News

BSI Committee commences work and the Forum launches new Standards discussion group

Today at the Institute of Directors the British Standards Institution team charged with translating the current PAS56 guidance for Business Continuity into a full British Standard met for the first time formally.

The group comprises the Business Continuity Institute and the Continuity Forum, as well as a range of representatives from industry and government.

Terrorism: Companies yet to find the right balance between insurance and management

Hundreds of actors found themselves hired for an unusual performance earlier this month - faking illness. The actors, part of the US’s largest ever terrorism drill, played people suffering from the effects of a biological agent. The drill, during which officials staged a car bomb and a chemical attack in Connecticut, involved hospitals, investigators, politicians and consultants.

On a smaller scale similar exercises are carried out by companies concerned to test the resilience of their operations to terrorism attacks. But while such exercises are becoming more common in the corporate world, consultants and insurance brokers argue that many companies are not sufficiently focused on the threat of terrorism.

“In looking at some of the polls over the past few years and asking what factors keep boards awake at night, terrorism doesn’t even appear in the top 10,” says Rob Preston, consultant crisis management at Aon, the global insurance broker. “People see operational risk and loss of intellectual property as more critical than terrorism - and we think that’s probably wrong.”

Part of the problem is that no pattern of attacks has yet emerged on which to base risk assessments with regard to terrorism. While events such as the World Trade Center attacks of 2001 and the Madrid bombings of 2004 have demonstrated the power of terrorists to wreak destruction, the global nature of terrorist networks makes it difficult to predict the location of future attacks or whether their frequency will increase.

Nevertheless, argues Mr Preston, this is no reason for companies to bury their heads in the sand. What they should be doing, he says, is assessing risk by looking not only at the potential threats but the vulnerability of their own operations to those threats.

“You can’t do anything about threat, but you can do something about vulnerability,” he says. “There’s physical side, such as blast proofing or CCTV, but also at board level, companies should look at business vulnerabilities like a choke point in the supply chain.”

In addition, the threats vary considerably from country to country with different organisations choosing different targets and a variety of methods through which to attack those targets. While catastrophic attacks tend to dominate the headlines, it is often forgotten that, for example, India regularly suffers attacks from separatist groups.

“Companies have to be aware of how vulnerable they are,” says Alastair Morrison, chairman of Kroll Security International. “If you have to go into a country such as Indonesia, where there have been incidents against western interests, you have to think about how much at risk you are.”

This will determine what a company should spend on measures to reduce the impact of terrorist attacks and on insurance coverage, says Stephen Ashwell, terrorism underwriter at Hiscox. “If you are a cheese farm in Finland, it is pointless spending millions of dollars on security.”

By contrast, a business located in the centre of a big metropolitan area would need to take a different approach. “It’s clear that the platform of al Qaeda wants mass casualties on the front page. So anyone with public access or in large shopping areas is particularly at risk and they should look to security systems and at what their contingency plans should be,” he explains. “But any spending has to be commensurate with the risk.”

Of this spending, a large proportion remains tied up with insurance. In this area, companies are finding that the access to and affordability of terrorism coverage have eased considerably in recent years, with far greater capacity in the market than there was immediately after the attacks of September 11.

However, Mr Ashwell believes that many companies have not yet found the right balance between insurance coverage and risk management measures such as disaster recovery and business continuity plans. “Some of them may be tending to buy too much insurance, or too little, because they haven’t looked at that side of things,” he says.

Nevertheless, there is evidence that more companies are taking terrorism threats into account when making investment decisions. “In the past, the question was ‘is the project viable and can we make money from it?’ But now you’re having major input from the security side,” says Mr Morrison. “So while a project makes sense financially, people are asking about the risk to installations of terrorists taking over, or people being killed because there’s a war going on.”

Mr Morrison believes that terrorism is moving up the board agenda, with sophisticated companies appointing senior level executives to tackle managing risk in this area. Much of this pressure is coming from a recognition that security is part of corporate governance.

