consumer services. In recent years, technology has played an increasing role in the way it has done business and while that has improved the efficiency of its processes, it has also made it more vulnerable to systems failures. But as Bason stresses, when the company began the process of preparing a Business Impact Analysis, the exercise extended far beyond information systems. “We asked questions of people in all parts of the business. What happens if our systems go down? What happens if we lose premises? What happens if we lose people? What happens if we can’t get access to paper documents? What would be the effect on the client? The answers to these questions gave us an idea of the major risks that we were facing.” From there, Shoosmiths began to address those risks. “On the system side, we began to build in resilience,” says Bason. “We built a back-up for electronic records and introduced offsite email provision.” In addition, HP provides an emergency IT recovery facility and business recovery centres that can be used if an office is lost, and handles the key processes. Of course, in the event of a disaster occurring without warning, it isn’t enough to simply have facilities. It is also crucial to have a plan in place to coordinate the movement of staff and the allocation of tasks. A “gold” team of directors and a “silver” team, formed to manage the recovery and continuity operations at office level, handle this part of the operation. All these systems and procedures are tested and reassessed on a regular basis. The commitment to maintaining continuity of service provides assurance to Shoosmiths’ customers. “We are often challenged by clients on this and many want to see a copy of our recovery plan,” says Bason. “And we can demonstrate to them that the work we do is secure and safe.”

Need to know…
Having a business continuity plan in place may not be enough to reduce the risk profile of your organisation. There are differing service commitments and governance models that service providers do, or don’t, commit to. As well as evaluating your own risk profile, you should consider the risk represented to your organisation from doing business with a higher-risk vendor. A company that promises lower syndication ratios ensures that you are less likely to find yourself competing for valuable resources during a disruption. Choose a vendor that commits to maintaining a 400 metre exclusion area around its customer’s premises—it will not contract with any other customers that it can’t concurrently support with appropriate assets and facilities within that location.

Global and national standards
ISO/PAS 22399:2007 Guideline for incident preparedness and operational continuity. Published by the International Organisation for Standardisation (ISO)
NFPA 1600 US standard on disaster/emergency management and business continuity programmes. Published by the National Fire Protection Association
HB 292-2006 and HB 293-2006 Practitioner’s and executive’s guide to business continuity management. Published by Standards Australia
LEADERSHIP
Tried and tested
When Areva T&D’s board chose to make business continuity management an essential commercial discipline, it put in place an effective solution to safeguard its reputation and its bottom line

“Modern businesses have a very low tolerance for the non-availability of IT systems,” says Colin Haynes. As IT director (North West Europe) for Areva T&D, a global provider of power transmission and distribution solutions, Haynes is responsible for managing the information systems used by all of Areva’s business units in Britain and the Nordic countries.

Maintaining the availability of IT services to those units is a key priority and around three years ago, Haynes and his team embarked on an exercise aimed at establishing Areva’s ability to recover should one or more of its systems fail. “We looked at a number of types of loss and the time it would take to recover the systems,” he recalls. Armed with solid information on recovery times across a range of systems, the information services team took their findings to Areva’s business leaders and posed a simple question. “Could they live with these recovery timelines?” In certain circumstances, the answer was “yes”. If the rapid restoration of a particular system was not business critical, then a recovery time of a few days was deemed acceptable. However, in the case of crucial information systems, Areva’s decision-makers recognised a clear need to take steps that would ensure continuity of IT provision in the event of a catastrophic event or major technical failure. This recognition was driven, at least in part, by a discussion about the cost to the business of a particular system going down. From there, Haynes was given the go-ahead to carry out a more detailed study, which in turn led to the company going to the market to select a business continuity provider. After an extensive process, HP Business Continuity and Recovery Services was chosen to provide a solution and a plan, and to collaborate closely thereafter. The backbone of the continuity plan, explains Haynes, was a remote vaulting system involving the back-up of data to an offsite centre provided by HP. Equally important, the deal involved a “ship-to-site” agreement that would see the vendor delivering back-up hardware and software should Areva’s own equipment be rendered unavailable. “Under the agreement, the equipment comes preconfigured and pre-loaded with the software we need,” says Haynes. Given that his remit covers several countries, Haynes was looking for a supplier with an international capability. “Initially the focus has been on the UK because that’s where most of our work is centred,” he says. “But in time, we would want to implement the continuity measures in other countries, so we wouldn’t have chosen a supplier that didn’t have the ability to scale up internationally.” Areva reviews its information continuity plan annually and the system is also tested every year. “The testing process has proved very useful for us,” says Haynes. “For instance, we wanted to upgrade an SAP system but were concerned about what would happen if the upgrade caused a failure. We had a back-up plan but we asked HP to rehearse that plan as part of the testing process. Because we tested, we were confident we could manage the situation if the upgrade hadn’t gone as planned,” Haynes says. In the event, the upgrade did go smoothly but the peace of mind was there.

