Management apathy has traditionally been the biggest inhibitor to implementing effective business continuity management (BCM) procedures. Too many organisations have tended to adopt a head-in-the-sand, it-won’t-happen-to-me approach or are put off by the amount of money that they could have to spend.
As a result, they always promise themselves to think about it later. But awareness of the need to ensure the survival of the business in case of a disaster has increased in recent years in the wake of a spate of regional catastrophes.
These range from Hurricane Katrina and the 9/11 attacks in the US to European terrorist bombings and the Asian tsunami. Widespread fears over a potential avian ‘flu pandemic have also helped to focus minds.
“This is not least because business continuity management is a very cost-effective insurance premium. In fact, it’s more effective than just insurance because it ensures that the business can continue to operate as opposed to waiting ages for a payout, which probably wouldn’t be as much as you expected anyway,” says Steve Mellish, head of business continuity at food retailer, J Sainsbury. However, according to Gartner, BCM does not comprise a single activity per se, but is an umbrella term comprising five different components. The first of these is disaster recovery, which involves restoring the datacentre if it is hit by fire, flood or power outages.
"Senior management have to back BCM wholeheartedly. You couldn’t do it without their support because it costs in terms of resources, both people and money"
Richard McDermott, head of IT, Fortis Guernsey
This activity is usually handled by the IT department and, says Roberta Witty, a research vice-president at Gartner, “is fairly prolific, with between 75 and 80 per cent of the Fortune 2,000 doing it quite well”. It is where forward-thinking organisations in highly regulated vertical markets such as financial services and telecoms started their BCM journey in the 1990s, following the realisation that technology was vital to the existence of the company.
But Richard McDermott, head of IT at Fortis Guernsey, which provides banking and insurance services, explains that over more recent years, regulatory issues such as Basel II have pushed BCM ever higher up the business agenda and are now “the big driver and justification for it”.
As a result, although Fortis Guernsey’s IT department used to be responsible for all BCM-related activities, since it became a group requirement to create a plan and keep it tested and up-to-date, this function has been controlled by the risk management office, although IT does contribute to the process.
While McDermott acknowledges that it is tempting for IT to try and do it all, he believes that, it is not necessarily best placed to do so. “Senior management have to back BCM wholeheartedly. You couldn’t do it without their support because it costs in terms of resources, both people and money,” he says.
“Also a lot of business processes aren’t automated and there are personnel and other issues. So these days, from the point of view of leadership, it’s better left outside of IT.”
The second element of BCM, meanwhile, is work area recovery, which is about providing staff with the facilities to keep on working in the event of an incident, whether in an office environment or at a manufacturing site. This means supplying them with everything from the right technology to raw materials and vital records that are necessary to help them do their jobs.
Fortis Guernsey, for one, now uses one of its old office buildings as a workplace recovery facility since it moved its 250 staff to a greenfield site last year. Here it provides staff with hot-desking capabilities using a Mitel-based IP network and the ability to work remotely should an incident strike. J Sainsbury, on the other hand, rents an alternative facility in London from third-party supplier, Sungard, in case anything should happen to its headquarters.
"The secret is to keep it simple, ensure that plans are business-led and, through education and awareness, that BCM becomes business-as-usual in how you run and manage the company"
Steve Mellish, head of business continuity, J Sainsbury
The site provides PCs and other equipment to 600 of the company’s 2,500 head office staff and is available for use on a 24x7 basis.
As Mellish explains: “We wouldn’t expect to run our operations on a simple nine to five basis, but would use the facilities creatively to keep all of our mission-critical operations going. So when they weren’t being used for certain functions, we could use them for less time-sensitive ones.”
When disaster strikes
In the event of an incident, staff and managers at all levels are aware that they need to call a freephone number to obtain information and instructions on what to do. This number is printed on one side of a business continuity pocket guide, which is issued to everyone on joining the company and provides information on basic emergency response actions to take if they are not already at the Holborn office. The other side of the guide details evacuation instructions should they be at the site when crisis hits.
But the retailer’s BCM contract also provides for the use of out-of-London recovery centres if a major event takes place in the capital.
“Our business includes over 700 sites so it’s like a supertanker and the headquarters is the bridge. If we lose that, we slowly but surely move off course and getting it back on course is hard to do so we have to do everything we can to prevent that,” says Mellish.