“It’s forcing people to think these things through and the board has to go through the scenarios of what might bring down the business,” says Mr Morrison. “So the chairman and board are listening to their security people far more than they ever did before.”


Outsourcing: Get a grip on all the links in the chain

By Paul J Davies

ARCHIVED 2005

Outsourcing and offshoring have become a mainstream strategic option for many corporations looking to cut costs. Hundreds of thousands of IT jobs have been exported from western Europe and the US to countries such as India, while tens of thousands of call centre jobs have gone from the UK alone. But the ever increasing popularity of such moves belies the considerable risks involved.

According to Sam Samaratunga, a partner in Risk Assurance Services at PwC, 25 per cent of IT outsourcing contracts fail within the first two years with the rate rising to 50 per cent over five years - and this includes domestic outsourcing.

When companies send contracts offshore the risks are compounded. Offshoring risks range from the large political event threats such as terrorism, political violence and war to the more subtle, including political discrimination, regulatory considerations and cultural issues.

Matthew Strong, a partner at Jardine Lloyd Thomson, the insurance broker and risk consultancy, says few countries will unilaterally confiscate company assets, but unexpected renegotiation of a licence to operate remains a danger. China and India are among the most popular of offshoring destinations due to an abundance of well-educated but cheap labour.

However, their relative modernity and stability is far from assured, says Charles Keville, a director of Aon Crisis Management, a unit of Aon insurance brokers. “Very recently, China said it could declare war on Taiwan while two years ago everyone thought there could be imminent nuclear war between India and Pakistan,” he says. Sure enough, just as the countries agree on a peaceful bus route through Kashmir, trouble has flared again.

For the apocalyptic situations insurance is the only safety net but, according to Strong, losses are still likely. Coverage for asset confiscation, for example, is capped at about £1bn, he says, although companies can still mitigate losses by arranging cover with a number of providers.

The more common threats, where insurance is also an option, involve a whole gamut of service interruptions.

Depending on your company, these will be more or less important to your business, says Mr Keville. For an online travel company with IT services abroad, a long interruption would be likely to cause a painful loss of business, not just at the time but when affected customers are considering which site to visit in the future. However, the same kind of interruption is not likely to be nearly as sensitive for an online directories business.

One of the most important things, whether you are concerned about serious peril or just a hiccup, is to have good contingency planning in place. When it comes to insurance, most companies will take out a policy to cover the costs of re-establishing operations quickly, whether that be back at home or at another offshore site. Mr Keville says that, because of this, it may only take a policy for £5m or £10m to protect a business. But while you can insure against errors, continuity of service, even fraud, there are plenty of risks that are far harder to quantify and so very difficult to insure.

Cultural risks are both incredibly common and hard to mitigate, especially when it comes to customer-facing operations. Capital One, the credit card company, found this to its cost when it cancelled a telemarketing deal with an Indian call centre company because it discovered that workers had misled customers with spurious offers of credit. Dell was also forced to reverse its policy and shift a number of customer support jobs back to the US because a significant number of customers complained that they had difficulty understanding Indian accents. As Mr Samaratunga says: “If you've broken down in Aylesbury and end up speaking to someone in India there's a good chance they are not going to be able to relate to you or your situation very well.”

Customer frustration can lead easily to customer loss. But if outsourcing is pursued with phased implementation of contracts that have been well prepared with a proper understanding of the rationale for pursuing the move and a firmly established cost base, many problems can be avoided. Companies need to understand all the links in the chain of outsourcing, Mr Samaratunga says.

Outsourcing contractors can delegate some elements further to a subcontractor and a company needs to ensure that all elements of the chain will be contractually obliged to it. Another problem, particularly with IT contracts, is hidden costs: a company can realise too late that costs previously absorbed by departments other than the internal IT department crop up as part of the outsourcing contract. But one of the biggest reasons for failure is that companies underestimate the amount of effort and control that is needed to ensure that outsourced service agreements are fulfilled.