Areva T&D develops technologies to manage power grids worldwide
STRATEGY
How to develop a business continuity programme
Your reputation and performance could be significantly impacted with every minute of downtime resulting from a crisis. Here are some top tips to help you put a business continuity plan into practice

At its simplest, business continuity management (BCM) is about putting the systems and procedures in place that will enable an organisation to continue trading and communicating with key stakeholders in crisis situations. Preparing and implementing a BCM programme should be an all-embracing process taking in all aspects of a company. An ongoing review procedure is also vital if your business is to comply with the BS25999 standard, or other industry and government guidelines.

Key steps towards developing a business continuity programme: identify the threats; map out your systems; build a BC framework; install your plan; rehearse your plan.

The business impact analysis
The first step is to identify the threats. You need to look at all the business functions, from manufacturing through to customer accounts management, mapping out the systems that are in use, the people required to operate them and their importance should disaster strike. “You have to understand your business,” says Bill Crichton, EMEA consulting manager, HP Business Continuity and Recovery Services. “And you have to understand the impact on your business should a specific process become unavailable.” That last point is important. If an office goes down, some of the functions you lose may be important, but not particularly urgent in terms of the trading priorities. Others may be very urgent indeed. Gayle Malone, Americas manager, Consulting & Continuity Management, HP Business Continuity and Recovery Services, stresses that you have to look at the three ‘Ps’—people, premises and (IT) processes. While a recovery plan should involve IT resilience and recovery provisions, those will be of little use unless there are plans for alternative premises (in the event of fire or flood) and people to manage them.

The framework
Once the risks have been assessed and the recovery of key options prioritised, the next stage is to build a business continuity management framework. The details will depend on the requirements of the business, but you should certainly be looking at preventative measures to avoid outages [the interval during which your service or resource is not available] and resilience strategies to keep systems up and running in the event of, say, a server going down or a virus attack. And last but not least, there should be an “incident management plan” to facilitate recovery should there be a serious business interruption. One key recovery mechanism is the establishment of an emergency facility where the organisation’s key IT systems are mirrored and ready to be switched on. Most companies can’t afford to run empty facilities in anticipation of an emergency, so the cost-effective solution is a shared recovery centre.

When assessing a supplier there are key factors that should be taken into consideration to ensure you have access to a facility when you need it. “Look at the ratio of subscribers,” advises Richard Davenport, director, HP Business Continuity and Recovery Services. “Across Europe we offer a maximum of 15 subscribers per recovery position in each of our centres. Equally important, ascertain that the emergency centre is not available to businesses operating close to you, which might need to use it concurrently. You should also choose a supplier that can meet your needs. For instance, ensure you are able to schedule rehearsals without long lead times, and that you are not penalised for making changes to your plans. Your plans must reflect business priorities, which can change over time.”

Alignment, testing and reviewing
It’s vital that the BC plan should be aligned to your business, both in terms of the cost/benefit analysis and the availability of facilities as and when you need them. Your requirement for back-up IT hardware and software will almost certainly change over time, so the situation should be constantly reviewed in line with any changes that you make to the business. “It’s not a one-off exercise,” stresses Lyndon Bird of the Business Continuity Institute. “It’s a lifetime process. Even relatively subtle changes, such as the addition of a new customer or supplier, could make a difference,” he says. “You need to look at the risks in terms of your ability to supply and the ability of important suppliers to deliver to you.” That means that your business continuity plan should be looking up and down the supply chain and if necessary you should seek assurances from those you trade with.

COMMENT
From the coalface
Surveys of IoD members over the last few years have shown both strong recognition of the importance of effective ICT systems and steadily growing concern over the operation and management of these systems. The twin issues of data security and business continuity are consistently the two top areas of worry, cited by some 75 per cent of survey respondents. There are good reasons for this. The world today is increasingly complex and interdependent. As those who have fallen victim to extreme weather know, nature is often by far the most effective terrorist. However, alongside the dangers from natural disasters such as fire, flood and earthquake we also have to consider the malign acts of humanity, whether disgruntled employee or ideological terrorist. The internet-enabled world is not a benign place.

Many things clamour for attention at board level in modern business. For example, as the UK Companies Act 2006 Section 172 states: “A director of a company must act in the way he (or she) considers, in good faith, would be most likely to promote the success of the company for the benefit of its members as a whole”.

Few things seem to fit better with this key duty than taking the essential actions to ensure the continuity of operation of the organisation. Once directors might have appealed to a lack of guidance on what should constitute necessary actions and best practice, but the publication in late 2006 of British Standard 25999, the code of practice for business continuity, removed that fig leaf.

