Subscribe

Keeping business as usual

James Francis
By James Francis, Ghost Writer, Copywriter, Media Hack & Illustrator
Johannesburg, 04 Aug 2015
Yannick Decaux, country manager, Orange Business Services
Yannick Decaux, country manager, Orange Business Services

"Never was anything great achieved without danger," wrote the Renaissance philosopher Niccol`o Machiavelli. Business as a rule understands this: there is no reward without risk. Yet, that's not the type of risk keeping business leaders awake at night. Instead, that age-old concern - keeping the lights on - sits at the forefront of executive nightmares.

According to an EMC survey, nearly three-quarters of local companies are not confident of fully recovering from a disaster. It's a real threat: more than half the companies surveyed suffered downtime or data loss in the previous year.

These are not even small companies. The situation for SMEs, according to Connection Telecom sales and marketing director Sacha Matulovich, is already one of hanging on for dear life. Instead, the bulk of business continuity management (BCM) activity is among large enterprises. A KPMG report found only 9% of companies focused on BCM are single-location operations. But, as technology's reach grows, so does the risk to all businesses.

BCM is the discipline of making sure a company's technology stays up and running despite internal and external interruptions. The shaky condition of SA's electricity supply has prompted a lot of attention towards BCM, as noted by the attendees of this roundtable. In fact, had champagne been on offer, they might have slyly toasted Eskom for its ineptitude.

The unknown

But, energy barriers aside, BCM is not simply a matter of buying generators and good backup software.

"You have to look at the world at the moment. Its velocity compounds downtime. Your market share can go next door while you're down," says Mark Ogden, senior manager at EY. "It's also more volatile, and everything you say and do is open to scrutiny. So you don't have enough space to deal with what goes wrong. Inherently, you assume known risks, but is it good enough to deal with just those? No, you have to deal with the unknown."

"It's to protect customers as well," adds Matulovich. "To be a responsible trader and not leave customers in the dark."

But BCM adoption doesn't really need to be motivated. The more thorny issue is what BCM today actually represents. As technology has grown to underpin business operations, the principles of BCM have transcended from a strictly IT perspective to embracing the whole enterprise.

"We're starting to see that clients don't just want network node infrastructure, which was the real value-add," says Michele McCann, business development manager at Teraco. "Now, guys realise they have cloud, compliance, staff issues... So we're seeing huge growth in network resilience, telecoms for voice resilience, more app resilience. Then it's all put into cloud-on-demand."

Warren Olivier, regional manager: South Africa, Veeam South Africa
Warren Olivier, regional manager: South Africa, Veeam South Africa

Michael Davies, CEO of ContinuitySA, agrees: "CIOs realise there is more risk - a lot more risk - because the world is becoming more complex due to fibre, cloud and so on. The opportunities and threats are rolled into one."

The amorphous qualities of networked technology have shifted BCM from silo strategies that involve singular departments or applications to a wholesale approach. But the services revolution, termed by Veeam South Africa regional manager Warren Olivier as "an `a la carte approach", is also prompting customers to handpick which areas of BCM they want to address: "That's where everything as a service [XaaS] comes in. Recovery, testing, POPI compliance - these can all be offered as a service. Outsourcing is not new, but cloud is the new way of doing things. Clients just want us to do this or that for them."

You've got to look at the world at the moment. Its velocity compounds downtime.

Mark Ogden, senior manager, EY

Yet, even if companies are picking their BCM battles, it's not really an option. Good corporate governance, enforced by legislation, increasingly requires continuity at large companies, says T-Systems SA business continuity manager Glenn Rugan: "Governments focus on it with the hope of improving private sector business practices, ultimately to protect shareholders and customers."

From the top down

All of the above has cemented the most fundamental change to BCM.

Sacha Matulovich, sales and marketing director, Connection Telecom
Sacha Matulovich, sales and marketing director, Connection Telecom

"BCM starts with a B - it's business," says Amanda De Beer, regional manager: Data Protection Solutions at EMC. "It's a business problem."

In other words, it's the oft-heard mantra that there are no technology problems, only business problems. As such, BCM only functions if it's adopted at the top as a company strategy.

"The CIO can only do so much," says Davies. "It's a comprehensive approach that requires the whole board's backing. BCM mitigates risk and financial exposure. It creates a forward-looking company that understands its environment better. There is every reason why the entire leadership should be invested in it."

Why is this fundamental? BCM strategies that aren't driven from the top become granular. Bits are done here and there, but no umbrella strategy ever really takes shape. The resulting fractured landscape is the antithesis of modern ubiquitous technology systems.

The challenge is selling the grudge/gain duality of BCM to the rest of the company. Some prefer to frame it as an insurance paradigm, but to others, this devolves BCM's new forward-thinking qualities. The latter holds that BCM enables a company to be more agile and make better use of its resources. Still, even with this proactive jacket, BCM remains a bitter pill.

"BCM is a grudge purchase, but also a valid risk treatment," Davies continues. "As much as you have agility to deal with what's gone wrong, you gain the ability to deal with what's gone right too. That's because you've adopted the resilience stance, not the reactive continuity stance."

CIOs realise there is more risk. The opportunities and threats are rolled into one.

Michael Davies, CEO, ContinuitySA

The proposition that BCM can be a forward-thinking strategy is certainly one to woo the company with. It's already the means by which to determine a company's own visionary prowess, says Matulovich. "Sophisticated companies take a forward-looking view on BCM, while less sophisticated companies see it as a grudge purchase."

The difference is the aforementioned qualities of resilience versus reactive thinking. It creates the ability to truly understand a company's various parts.