A call centre strategy that works

Aviva, the UK's largest insurer, has been one of the leaders in attempting to cut costs by offshoring call centre jobs to India, along with Prudential, HSBC and others. It has created 3,700 jobs in India already and plans to increase this to about 7,000 by the end of 2007. While it may have aroused the ire of Amicus, the UK union for white collar workers, the strategy has not yet run into any serious problems or caused an exodus of customers. Simon Machell, director of customer service, says the group began researching possibilities for offshoring call centres in 2002 and quickly decided not to open a new location itself in some faraway place.

The company decided on a three stage model in which it would find a partner to build the business and operate it with an option for Aviva to bring it under the group umbrella at a later date if it progressed well. This approach was a good way to minimise the cultural risk because it provided a cheap escape route if Aviva's customers did not take to the service or if the contracts were not fulfilled to the group's satisfaction.

“If we had set it all up ourselves and in one or two years had to unwind it because it wasn't working, it would have been very expensive,” Mr Machell says. He says the group spoke to about 70 different companies in India before choosing, ranging from individual entrepreneurs who would be starting almost from scratch, to very large companies. “We chose a company called EXL the first time. They had done similar stuff with large US insurance companies and so had the knowledge of the industry as well as the capacity.” The contracts are set so that a company such as EXL can run the business for a minimum of three years, allowing it time to make a return on its investments but, after that period, Aviva can effectively take the operations back when it wants, Mr Machell says.

Mr Machell adds that the business continuity risks it faces in India are slightly more complex, but essentially much the same as it would face with a domestic call centre.

 


Status of risk managers: A dramatic change in relationships

By Ellen Kelleher
Published: April 15 2005 16:03 | Last updated: April 15 2005 16:03

Six months have passed since regulators first went on a crusade to rid the insurance sector of improper practices and so much has changed. The Greenbergs are no longer the insurance industry’s reigning dynasty. Brokers have stopped accepting kickbacks from favoured insurers.

The accounting practices at American International Group, the biggest insurer in the world, are drawing intense scrutiny and, as regulators uncover more improprieties, companies are leaning on risk managers to assess the quality of their insurance programmes. The profile of these executives - who were once anonymous operators in most organisations - has been raised considerably.

“Chief financial officers are beginning to ask risk managers a lot more questions,” says Andrew Barile, an industry consultant. When Eliot Spitzer, the New York attorney general, sued Marsh, the world’s biggest insurance broker, last October, directors and senior managers at Fortune 500 companies put pressure on risk managers to either drop Marsh or justify retaining its services. Risk managers were in the hot seat for failing to pick up on the bid-rigging alleged to have taken place at Marsh.

Most were aware that brokers had been accepting special bonuses from certain insurers and the threat of shareholder lawsuits posed concern. Risk managers ceded considerable control to brokers over the last decade, analysts say. In the 1990s, Marsh and others moved to take a more hands-on approach to the complicated business of structuring policies and began offering a wider variety of services such as risk management, research and consulting. As a result, the role of risk managers became more passive.

But the current investigation has changed the relationship between brokers and risk managers dramatically. Bob Hartwig, chief economist at the Insurance Information Institute, reports that the awareness of risk managers “has increased substantially” in the wake of Mr Spitzer’s investigation. As one analyst says: “The leverage in the relationship has changed. It will never be the same.”

A study by PwC suggests companies should delegate more responsibility to risk managers. Analysts say the most effective ones handle risk modelling strategies and thoroughly evaluate alternative insurance options such as captives in addition to the usual tasks of signing off on standard insurance programmes.

“Everybody involved in monitoring risk of all kinds should have a genuine influence over decision-making,” the PwC report states.

In recent months risk managers have begun to ask tough questions about fees and commissions and how brokers place coverage. “What used to happen is brokers and risk managers would meet for dinner and later risk managers would write letters authorising brokers to place the coverage. Now the process is becoming a lot more formal. The bar has been raised because directors and senior managers are demanding it,” says Mr Barile. One reason why ties between risk managers and brokers were close was that modestly-paid risk managers often defected to brokers in search of higher salaries. Leaving for brokerages often allowed them to double or triple their pay.

