On 11 December 2005, the early Sunday morning calm was shattered in Hertfordshire by explosions at the Buncefield oil depot. The blast was heard over 100 miles away; plumes of acrid smoke, 900 feet high, drifted over South East England; air travel was disrupted; motorways closed. And the impact on businesses was devastating.
Software and services company, Northgate Information Solutions saw its headquarters on the neighbouring Maylands industrial estate destroyed in the blast. The back-up systems it had in place were wiped out. And yet, because the management had undertaken rigorous business continuity planning, it was able to restore services almost immediately. It transferred its operations to remote data centres, ensuring staff and systems were able to get the company back up and running quickly.
The Buncefield explosion, along with hurricanes in the US or bomb explosions in London, highlight how catastrophic events can potentially cripple businesses. But with technology now so firmly embedded in business processes, disruptive events need not be so high profile. Denial of service attacks, power outages and system upgrades can all take down IT systems and the delivery of services.
For some, the terms ‘business continuity’ and ‘disaster recovery’ have been regarded as interchangeable, says Andy Hodgson, vice president of security at BT Global Services. This reflects the unwillingness of some senior executives to engage with the issue, failing to understand its complexities. “Business continuity still has not got the
status and profile in business, compared to things such as security.”
Business continuity is an umbrella term describing how organisations can continue to function. Elements of the business continuity plan might include risk management, contingency planning, crisis management and operational risk management. Disaster recovery forms one component of this plan; in particular, it focuses on the restoration of computer-related services and telecommunications after an event has occurred.
Therefore, business continuity does not just mean mirroring the data centre, or having a back-up site. Rather, it requires a strategy to minimise the potential points of failure within the organisation, such as considering what happens if a key location should fail and whether the organisation could continue trading, were it to do so.
It also requires a strategy to determine what applications are critical to keep the business operating. But this does not necessarily imply that all functions are kept running at all times, says Keith Tilley, managing director of business continuity vendor, SunGard Availability Services.
Instead, managers should determine the importance of each application to the business, and determine at what point their loss becomes critical. A payroll system, for example, is only active one time each month; for the remainder it is not necessary to have continuous support.
However, customer-facing systems are far more demanding, especially in areas such as online trading where transactions take place in a 24/7 environment. “If you cannot provide what a customer wants, when they want it, then they will go somewhere else,” warns Tilley.
A standard approach
Awareness of business continuity has been bolstered by both natural disasters and government legislation, forcing managers to undertake corporate risk assessments. But while regulations such as Sarbanes-Oxley and the Basel II accords have brought the issue to the attention of the management board, the legislation is not prescriptive about how business continuity is performed.
Instead, there are a number of standards emerging which are attempting to fill the void left by legislation. In particular, the Publicly Available Specification 56 (PAS 56), currently an informal standard being drafted into a full British standard by the British Standards Institution (BSI), aims to set out guidelines for best practice, and to provide organisations with guidance for business continuity planning and management. PAS 56 provides a framework around which to conduct business continuity planning.
Because a standards-based approach must encompass both the organisation and its partners and suppliers “it cannot be purely IT driven”, warns Martin Byrne, EMEA business continuity practice lead at IT services company Accenture.
Instead, IT directors need to engage with business managers to work out the priority areas for investment and to ensure that business continuity spending is proportionate. This includes partners where operations have been outsourced. The PAS 56 standard provides a yardstick to judge the continuity plans of third parties, but due diligence is still required in understanding the importance of the activity to the organisation, warns Byrne.
However, as Northgate’s experience of the Buncefield oil disaster proved, where proper processes do exist, there should be no cause for alarm. Business continuity planning could also be the catalyst for improving business performance, says BT’s Hodgson: “You will understand yourself better as an organisation once you have gone through the business continuity process.”
Overwhelmingly, the greatest threat to businesses is seen as internal systems. That offers the hope CIOs can take preventative action.
Most respondents report low levels of disruption, as is to be expected. Worringly, 5% report high level of disruption- and that represents a significant number of businesses experiencing problems.