SAFETY CHAIN - Building the right kind of Business Continuity

Computer Weekly 12/7/05 

Your trading partners’ plans for business continuity can be as vital as your own. Arif Mohamed looks at positioning yourself for maximum competitive edge.

Good business continuity planning can give a company an edge over its competitors.

Apart from the assurance that the business will run regardless of natural disasters or external hacker attacks, a company with a good plan can use it as a selling point. In fact, customers have driven the requirement for good business continuity planning over the past few years, says Gartner research vice-president Simon Mingay. “One of the biggest drivers has been that customers have asked: ‘Have you got a plan? Show me the plan. What is the scope of it and how do you aim to keep it up to date?’”

Mike Stichbury, head of business continuity services at BT Business, says, “We frequently come across small and medium-sized companies that are asked for copies of their business continuity plans by clients who want to be assured they have sufficient procedures in place to protect against interruption to service.”

Mingay says most companies are alerted to business continuity planning by a catalyst. “They might have an incident or a close call, or someone in the supply chain or a competitor has an incident, or a new executive comes in and decides to make it an issue. There could be a change in the regulatory regime, or an auditor who makes a comment, or a customer who starts asking questions,” he says. Mingay says the issue of business resilience concerns many customers, and is a particular worry in financial services, with life sciences and pharmaceuticals following closely. One major benefit of business continuity planning is that companies stand to offer customers and potential customers assurance that their business is robust, which may be something their competitors cannot do.

Business continuity planning can be a selling point for IT internally, and for the business externally, says Chris Stewart, technical consultant at EMC’s Solutions Group, which offers business continuity consultancy. “When you are looking at business continuity you want to make sure you are continuing to provide all the critical services the business relies on. IT services are one of those, but you are also going to have external services that you require from other companies, and you may be providing critical services to other businesses,” he says. With this in mind, an IT department will gain the edge if it can carry out risk assessments from planned or unplanned incidents and calculate how much data can be recovered and the time it will take, says Stewart. In addition, the IT department will get the company’s executives onside if it can demonstrate a methodology, showing design and best practice, implementations and testing, and recovery and failover plans, he says. Industry-specific regulatory requirements, such as Sarbanes-Oxley, Turnbull and US healthcare legislation HIPAA, have acted as a significant catalyst for adopting a business continuity plan.

Callum Sinclair, a solicitor with law firm Maclay Murray & Spens, says, “Certain bodies deemed vital to running the country, such as emergency services, the NHS and certain transport providers, are required to maintain continuity plans under the Civil Contingencies Act 2004. Beyond this, there are various additional industry rules and guidance which apply, to a greater or lesser extent, to financial services companies, PFI/PPP providers and others.” But what a company is required to do in terms of having a business continuity plan varies greatly by sector.

In some sectors there are few regulations, and in others, such as financial services, requirements are manifold, says Richard Chapman, solicitor at law firm Berwin Leighton Paisner. “Regardless of sector, directors always have to act in the best interests of the company, and make appropriate measures to protect the company’s assets,” he says. “One way is to take out an insurance policy to cover databases, communications or customer records. All businesses should see what appropriate ways there are to protect their assets.” One major issue surrounding business continuity is the involvement of business partners and suppliers, which often play a key role in the supply or business chain. Medium-sized as well as large companies are increasingly integrating their IT systems into their partners’ systems, says Mingay. “Organisations are much more tightly integrated into a trading ecosystem, and IT is fulfilling much more of that role than it did previously. Information is now being largely transferred automatically through the supply chain,” he says.

Companies should therefore demand from their suppliers a high level of preparation for interruptions to business. “Business interruptions will affect customers far more quickly than before,” says Mingay. “You should be concerned about your own suppliers, and be asking more detailed questions about their business continuity planning. Just because they are big, do not assume they have a plan.” Many companies rely on their business and outsourcing partners to be resilient, as their services are core to the business. Because of this, business continuity issues are often addressed within a contractual framework, to ensure the core business is able to continue if the partner goes down. In creating a contractual framework for business continuity planning, “Keep it simple and flexible and ensure you get the involvement and commitment from everyone in the business. You need to create the right organisational culture and adopt a holistic approach.” Chapman says, “In outsourcing transactions, you would commonly put in the contract that your supplier is required to have business continuity in place. You will also want to have a disaster plan in place that links in with yours.”

Stichbury says, “To get the best possible protection, organisations need to consider which elements of their business and supply chain are mission-critical and the potential impact should one of these fail or be hindered in any way. Armed with this information it is easier to negotiate service level guarantees with subsequent compensation should your supplier’s services fail.” Sinclair adds, “Where the strategy involves working with a partner - handling off-site IT back-ups and disaster recovery, for example - be certain the contract includes assurances in relation to service levels. These should include specific requirements for response times and service availability.