“In recent years, their compensation hasn’t reflected their contribution to corporations,” Mr Barile says. Some predict risk managers will be paid more as their duties expand.

“There’s potential for higher rewards. Many businesses have become very aware of the importance of these jobs,” Mr Hartwig says. The Public Risk Management Association (Prima), a US trade group for risk managers, reports a surge in interest in its training programmes. Among other things, the group tries to educate risk managers in the public sector about insurance markets and alternative risk financing. It suggests companies recruit managers with business degrees or graduate degrees in public administration and risk management.

“The role of the risk manager has evolved over the last couple of years and become more sophisticated. And all the regulatory issues have emphasised why the profession is so important,” says Jim Hirt, Prima’s executive director. The importance of hiring risk managers first rose to prominence following the attacks of September 11, 2001. “Since September 11, more companies and municipalities have begun to come to Prima for educating on risk management,” Mr Hirt says. Following the September 11 attacks, the market hardened and prices rose. Risk managers were under pressure to try to control these costs. “Risk managers were making some of companies’ most important decisions between the years 2000 and 2003 when the market hardened,” Mr Hartwig says.

Enron, WorldCom and other corporate scandals have also put the role in the spotlight as companies struggle to figure out how to handle the threat of reputational risk. The net result of these scandals has been new regulation. After the passage of the Sarbanes-Oxley act, companies are taking it upon themselves to interpret rules in the strictest possible way to avoid further potential problems. But for risk managers, this comes at a potential cost. They have complained the focus on box-ticking compliance with the new rules can act as a sort of tax and leaves them with less time to guard against less quantifiable threats, such as risk to reputation.

Nike: Sporting chance of getting it right

By Ross Tieman
Published: June 24 2005 13:52 | Last updated: June 24 2005 13:52

Geoff Taylor has been thinking about enterprise risk and maintaining business continuity for more than two decades.

As the director of Risk Management at US sporting goods manufacturer and retailer Nike for Europe, the Middle East and Africa, he is in the front line of ensuring a prominent American brand can continue to deliver its promise to customers, and profits to its shareholders.

And yet the core risks to business continuity that concern him most are workaday issues.

“The most important thing for us is to protect the supply chain,” he says, “making sure that customers get the products that they require at the right time in the right place.”

This down-to-earth assessment of the chief hazards to continuity at Nike is fascinating, because it puts the headline hazards in context.

Nike has been criticised for labour conditions in the factories of its low cost suppliers and, like every iconic US brand, could be a focus for those who vent their spleen on US foreign policy against assets of its corporations.

Says Mr Taylor: “This is an underlying issue for any US domiciled business. One of the things we like to think is that through sport and sports sponsorship people connect with the brand in a way that they would not, perhaps, for McDonald’s or Coca-Cola.”

Since joining Nike three years ago, after a career that began in insurance underwriting and spanned risk management roles at US contractor group Bechtel Group and jeans maker Levi Strauss, Mr Taylor has overseen a classic risk management strategy.

From Nike’s regional headquarters in Hilversum in the Netherlands he and his 15-strong team have focused on so-called Tier 1 risks: spanning environmental, safety and health issues at the region’s 174 facilities, ranging from stores to a massive distribution centre.

These elements are then broken down into issues of security, business continuity and insurance and claims. The core aim, he says, is to prevent incidents happening in the first place, but then to ensure there are back-up plans in place to ensure business continuity should an event occur. “If something does happen, we have an emergency plan to cover most eventualities,” he says. This too will have three parts: crisis management, business recovery and finally workplace or information technology recovery.

Picking out any single overriding threat to business continuity is impossible, he says. “There is a raft of things that could happen,” from an incident at an external transport contractor to a warehouse fire.

