In December 2005, managers at financial services companies in London’s Square Mile were faced with a nightmare scenario: the UK’s wholesale sterling payment system had failed following a weekend upgrade. While staff were being mobilised to deal with the crisis, reports started coming in of co-ordinated bomb attacks in London and across the country.
Happily for the managers involved, the crisis was part of a simulation exercise conducted jointly by the Bank of England, the Treasury and the Financial Services Authority (FSA). The idea was to test the effectiveness of business continuity plans at 80 of the UK’s leading financial services companies.
The financial services industry should, at least in theory, be the best prepared when it comes to business continuity: while various pieces of corporate regulation, such as the Sarbanes-Oxley provision, have made business continuity a priority across the board, such planning is demanded by the FSA and the Basel II accord.
According to research by co-location provider Global Switch, 97% of banks reported confidence that their mission-critical IT infrastructure was housed in a resilient environment. In retail, that figure dropped to 84%, for other commercial organisations it was 79%.
But according to the head of corporate services at one London-based bank, the FSA regulations cause more business continuity headaches than they relieve because they offer no indication as to whether current efforts are sufficient to meet the FSA’s requirements: “The rules are just not prescriptive enough. We know that we must make provision for business continuity, but there are no benchmarks to guide us.”
The value of regulations such as those imposed by the FSA is that they force management boards to take the issue of business continuity seriously and provide them with regular reminders about best practice, argues Ron Miller, a senior consultant at SunGard. “Companies then have to test IT recovery and crisis management plans, and make sure they learn from the lessons.”
The sense of confusion within boardrooms is not restricted to financial services: compliance has become a priority for many businesses, and has led to the increased use of lawyers to oversee the planning, says Kit Burden, a partner in the UK technology practice at lawyers DLA Piper Rudnick Gray Cary. “There is a Sword of Damocles dangling over the heads of senior executives about failure to achieve compliance: they want to see a legal opinion that they are compliant, not just have the IT department’s blessing.”
For companies with operations in multiple countries, conflicting regulations increases the complexity of tackling compliance. Sarbanes-Oxley, Basel II, the Health Insurance Portability and Accountability Act (HIPAA), the Civil Contingencies Act may all impact a business. Keeping up to date is impractical, says Michael Rasmussen of IT analyst group Forrester Research.
“The real challenge for IT is to modify processes in a timely manner to keep pace with [regulatory changes]. Therefore, IT must manage the risks of compliance as a process, not as individual projects” he explains.
Business continuity plans based on compliance requirements can also set the bar too low for business needs, say analysts at IT advisory group Gartner. A report into regulations’ influence on business continuity planning concludes: “Compliance requires satisfying the letter of the law, business continuity requires going beyond the minimum requirements, to having in place plans and training – based on industry, geography and business impact analysis – to keep your organisation going under any circumstances.”
Despite these warnings, there are indications that managers are reluctant to see compliance issues as anything more than a tick-box problem, which can be forgotten once minimum requirements are met.
For example, backing up data is a cornerstone of most organisations’ business continuity planning and yet protection of that data remains patchy: 1.2 million customer records went missing from the Bank of America when it lost back-up tapes; consultancy Deloitte recently mislaid the personal data of 9,000 staff from a company it was auditing.
Yet in both these cases encryption of that data could have protected customers. “At the moment, investment in encrypted data storage is borne out of fear,” says Paul Howard, managing director of encryption vendor DISUK.
In some areas, regulation has positively helped organisations, says Tim Furmidge, business development manager at BT Global Services. As more companies switch to IP-based telephony, regulation has required them to store voice calls along with other data records. “Voice-recognition technology can highlight keywords and phrases, when searching through voice libraries,” he says. And that is adding rich sources of information that managers can mine to improve business performance.
However, Forrester’s Rasmussen is more optimistic about business leaders’ willingness to take a more proactive approach to compliance and business continuity.
One of the driving factors will be an understanding of corporate weak-spots. This will highlight the degree to which many businesses rely on their partners, he explains. “Inadequate planning on the part of a supplier, vendor or business partner can be the Achilles heel of even the most thorough business continuity plan.”
But while assessing partners’ plans in detail is too time consuming and laborious for most business leaders, certification against pre-defined standards for business continuity can be a useful short cut for measuring partners’ plans.
Carl Winsor, chief technology consultant of collocation provider Telecity, explains: “Working towards BS7799 compliance is a useful starting point when constructing a business continuity plan – even if organisations never envisage becoming certified to the standard, it is based on industry best practice and is generally a good framework.”
The survey shows that executive boards are clearly attuned to the need for business continuity. The vast majority of respondents that cited compliance as an issue also reported greater awareness of the issues at board level