Nonetheless, high level generic plans, supported by one-page store-specific appendices, have also been drawn up to help individual retail outlets cope with any issues.
“So if we lose a store, which has occurred on at least five occasions, we relocate colleagues to the nearest three in the area. We also redirect deliveries there and, through our loyalty card database, we identify who shops at the store so we can advise them of alternatives,” says Mellish. The third piece of the puzzle is business resumption, which covers the short period of time from a problem taking place to it being determined whether or not it constitutes a full-blown incident.
“Not every event turns into a disaster so it’s about working out how the business can continue with a degraded capability. A perfect example would be a website going down and the business determining how it can take orders as an interim activity,” says Witty.
Back up plan
Number four on the BCM list is contingency planning. This involves exploring what could happen in the event of a problem with external agencies such as partners or suppliers – and even neighbours – and what impact this would be likely to have on the business.
Various organisations started work in this area in the late 1990s as fears around the Millennium bug raised awareness of the potential impact of disrupted data and business flows. “Unfortunately most simply put their plans on the shelf as nothing happened and prayed that they wouldn’t have to use them again,” says Witty.
But one company that was sparked into action at this time was Ascend, a member of the Airclaims group of companies, which provides specialist information and consultancy services to the aviation industry. “We embarked on BCM in 1999 as a direct consequence of the Y2K issue,” says Jacques Rene, the firm’s chief technology officer. “We were working for Lloyds of London because we’re also loss adjustors and it was one of the recommendations for anyone working with them that you have a business continuity programme. The company wanted extra assurance that if anything went wrong, it could pick things up quickly on 1 January 2000 so that was our main driver at the time.”
Ascend has since undertaken multiple risk analysis projects. Being based at Heathrow airport, which is “a high risk area for terrorism and other potential outages”, the organisation now has plans in place to enable it to recover within 48 hours.
These plans are reviewed each year by a BCM team, which includes Rene, the head of HR and the head of the project office, and subsequently tested annually to ensure that they are up-to-date and relevant. The organisation has also set up a disaster recovery site, which includes 20 seats for key staff, at co-location supplier Viatel’s amenity in Uxbridge but has at the same time kitted out its remaining 80 personnel with home-working facilities. “With the adoption of broadband now being more pervasive, there’s less need to pay for desk space in recovery centres,” says Rene.
“You still have to have somewhere to put your servers – that is a given. But these days, you don’t, in my opinion, need to have loads of empty space available waiting for you to arrive, which saves a lot of money.”
The final component of BCM, which underpins all of the others, meanwhile, is crisis or emergency incident management. This encompasses all of the activities involved in handling the disaster itself and entails setting up a crisis management centre not least to communicate with interested parties such as staff, customers, other stakeholders and the press.
“We’re at the very low end of maturity for crisis management. Most organisations have some sense of who they’d call to organise things, but they don’t have formalised processes around it. They don’t have training or organisational charts in place and one of the biggest things of all is that they don’t have a defined chain of command,” says Witty. “This is important because, in essence, when we’re talking about BCM, we’re really talking about creating a mini company. We’re saying that there are mission-critical parts of the business and here is how we run them in the event of a disaster.”
One organisation that has just such a structure in place is J Sainsbury. It has created a central BCM operations team of about six, which includes senior executives from key areas of the business such as retail and supply chain as well as directors from core functions such as HR and facilities management.
This means that if an incident such as the fuel crisis of September 2000 or foot and mouth strikes, the team is in a position to gather information as to the likely impact on the business very quickly and to take the necessary action at an enterprise-wide level.
As Mellish says: “Because we’re right at the centre of the business, we know who needs to know what, what they need to do and how they need to do it.”
Knowing your role
Key to guaranteeing that this approach works effectively is ensuring that every staff member understands the part they have to play. “It’s about embedding business continuity into the culture of the organisation. So while we can develop and rehearse our plans and even use them on occasion, we also have to ensure that everyone is aware of the BCM programme, its function and what their role is if we have to invoke the plans,” says Mellish. Nonetheless, it is also important not to make a drama out of a crisis, he believes.
The focus instead should be on moving the business beyond enacting its BCM plans and into business-as-usual mode as soon as possible, although the speed of such a step depends on the nature of the incident.
As Mellish concludes: “The secret is to keep it simple, ensure that plans are business-led and, through education and awareness, that BCM becomes business-as-usual in how you run and manage the company. That’s crucial.”