Every conceivable possibility has to be assessed, ranked and, if necessary, planned for. “We continuously and constantly analyse different risks and, working with the people in the business, assess their possible impact,” he says.

Most of the consultation is with operational managers. Language difficulties across such a culturally-diverse region preclude direct consultation of shop floor staff, though Mr Taylor will walk through the facilities to assess possible hazards.

Where there are significant costs involved, he has to persuade his bosses to stump up the cash to protect against them, and put in place contingency plans to ensure continuity.

“Generally management are pretty supportive,” he says, “but we have to support our ideas and explain why we want to behave in a particular way.”

That explains why he reckons good communication skills are essential to a good business continuity manager.

That and resilience. “Often, what we do is not seen as a priority,” he says. “There is often a view that it has never happened, so it will never happen.” So determination and persuasion are needed to ensure business continuity planning is accepted and implemented. That is particularly true, he says, because of the way risk management and business continuity planning are evolving.

Where once companies focused on insurable risks, today’s generation of business continuity specialists, better trained and resourced, are working with a much broader spectrum of management colleagues, from health and safety specialists to the legal department and brand protection executives.

“Risk management and business continuity are becoming more professional,” he says. Nike has yet to suffer any serious continuity threat in its Europe, the Middle East and Africa region. Yet the company is determined not to be caught out.

“Risks are continuously evolving,” says Mr Taylor, “and so is our planning”.

Foreign companies: Coping with corruption

By Tom Warner
Published: June 24 2005 13:52 | Last updated: June 24 2005 13:52

The World Economic Forum’s business conference in Kiev this month heard reassuring messages from Ukraine’s leaders about intentions to tackle what may be the biggest business continuity issue for foreign investors in the former Soviet Union: bureaucratic corruption.

President Viktor Yushchenko said his administration had replaced 18,000 bureaucrats and would sack others who did not live up to his no-bribes standards.

But it might be worth listening to the advice of a specialist in dealing with corruption. “From a company’s point of view, getting personal is a very dangerous game to play. I can’t think of any case where I would advise it,” says John Bray, a consultant at Control Risks Group.

Even when top authorities are committed to tackling corruption, co-operating is not always easy. At the conference, investors attending a panel on corruption delicately broached the subject. “I don’t pay bribes but my wife’s family’s company does,” says one businessman.

Mr Yushchenko’s team “needs a lot of help from the business community”, says Gerald Parfitt, a senior partner at PwC’s Kiev office, which also offers crisis management consulting. “It is very difficult to cure corruption once it’s in the nature of society.”

There are strategies that help. One of the most important, according to Mr Bray, is patience: “In Ukraine and other parts of the former Soviet Union, you need to be investing for the longer term. If you need something in a hurry, you’re vulnerable.” Mr Bray advises companies to play for time while coming up with “alibis” – reasons why the company is unable to pay. For example, your local office is unable to make spending decisions without approval from the head office. You are obliged to document and explain all payments and record them in the company’s accounts. Laws in your home country prohibit bribing.

Sometimes, a firm response is all that is required. If a bureaucrat is holding up some kind of permission, he may cave in to persistent nagging.

When making the decision to turn to a powerful person for help, one should be aware that one will usually later receive “some kind of bill,” Mr Bray says.

For example, a politician may ask for a job for one of his friends.

Keeping one’s nose clean is particularly crucial if one lands in a dispute with a competitor or former partner. In the former Soviet Union, these tend to involve harassing lawsuits and planted reports in the media designed to wreck a rival’s reputation, usually with the goal of pressuring the rival into making some kind of deal.

Mr Bray says such problems require individually tailored responses, but companies can join together to address the underlying systemic weaknesses by taking part in business associations and lobbying the government.

The goal is to change the incentive system for bureaucrats and politicians alike, he says.

“One hopes that in the future politicians will gain power by bringing good companies into their constituencies. That’s something nobody would have to be embarrassed about.”

