The World Health Organisation’s experts predict that, given the mobility of populations, it could take as little as 21 days for a human strain of avian flu to reach pandemic proportions. For those businesses without plans in place, there could be precious little time to react.
Little wonder then that leading enterprises, such as financial services company HSBC, have started planning for the business impact of an outbreak. In its case, HSBC’s managers have been working out how to continue operating when up to 50% of its staff may be unavailable for work – either through infection or because of travel restrictions.
Alongside the exhortations for business leaders to prepare for a potential pandemic, natural disasters, terrorist attacks and fires at fuel depots have all helped raise the profile of disaster planning; the need is now understood at senior executive level.
According to management consultancy Deloitte, the number of companies that have developed formal business continuity management programmes within the last six years has nearly tripled. Today almost 85% of large businesses have some form of business continuity plan in place.
But Justin Clark, business continuity consultant at BT, warns that plans can quickly become undermined by employee complacency: “There can be a culture of ticking the box. It isn’t uncommon for people to put a BC strategy in place and then sit back and think ‘job done’.”
That is a particular danger when planning for issues such as an avian flu pandemic. Speaking on condition of anonymity, the risk strategy manager at a UK-based financial services group said that, like HSBC, his company had also begun formalising its bird flu plans: strategy teams had been formed and key staff pulled in from across the organisation. “The problem for us is that no-one knows when it might happen; it could be years off. But will those same people still be around then? It’s a big issue now, but in two years’ time management may well have other priorities.”
To ensure that business continuity plans remain relevant at high street retailer Marks & Spencer, the plans are constantly reviewed and tested. This helps ensure that the business is as responsive and resilient as it can be, says Trevor Partridge, business continuity manager at M&S. “You can’t afford a negative impact on brand,” he explains. “When we plan for something, you’re only as good as your last test, and without a test, your plan is useless,” he adds.
So how often should plans be tested and revised? Best practice guidelines from the Business Continuity Institute (BCI) suggest a minimum of an annual test – but in practice, testing is often not a single event; instead it is an ongoing process, with multiple layers.
Testing business continuity plans can range from simple brainstorming sessions or programmes to raise awareness to more involved ‘war-gaming’, where events are simulated using test systems.
Tests may range from simulating the loss of a single site, such as a data centre, to the loss of telecoms or denial of service attacks, to testing live production systems (although usually this is done out of office hours).
A full-blown rehearsal, where the production systems are tested, is costly – and it is only necessary to carry these out infrequently, says BT’s Clark. One of the aims of testing is to highlight areas of weakness in plans. Plans that are tested too often risk slipping into the ‘fire drill syndrome’, where staff stop off to collect coats, cups of tea and bags before leaving the premises. Familiarity brings complacency, and nothing can be learned from simulations conducted complacently.
“Testing isn’t a one time event,” says Nigel Tozer, principal consultant at software provider CA. “Having a disaster recovery plan, back-up systems and testing regimes is great, but don’t leave out continuous monitoring of the key systems and the backup systems – if you can spot a problem and take action before it becomes critical, it’ll cost you far less than using failover systems,” he adds.
Even when managers formulate considered and detailed plans, oversights can occur. The major incident plan at one hotel chain was enacted during the 2005 terrorist attacks on the London transport system. Its managers soon discovered flaws in the plan: it had been assumed that mobile phones would provide vital communication links between key personnel, but the mobile networks were swamped by demand, and callers could not get through. In these circumstances, fixed-line calls became an improvised ‘plan B’.
Typically, service contracts contain minimal provision for recovery in the event of a major incident, says Simon Mingay, research vice president at IT advisory group Gartner. “Teams responsible for evaluation, selection and ongoing sourcing management must be explicit about their business continuity requirements.”
Business leaders can protect themselves – at least to some extent – by insisting that suppliers are certified to ISO 27002, a broad security standard that encompasses business continuity. There are also the British Standards Institute PAS56 guidelines for business continuity, which are due to be published towards the end of 2006. By relying on certifications, managers can save themselves the effort of having to test suppliers and partners, instead relying on industry best practice.
“Regular, rigorous and integrated testing by external service providers and recipients is an excellent mechanism for ensuring recovery capabilities and driving continual improvement,” says Mingay.
Most respondents now have some form of business continuity testing regime in place. However, nearly a quarter still fail to check their plans, while one in 10 only test plans after an incident.