This week Charlie discusses the justification for business continuity and provides some examples of where his work has improved organisational resilience.
The earthquake in Ecuador earlier this week has left me thinking about how many of the country’s businesses will survive and whether many of them had business continuity plans in place. As quickly as details of the incident came onto the TV, they seem to have vanished again, as the news circus moves on to the deaths of Victoria Wood and Prince.
The earthquake got me thinking about the justification for carrying out business continuity and how we sell it to organisations to ensure that it adds value, and is worth spending the time and money to develop it. For a long time I asked many people, ‘where are the case studies which prove that business continuity works?’ I was looking for an example of an organisation that has put in place a business continuity programme that could prove that they would fail without it. There may be case studies out there, but it seems that, as an industry, there is not a well-quoted example that everyone refers to. Therefore, case studies are probably not the way to justify implementing business continuity.
Many consultants and disaster recovery websites often quote, ‘70% of organisations that have a disaster will fail within 3 years’, or similar style statistics. A couple of very senior business continuity people tried to find the original quote for this and where it had come from, but they were unable to find the source or any research which proved it. It has become an urban myth within business continuity and, if you look closely, most organisations who understand business continuity do not use it. So in our quest for business continuity justification, it is not to be found in research and statistics.
Although nobody I have met with so far has said that conducting business continuity is a waste of time, they are looking for reassurance that the work they do provides business value. I then thought of looking closer to home to find justification. One of the things I pride myself on doing as a consultant is finding a major risk in an organisation, which is either not known or, if it is known, senior managers are not aware of it. From this I can see the justification for carrying out business continuity and actually adding value to the organisation and making it more resilient.
A few examples:
1. I worked with a high tech firm who had two offices in Europe and one office in the USA. This company is as high tech as it comes, even down to the hipster beards, heavy metal T-shirts and coding with earphones on! Their IT for all their operations, their coding, email and website were all based on one site. If the site was lost they would lose all connectivity, email, ability to work and even their website would be dark. They had a UPS, but this would only keep the systems up for 20 minutes. They had never thought about the impact of losing their data centre to a simple incident, such as a power cut. It would be extremely embarrassing for them, as a high tech company, to lose their website, the ability to email and be contacted by their customers. Once they were aware of the risk, they immediately started a project so that they had a number of systems in a second local data centre and their website was hosted at a third party. They are now much more resilient.
2. A similar example was a fuel company outside the UK which had 150 petrol stations. Fuel cards were a key part of their operation and the organisation had large amounts of data flow. They were at a stage that if they lost their IT they would be unable to operate. They backed up their data off site at one of their other offices. When I told them that although the data was backed up it would take 6-12 weeks to buy new hardware to restore the key systems, the senior managers’ faces went white! They are currently talking to a local data centre company to host some of their systems.
3. We have just started working with a logistics company. They have spent a lot of money on a disaster recovery solution giving them a 24-hour recovery. This included their website. I pointed out to them that they would want their website or at least a shorter version of their website to be hosted by a third party. This would ensure that they could use it for communicating with their customers and explaining what was happening during an incident until the IT was up again 24 hours later.
4. On supply chain, we pointed out the risk to a delivery company as part of a full business continuity lifecycle roll out. Their delivery from depot to customers is carried out by self-employed van drivers. If the van drivers’ company went bankrupt, most providers had 2-3 vans so they could be easily replaced. In London they had one company providing 250 vans. I asked about the notice on the contract, which was 24 hours. So they were at risk of the company withdrawing all their vans with 24 hours’ notice with it being almost impossible to replace them. The contract now has a month’s break notice!
5. One of the techniques we teach during incident management training is the use of an agenda to manage meetings and keep them short and focused. A former client phoned me up to say they had a major incident which they had managed using the agenda. Their first incident team meeting took 40 minutes and the second took 15 minutes and he was congratulated for managing the incident so well.
6. We worked with an emergency water supply company to get them ISO22301 compliant. They lost power to their office and depot due to widespread power outages in the South of England. They followed their plan and there was minimal impact on their customers. It was so successful that LRQA turned it into a case study.
I have yet to carry out a business continuity assignment where we have not discovered risks or incidents which would have a major impact on the organisation if they occurred, therefore improving their resilience. Where plans have been used I am confident that those who use them will manage the incident better than if they had no business continuity in place.