Staff communication: An ear to the ground

By Ross Tieman
Published: June 24 2005 13:52 | Last updated: June 24 2005 13:52

When UK business continuity managers gathered a couple of weeks ago in Brighton for the annual conference of the Association of Insurance and Risk Managers, one topic was on everybody’s mind: the mounting importance of employee consultation.

The introduction in April of the Information and Consultation regulations gave staff the right to be involved in business continuity planning in organisations of more than 150 people wherever it affects their jobs.

Not that companies necessarily needed compulsion to talk to staff about continuity issues. A survey of 2,000 members of Britain’s Business Continuity Institute found in March that protecting employees was the paramount incentive for organisations to engage in business continuity planning.

Philip Carter, senior manager in the enterprise risk group at adviser Deloitte, says the two most striking emerging trends in business continuity planning are accelerating the speed of recovery after incidents and ensuring companies and organisations can recover from any blow to their human capital, particularly the knowledge staff have.

It is easy to understand why knowledge management is becoming a priority for Europe’s business continuity managers. It does not take a big disaster involving loss of life to cause disruption.

Take, for example, a small IT department employing three people responsible for a business critical system. One takes maternity leave, a second resigns for a job elsewhere and the third breaks a leg playing football.

Without a business continuity system that includes knowledge management the company could struggle to find someone who understands the system.

Early assessments of human risk inevitably focused on senior managers and those whose jobs put them in the front line – such as expatriate staff working for a defence contractor in Saudi Arabia, for example.

But as companies slim down and industrial and support functions become automated, key personnel whose loss can affect efficiency are found throughout the organisation.

One way to tackle the problem is to ensure ready access to personnel records that show who has knowledge of key processes or clients gained in an earlier role. Come what may, says Mr Carter, companies are finding they must duplicate knowledge. “No matter how much you might like to, you can’t protect your people from all the hazards of life.”

Organisations are also increasingly obliged to listen to their staff. This does not come easily. Business continuity managers, says Mr Carter, tend to deal with other managers though “we do occasionally use shop floor people to understand, say, what the mechanical issues are with a particular piece of machinery”.

Unions believe they have more to contribute. They say employees have as much interest in ensuring business continuity as managers.

Hannah Reed, senior employment rights officer at the Trades Union Congress in London, says improving consultation over continuity planning offers “a win-win opportunity for employees and companies alike”.

In the past, she says, some companies and organisations paid only lip service to their declared principles of consultation. The new regulations, she believes, will encourage them to listen more closely to staff. And “by talking to staff, they are going to get better insights into ways to make workplaces safer and ensure business continuity”.

In practice it seems companies recognise consultation is important but take a pragmatic view on how much effort to invest in planning for contingencies they hope will never happen.

Mike Lewis, Group Risk Director at global music group EMI, says consulting managers and those with responsibility for particular locations is essential to identify continuity risks and achieve the best solutions.

“We polled a number of key managers in our core businesses and key locations before finalising our recovery strategy,” he says. “That helps you get it right.”

That done, EMI was able to produce a global business recovery strategy that includes assessment of the recovery strategies of key suppliers, such as the manufacturers of compact discs.

During the past 24 months, after a risk assessment presented to its board audit committee, EMI overhauled recovery planning. In particular it evolved plans to ensure security of copyrighted music and recordings, ensuring the catalogue, in which much of the company’s value is encapsulated, is well protected.

Some provisions of the standard are universal: evidence of effective procedures for evacuating a building or dealing with a medical emergency is required at every location. But in other respects deployment can vary. “We don’t necessarily need the same arrangements for continuity in Indonesia or Colombia as we do in Britain or the US,” Mr Lewis says.

“Cost benefit analysis is among the tools we use.”

Storage: No back-up means storing up trouble

By Andrew Baxter
Published: June 24 2005 13:52 | Last updated: June 24 2005 13:52

The terrorist attacks of September 11, 2001 focused the minds of chief executives and chief information officers on the nightmare scenario of being without their IT systems, however temporarily, and losing corporate data, perhaps permanently, as a result of an event beyond their control.

