Regular
posted 30 Mar 2006 in Volume 2 Issue 9
Survive and protect
By Clive Restall
Generally, I tend to think of my organisation as one that doesn’t suffer disasters. But since joining law firm Allen & Overy in 2002, I have in fact accumulated quite a list of actual events and near misses. Some have caused a degree of business interruption; others have come dangerously close to doing so.
We have suffered two power failures, three bomb threats, flooding in
Allen & Overy is not accident prone. Events of this sort happen all the time and can affect businesses of every kind and size. Usually, with some good fortune, they have no major impact. Regardless, a rock-solid programme of business continuity management (BCM) needs to be in place for the day an attack or disaster strikes just that little bit closer to a vital organ.
Simply good business sense?
Having a BCM programme simply makes good business sense. In fact, BCM should be a standard form of protection for any organisation, just like comprehensive insurance and locks on the doors. After all, if an established organisation suffers a disaster or business interruption and fails to recover from it effectively and at some speed, the resulting wholesale loss of confidence among its stakeholders can be a very real threat to its future existence.
That realisation is becoming more widespread. At Allen & Overy, many of our clients are large financial organisations for whom effective business continuity planning is a way of life. Industry regulators fully expect and require businesses in the financial-services sector to have a BCM programme in place. In fact, they mandate that finance companies should not only offer assurances that they themselves will be able to recover in the event of a disaster, but also that they can confirm that their critical suppliers have their own business recovery plans in place.
For many companies in the finance sector, Allen & Overy may be categorised as a critical supplier, so regardless of our own business needs, our business continuity plans are a necessity for many of our commercial relationships. Increasingly, clients ask us to provide statements regarding the existence, maintenance and testing of our business continuity plans.
All about planning?
Business continuity management is often thought of simply as a process to develop plans with which to respond to incidents.
The reality is more complex than this. The process also includes risk assessment and business impact analysis. The risk assessment process identifies risks to the business and enables a programme of risk reduction. The theory behind this is simple: it is better to reduce or eliminate risk rather than just have the capacity to respond when an incident occurs.
Nonetheless, the plan is an essential part of an organisation’s armoury. Most responsible citizens would not dream of driving a car without insurance, so why would any responsible company run its business without a business continuity plan (BCP)?
But what is a plan?
Documentation is important, but only as a formal record of the recovery process and its supporting resources. When a disaster occurs, there is no time for everybody to sit down and read what is, in many cases, a formidable tome. My advice is to embed the recovery processes firmly in the culture of the organisation through exercises and awareness training, and to provide summary documents that assist communication and identify the actions that would take priority in the event of a disaster.
The crisis management team, in responding to a plan invocation, needs to react instinctively. There is no substitute for a full and demanding programme of testing for both crisis management and business recovery. Exercises can take many forms and each can be set at differing levels of complexity. Examples of types of exercise are:
- Scenario/desktop;
- Testing the escalation and cascade processes;
- Training in handling the media in a crisis;
- IT component recovery and full IT recovery tests;
- Combined exercises involving IT and workplace recovery.
A programme of testing should subject participants to increasingly difficult challenges. For that reason, I advise continuously ‘turning up the heat’ by introducing new challenges to maximise the learning process.
How long does it take?
The answer is, as long as you like. The formal processes of risk assessment and impact analysis may take weeks or months before the plan can start to be developed. It could take a year before a detailed plan document is ready for issue for a sizeable organisation and, during this time, the business remains unprotected.
For that reason, organisations should not assume that they need to complete the risk assessment and impact analysis before they start to develop the plan. These elements of the process can be developed simultaneously. In the early stages of a BCM project, I would recommend starting work on identifying and defining:
- An escalation procedure;
- Team composition and contact data;
- Staff call trees;
- A broad strategy for recovery;
- Somewhere for the crisis team to meet.
Okay, so at this stage the plan template has not been fully populated and there has been no testing, but at least the right people will be informed if there is an incident and the organisation will be able to assemble its specialists who will be able to respond to events as they unfold. There may not be a completed plan in place, but at least the organisation has a fighting chance of implementing an effective response.
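As an added illustration, not taken from the article or from Allen & Overy’s own plans, the following Python models a staff call tree and rehearses the escalation and cascade exercise mentioned earlier. It answers the questions a desktop exercise should: who gets told, who is missed, how long the cascade takes when one or two people cannot be reached, and whether the result stays within an agreed notification target. The tree, the names and the three-minute call duration are constructed assumptions; the skip-level fallback (a caller inherits the list of anyone they cannot reach) is one common cascade rule, not the firm’s.

```python
"""Call-tree cascade exercise: who gets told, who is missed, and how long it takes.

Constructed example; the tree, names and call duration are assumptions, not data
from Allen & Overy or the article.
"""
from typing import Dict, List, Set

# Hypothetical call tree: each person phones the people listed under them, in order.
CALL_TREE: Dict[str, List[str]] = {
    "crisis_lead": ["it_lead", "hr_lead", "facilities_lead"],
    "it_lead": ["it_a", "it_b"],
    "hr_lead": ["hr_a"],
    "facilities_lead": ["fac_a", "fac_b"],
    "it_a": [], "it_b": [], "hr_a": [], "fac_a": [], "fac_b": [],
}

CALL_MINUTES = 3  # assumed time per call attempt, answered or not


def run_cascade(tree, root, unreachable=frozenset(), call_minutes=CALL_MINUTES):
    """Simulate the cascade from `root` starting at time 0.

    Each caller works through their list sequentially; everyone who answers starts
    their own list immediately, in parallel with the other branches. If someone
    cannot be reached, the caller takes over that person's list (skip-level
    fallback), so a missing contact delays their branch instead of stranding it.

    Returns (reached, missed, minutes_to_complete). The root is assumed reachable.
    """
    reached: Set[str] = set()
    missed: Set[str] = set()

    def notify(caller: str, start: int) -> int:
        clock = start          # this caller's own phone time
        branch_end = start     # latest finish among the people this caller reached
        queue = list(tree.get(caller, []))
        while queue:
            target = queue.pop(0)
            clock += call_minutes                   # the attempt costs time either way
            if target in unreachable:
                missed.add(target)
                queue.extend(tree.get(target, []))  # caller inherits the missing person's list
            else:
                reached.add(target)
                branch_end = max(branch_end, notify(target, clock))
        return max(branch_end, clock)

    end = notify(root, 0)
    return reached, missed, end


def cascade_report(tree, root, unreachable=(), target_minutes=20):
    """Summarise one exercise run against an agreed notification target.

    The target is met only if everyone was reached within the time limit;
    anyone missed needs an alternative contact route, so a miss is a failure.
    """
    reached, missed, end = run_cascade(tree, root, frozenset(unreachable))
    staff = set(tree) - {root}
    return {
        "staff": len(staff),
        "reached": len(reached),
        "missed": sorted(missed),
        "minutes": end,
        "meets_target": end <= target_minutes and not missed,
    }


if __name__ == "__main__":
    # Turn up the heat: first nobody is missing, then one lead, then two.
    for down in ([], ["it_lead"], ["it_lead", "hr_lead"]):
        label = ", ".join(down) or "none"
        print(f"unreachable={label}: {cascade_report(CALL_TREE, 'crisis_lead', down)}")
```

Run as a script it prints three rows, one per scenario. In the constructed tree the fully answered cascade completes in 15 minutes; losing `it_lead` alone costs no extra time because the crisis lead absorbs the two IT calls after the other leads, but losing two leads pushes the end to 18 minutes and leaves two people marked as missed, which is exactly the kind of finding an exercise should surface before a real invocation does.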
The plan needs to be supported with resources
The plan shouldn’t be a wish list of desired outcomes – it needs to be deliverable. Nothing should be promised in the plan unless its delivery is guaranteed within an agreed timescale. This rule applies to every aspect of a continuity plan including the recovery of IT operations, the provision of temporary work-areas for employees, access to meeting rooms and the availability of information materials and other general supplies stored off-site.
Driven from the top
Senior managers need to take ownership of the plan. After all, it is their business that is being protected. It will be difficult to get other members of staff to take BCM seriously unless they see that it is being driven from the top. Involving senior management in tests and exercises will help get them – and their teams – committed to the process. Seek their guidance on the composition of their teams and in setting the recovery strategy. Ask them to sign off the crisis management and business recovery plans, confirming that the information and data are accurate, that the plan has been properly distributed and that its provisions will meet the needs of the business.
A word of warning
In your discussions with senior management or the business, avoid the use of acronyms and jargon. Their use is rife in business continuity circles but discussions peppered with terms such as HROT and WARCS will be meaningless to many. How can we hold people’s attention if we use terms such as ‘iterative business process decomposition’ and ‘survival time drivers’? Quite simply, it’s a turn-off. Jargon does not do anything to promote the cause of BCM.
Reputational risks
To my mind, BCM is not just a matter of financial loss. In many cases, the organisation may well be insured against such losses anyway. What is of real concern is the loss of reputation that may result from a disaster. If there is a significant dent in an organisation’s reputation, then there is likely to be a medium to long-term impact on client confidence and an erosion of the client base. This will affect the organisation’s ability to grow and to achieve its strategic objectives. These impacts, collectively, could have a major effect on an organisation’s ability to realise its true potential in terms of size and earnings. As such, BCM is an issue that can no longer be ignored.
Clive Restall is global business continuity manager at Allen & Overy LLP. He can be contacted at clive.restall@allenovery.com
Recovery: an information management perspective
Disaster recovery plans focus on three key areas: prevention, continuity and recovery. All three can be viewed within the specific context of information management, as well as the more general context of business services as a whole.
In the context of information management, prevention involves making sure that proper maintenance and security mechanisms are in place. That means implementing appropriate firewalls and anti-virus software and ensuring that rigorous controls are applied to data access. In addition, there will need to be a regular maintenance schedule, providing for potential server downtime and system back-ups.
Continuity involves keeping information services going during an incident. That requires maintenance of core systems and, in some cases, the implementation of back-up systems at secondary sites.
Recovery, meanwhile, involves detailing all the measures necessary to restore all information services to the status that they held prior to the disaster.