The actions now required are clear: prioritisation of activities across the extended organisation (including up and down the supply chain); evaluation of a range of strategies; development of the correct responses; testing and exercising; embedding business continuity management into the organisation’s culture and values at all levels.

The golfer Gary Player once quipped: “The more I practice the luckier I get”. In life and business, bad things do happen, but the more I prepare the less they seem to choose me.

Professor Jim Norton is vice president of BCS, The Chartered Institute for IT
According to a survey by the Business Continuity Institute of 221 organisations that have implemented business continuity plans, 77 per cent were able to recover faster as a result. 55 per cent said their plans have led to substantial cost savings or protected critical revenue streams in the last 12 months. 55 per cent of IT directors* say business continuity is their number one priority over the next 18 months.

BS25999, the world’s first standard for business continuity management, has been developed to help organisations minimise the risk of disruptions. Benefits include enhanced reputation and brand, competitive advantage and compliance. HP employs over 60 professionally qualified BCI-accredited professionals across Europe—a number that is unprecedented in the industry. It also has 60 recovery facilities in 40 countries. According to the United Nations Environment Programme, the number of natural disasters per year has doubled in the last decade.

* Statistic taken from profiling information of delegates attending The IT Directors’ Forum 2010, 16-19 June, organised by Richmond Events www.itdf.com

Useful contacts
For further information and free advice about BCM visit: www.hp.com/go/bcrs www.iod.com/hp Or email: hpbcrsuk@hp.com
How prepared are you?
Assess your business continuity plan in two minutes
Please score your organisation against the following questions (circle your score, add it to the Score column and calculate your total score). The box below will help you understand your rating. You can also do this two-minute self-assessment online: www.hp.com/go/bcrsselfassessment

| Question | Weighting | No | Partially | Mainly | Yes | Score |
| 1 Is someone at board/senior management level accountable for business continuity? | 1 | 0 | 1 | 2 | 3 | |
| 2 Do you have business continuity management policies/guidelines in place? | 2 | 0 | 2 | 4 | 6 | |
| 3 Have you assessed the potential impact and risks to your business of serious disruption? (e.g. financial loss, breach of regulations, brand reputation and customer service) | 3 | 0 | 3 | 6 | 9 | |
| 4 Have you identified all the critical processes that support your business? | 5 | 0 | 5 | 10 | 15 | |
| 5 Have you implemented continuity strategies that will meet your recovery objectives? | 5 | 0 | 5 | 10 | 15 | |
| 6 Can you meet your recovery priorities/objectives with your current resources? | 4 | 0 | 4 | 8 | 12 | |
| 7 Do you regularly exercise your business and IT continuity plans? | 5 | 0 | 5 | 10 | 15 | |
| 8 Do you regularly exercise your Incident Management and Recovery teams using various scenarios? | 5 | 0 | 5 | 10 | 15 | |
| 9 Is governance in place to regularly review business impact, risk and continuity strategies? | 2 | 0 | 2 | 4 | 6 | |
| 10 Have you addressed the continuity capabilities within your supply chain? | 1 | 0 | 1 | 2 | 3 | |
| Total score | | | | | | |

HP consultants have weighted the above questions in line with their criticality and importance within the planning process. Your total rating will give a view of how prepared your organisation is to survive in the event of a disruption.

| Risk | Score | Outcome |
| Very high | < 25 | Your business lacks the ability to properly manage and recover from a serious business interruption |
| High | 26-50 | Major parts of your business could suffer significant damage or loss if a serious incident occurred |
| Medium | 51-74 | Parts of your business may not have the capability or resources to easily recover from a disaster |
| Low | 75-90 | Some parts of your business may not meet the recovery objectives that you should be striving to achieve |
| Very low | > 90 | Your business is capable and ready to deal with any significant business interruption |
What if HP could fully manage your business and IT continuity programmes while reducing your risk? HP invite you to join us at our upcoming breakfast briefing on 8 June at the Institute of Directors, Pall Mall, London to explore how HP can help you. We’d be delighted to tell you how we build specific business continuity programme management relationships that create results. We want to share with you our views on the Business Continuity industry, its future and what HP can do to relieve your continuity management pains.

08:00 Registration
08:20 Seated breakfast
09:00 Opening & welcome
09:05 Business Continuity—“The more I practice the luckier I get”
09:15 Be Prepared—Assessing threats & impacts: developing strategies & solutions
09:35 HP’s Business Continuity Practice Evolution—How you can benefit
09:45 IT Service Continuity Management—Let HP deliver to its strengths while you deliver to yours
10:05 Why choose HP?—A view of the customer experience
10:20 RETHINK continuity provision—A services update from HP

For further information or to register for the event, email: hpbcrsuk@hp.com