As each year goes by there is more data to lose. Estimates suggest the amount of data held by companies is rising by 50 to 100 per cent a year. E-mails alone add millions of data items a day to the average company’s volumes of electronic data storage.

Just to complicate matters, losing data as the result of disruption or error can have more serious consequences because of compliance regulations such as the US Sarbanes-Oxley Act.

The reality, however, is that companies’ back-up and data recovery routines tend to be triggered by events more prosaic than cataclysmic.

“One of the most common incidents involves things like floods and water damage,” says Simon Gay, consultancy practice leader at Computacenter, the IT infrastructure services provider. He recalls visiting one company in the UK whose data centre was situated below ground and was put out of action by flood.

Area exclusions, where the police cordon off streets because of an event such as a fire or a siege, can also be more than just an annoyance, he says. Having a back-up data centre little more than 1km away, as was the case with one company caught up in such an incident, proved to be less than inspired.

Losing data permanently appears to be rare, and depends on the type of storage system installed, while its importance depends on the type of business involved, says Alastair McAulay, a managing consultant at PA Consulting Group, the management and technology consultancy. He recalls one financial services company that suffered little more than an hour’s power outage, but was left with a permanent hole in its historical data sets.

Recovering quickly from an event of this sort is what corporate back-up and recovery systems are for. But the complexity of modern data storage systems means there is no simple solution, nor are companies starting from the same point. “Most organisations’ data centres have evolved and are continuing to evolve,” says Mr McAulay.

He points out that incidents are more likely to involve parts of an organisation rather than the whole company and this can make decision making in a crisis more difficult and complex. Another financial services client suffered from simultaneous, multiple power failures at the end of last year and while it had back-up arrangements, switching over to them in those situations is never as straightforward as it seems, says Mr McAulay.

Carolyn DiCenzo, a vice-president at Gartner Research, the IT researcher, says improving recovery remains a priority for most companies. One area of concern that emerged from a recent Gartner survey involved data protection for remote offices where only 22 per cent of respondents were satisfied with their recovery solution.

“Recovery is often a problem for remote offices, with back-ups not being done properly or not usable for some reason when needed,” says Ms DiCenzo.

Both Ms DiCenzo and Mr Gay at Computacenter say companies should take advantage of new disc-based technologies to back up data, rather than rely on conventional tape-based technologies. “Anyone relying on tape-based recovery woefully underestimates the time taken to recover,” says Mr Gay. “It’s a triumph of hope over experience.”

The cost of disc technology is tumbling while the technology is improving, he adds. Many companies have attempted to solve data storage problems by buying more capacity, says Mr McAulay, but a better solution is to have a data storage manager to control the amounts of data and ensure only what is necessary is kept. “Companies should be asking themselves ‘What data should we recover in an emergency? What do we prioritise?’ and no vendor solution will give them that sense of priority,” he says.

Mr Gay agrees, pointing out that too few business continuity plans involve the business.

“Companies need to understand what is critical in the event of a disaster,” he says. “There is a lack of steer from the business, and to say ‘everything is critical’ is nonsense.”

The Risk Advisory Group: At the heart of a growing industry

By Mark Huband Published: June 24 2005 13:52  

Helping businesses help themselves is no longer the benevolent act it may have seemed in the aftermath of the September 11, 2001 terrorist attacks. A sense of common purpose prevailed as private sector advisers, government agencies and companies themselves sought to address the threat to business operations in the months after the attacks in the US. But in the more than three years that have since passed the roles and outlooks of all forces in the provision of security have changed.

Fuel Crisis Report

Executive Summary

In September 2000, British farmers and truck drivers launched a dramatic campaign of direct action to protest a fuel duty. Their campaign followed a similar one by farmers, truckers, and fishermen in France, which had resulted in concessions from the French government.