“However, it is also important to have a good working relationship with such partners, with regular meetings and updates to help foster in-depth knowledge of processes and systems. There are data protection implications around using a third party for disaster recovery, as the information held in off-site backups may fall within the remit of the Data Protection Act 1998. Details of any third party providers should be included in information such as privacy statements and fair use notices.”

Chapman says that where a disaster recovery location is situated abroad, transferring personal information across national boundaries may also have data protection implications, being subject to international data protection laws. But Mingay says, “Regardless of onshore or offshore, the issue is the same. As we move towards outsourcing, from an IT point of view, organisations absolutely need to concern themselves with the business continuity and disaster recovery plans that the provider has, and not assume that because they are going with an external service provider, that they have made provision for them, if there is nothing in the contract. It is a common problem that people have made assumptions of the level of capabilities of their partner. It is not always the fault of the provider. It is sometimes the fault of the client, who is looking at ways they can take costs out of the deal, and that may involve reducing their business continuity. You pay for what you get.”

CASE STUDY 

Carphone Warehouse mirrors its datacenters 

Retailer Carphone Warehouse wanted to ensure it had effective business continuity. It offered consumers services that required its communications network to be up and running around the clock, each day of the week. Last year the company built a new datacenter that mirrored its core environment, but is also capable of running live services.

Carphone Warehouse’s infrastructure and operations director, Attiq Qureshi, says the company now regularly switches key services between the sites, whenever they add capacity or carry out maintenance. The firm signed a 10-year deal in September 2004 with business continuity service provider Globix to ensure the datacentre and its networks run at all times. The contract included service level agreements that cover network performance at 99.99% uptime, hardware failure response, and round-the-clock application monitoring. “I think it has given us a competitive advantage. We now have two large datacentres, so we can move between the sites. It has given us growth and raised the profile of business continuity systems in the business,” says Qureshi. Carphone Warehouse has an audit committee made up of some of its most senior executives, who are now very interested in the company’s business continuity plans.

The company was required to communicate its capabilities and plans to telecoms regulator Ofcom. Carphone Warehouse also informed the Financial Services Authority, for insurance purposes. “We were urged on by our insurers, and now that we have business continuity, we have got some fantastic savings on our insurance as a business,” says Qureshi. “From an insurance point of view, customers need to know that we can continue to provide telecoms services and billing, can activate a new phone and bar it if the phone is stolen, and can give them accurate and timely bills,” he says.

Continuity Forum Comment 

Recent events have added impetus and focus to the management issues surrounding BCM and we are already seeing a reaction similar to that following 9/11 where organisations rushed to show that they were active and positive towards Business Continuity Management and Security. However, this knee-jerk reaction to events needs to be considered against a broader backdrop of resistance and partial planning. 

The tendency to improve the 'easy' side of BCM planning, the one with a host of suppliers - IT - must be balanced by the other side. We have spoken with probably more people and organisations than any other in the sector and the consistent theme is that there are STILL significant issues in getting organisations to develop broad enough plans.

Artificial parameters are being set on the BIA phase of the planning, limiting the scope and effectiveness of the process, and often huge omissions are left unaddressed by both Public and Private Sector organisations. The issues outlined above are great to plan for and resolve, but they represent only a proportion of the planning needed. What about your people? Do they know what to do? What about the Supply Chain and key partners? Has a critical dependency been left unresolved? Has effective liaison with Emergency Services, Local Authorities and the Insurance companies been undertaken? When was the last Rehearsal or full BCM plan review?

Remember, Business Continuity Management is an ongoing process and needs regular review and update. It should cover all critical processes, not just IT ones, and connect with the people working within the organisation.

Our Benchmarking study shows that even amongst the best of breed adopters of BCM there are areas consistently left out, and according to Murphy’s law you can bet that is where disaster will strike - life tends to be like that! On speaking with one Public Authority recently we were told that they were confident of being fully compliant with the Civil Contingencies Act, due to come into effect in November, yet when we asked about how they had handled some of the key local services, such as Care for the elderly and those in schools etc, we were told that they had 'concentrated only on the Authority’s Buildings'.

It came as a shock to them to find out that the scope of the Act goes far beyond a bit of Facilities Management, but it was a greater shock to us to hear that after 2 years (of notice) people had still failed to actually understand the importance and scope of Business Continuity Management to the Organisation. 

By the way, the only IT system that was within the plan was that dealing with Council Tax! Business Continuity Management is a tremendously powerful and effective process, but there does need to be an honest and COMPLETE assessment of the organisation’s responsibilities and needs for it to be truly effective.

We are working hard to address these issues and progress is being made, but please do realise that it is the executives’ responsibility NOW not to artificially limit the scope of activities involved in the BCM process, but rather to develop an integrated, structured understanding of how ALL the processes and resources will be affected during an event and then link them back to the needs and responsibilities of the Stakeholders. Failure to do this will only leave you high and dry when you need Continuity most!