The UK protesters blockaded fuel refineries and distribution depots and, within days, created a fuel crisis that paralyzed critical infrastructure (CI) sectors and brought the country to a virtual halt. The impact of the protest was much deeper than anticipated because it struck at a particularly vulnerable point of the UK economy -- the oil distribution network, which had been organized along just-in-time delivery principles. This, combined with anticipated shortages by fuel consumers and consequent panic buying, magnified the impact of the protests on practically all CI sectors in the UK.

Fuel Crisis Report cont'd...

CRITICAL INFRASTRUCTURE IMPACTED

The fuel price protests exposed the dependence of practically every CI sector of the UK economy on continuous fuel supply and resulted in direct and indirect impacts on CI in the UK.

Fuel Crisis Report final and conclusion...

Financial and Banking Sectors

Limited information exists concerning the impact of the fuel protests on banking and financial services. The sector was dependent on the transportation industry for the movement of money and financial notes.

Disruptions to the transportation sector during other incidents have affected the ability of banks to supply automatic teller machines (ATMs) with cash, resulting in ATM service outages. However, the banks stated that there were no serious interruptions in daily operations. They did not have to resort to any drastic action after securing a place on the government's priority fuel list for the armoured vehicles that transport money around Britain.

Phishers devising new techniques

SC Magazine

The number of conventional phishing attacks dipped slightly last month but the amount of crimeware designed to steal personal data increased, according to the Anti-Phishing Working Group (APWG). There were 14,135 phishing attacks reported to APWG in July, down from 14,135 in June.

The number of phished brands also dipped to 71 last month, from 74 in July, as attackers shifted from targeting large companies to smaller financial institutions, APWG researchers reported. The number of malicious keylogging applications designed to steal passwords grew to 174 in July, up from 154 in June while the number of password-stealing URLs grew to 918 from 526.

Business preparing for terrorist attack

By Hamish Bryce Published: August 17 2005 13:53 

Reports of explosions, London under attack, hundreds of casualties, many feared dead. Emergency services deploy and respond according to well-established plans. Not the events of July 7 but a scenario a few months earlier in April codenamed Atlantic Blue, an international exercise aimed at testing the response of departments and agencies to an incident eerily reminiscent of last month's bomb attack. 

Atlantic Blue and other exercises designed to prepare the capital for catastrophes have served us well - the emergency services' handling of the July attacks was successful and deserves our whole-hearted praise. But what now? What lessons have we learnt and how can we prepare for future threats? 

Staff 'not covered for terrorism' - Families could fall into financial turmoil

BBC website 5/8/05

Emergency service workers killed or injured during a terrorist incident may not be covered by personal insurance policies, a union has warned. Unison, representing emergency service workers, says insurance companies should drop exclusion clauses.

Policies covering accident and offering mortgage protection should be checked by policyholders carefully, it said. Exclusion clauses could leave emergency workers and their families high and dry if they are injured or killed. Fire crews in Somerset have already threatened to go on strike after claiming they may not be insured for dealing with a terrorist attack. The action has since been called off to allow further talks. Unison said it did not want the sacrifices that members of the emergency services were making to result in their families suffering financial hardship.

Terrorism exclusion

It pointed out that its own insurance policy offered to members provided full cover and called for other insurers to do the same. "We are asking all insurance companies to look at their policies and if they have such exclusion clauses to drop them," said Sam Oestreicher, a Unison national officer.

The insurance industry itself admitted that some policies had exclusion clauses and advised policyholders to study the small print or contact their insurance company or broker. "We would like to reassure emergency workers and other customers that most types of insurance are readily available without terrorism exclusions," said Jane Milne at the Association of British Insurers. "The major personal types of insurance, such as life, household and comprehensive motor insurance, provide cover for the effects of a terrorist incident as a standard feature of the policy."

END 

If you would like to know more about how your organisation can get involved and benefit from working with the Continuity Forum, please email us HERE! or call on + 44 (0) 208 993 1599. 

 