"Many customers are reluctant to spend on new infrastructure, but BCM can put them into the future," says McCann. "What we did was revisit our processes again. At the time, it felt like a negative annoyance. But it improved us as an organisation, leading to sales, and made us a better business. We found small things we could fix, like how to run a cable better."

Michael Davies, CEO, ContinuitySA
Michael Davies, CEO, ContinuitySA

BCM is also not applied equally and, if done right, will identify different tiers of importance within the organisation.

"Maybe 80% of the environment needs a recovery time of two hours," says Olivier. "But 10% is mission-critical, so companies are willing to pay extra because it has to be up in seconds."

Risk is risk

Yet, a BCM strategy is not the first step. Before a company can address shortfalls or aim for agile resilience, it needs to know what is at stake. This is a major barrier for robust BCM solutions. Companies often don't quantify the value of the risk. Many only figure this out once they've lost data, market share or something else.

"How much are you willing to spend on this?" asks Yannick Decaux, country manager for Orange Business Services. "Some customers have no clue - they don't know what the right amount is. Before talking about BCM, first check if you know the risk, if it's quantified. You can't have a BCM plan if you don't know the risk and its cost. Some customers know exactly what happens if they had to shut down a site. Some are still guessing."

The good news is since BCM is a business strategy, business risk is a good measuring stick. As such, it's relative to the nature of the company. Decaux offers an example of a multinational courier customer: the freight service rates the risk of a warehouse with parcels going up in flames not by the value of the parcels, but the resulting loss of current and future customers if those parcels fail to reach their destination.

BCM starts with a B ? it's business. It's a business problem.

Amanda de Beer, regional manager: Data Protection Solutions, EMC

To draw BCM's circle, start with the bottom line: what does the company do and what can't it afford to lose? Then identify the various functions in the business that support that, in turn identifying the technologies that enable those functions.

"You can never reach 100% resilience," Decaux proclaims. "It all comes down to cost and risk assessment. And be sure your suppliers understand your BCM plan."

Also read the fine print, particularly around matters such as data. With cloud environments gaining popularity, many of the legislative and resilience requirements are being placed on the IT service industry. But that does not mean those entities carry responsibility. Legislation is always on the client company, but even the recovery of data, or what to do when that data disappears completely, may not be covered by a service provider. The devil is in the detail with contracts, says Olivier, so customers should look at that.

Test your strategy

A company may have invested in a sound BCM strategy, but it cannot be left to its own devices. As EMC's Amanda De Beer points out, it can take weeks or months to even discover something like critical data being corrupted. As such, it's important to constantly test and refine different parts of the BCM strategy.

Glenn Rugan, business continuity manager, T-Systems South Africa
Glenn Rugan, business continuity manager, T-Systems South Africa

"You always have to run tests on it to see that something works, and test live in the environment," says Veeam's Warren Olivier. "If you haven't tested the process, how will you know it won't fall down? Some things are out of your control, but there are ways around it."

Teraco's Michele McCann agrees that testing is important, not only to pressure systems, but also the skills that support them. She relates a story about a test at Teraco that brought down a large client's entire network. The fault? The client's employees, when installing their hardware, neglected to plug in the secondary power cable. One simple mistake led to downtime and losses ? tests exist to identify these blind spots.

Yet she can understand the reluctance to test BCM implementations: "Testing is expensive. But if there is an outage and we go down, our clients would riot. So we have to do these tests, but it costs time, money and resources."

This additional cost also creates friction in companies, often pitting the CIO against other executives, says Orange's Yannick Decaux: "The CIOs are more mature on the topic of testing than other business people. There is a struggle within organisations when it comes to testing. Most want it just as a theoretical illustration in PowerPoint. The CIOs try to enforce testing, but business wants to kick the can down the road. Implementing true testing discipline is a hot topic among enterprises."

How much is too much?

Despite its importance, companies often underspend on BCM. Then again, they are hardly at fault for doing this: quantifying the value of intangibles, such as processes and data, is not easy.

Michele McCann, business development manager, Teraco
Michele McCann, business development manager, Teraco

The first step is to not isolate BCM as a technology risk. It goes hand-in-hand with other factors: liquidity of the company, the impact of bad business decisions, the state of its market share, etc ? all of these are indicators of a company's health. A BCM solution should be approached as an overarching business risk strategy.

The second is to understand what is at stake. T-Systems' Glenn Rugan relates an experience as a former bank employee: the bank used the number of transactions it processed per second as a benchmark of losses in the event of a failure. The result was not one but three extra redundancy data centres - a cost justified by the potential damage of downtime.

Orange engages similar redundancy calculations, says Yannick Decaux. When protests broke out in Egypt a few years ago, the company could redirect local services to India and use mobility strategies so employees could work from home. Again, the cost of deploying that infrastructure ahead of time was balanced by circumventing a major nationwide disruption.

The third step is to engage in scenario-planning. This is a good way to curb costs. For example, Michele McCann explains how at Teraco, they store a month's worth of diesel for generators in case of an all-out blackout - humorously termed a 'Zombie Apocalypse'. But the plan doesn't extend to two months, because if such a scenario persists for that long, Teraco would be meaningless. At that point, nobody worries about connectivity anymore. Through scenario-planning, a company can identify where the limits of its survival lie and not overspend in the vain hope of avoiding the unavoidable.

Why BCM fails

Business continuity may be a complicated solution to build, but the reasons for failure are far easier to appreciate. EY's Mark Ogden lays out three points to why even the best BCM implementation can fall apart:

Amanda de Beer, regional manager: Data Protection Solutions, EMC
Amanda de Beer, regional manager: Data Protection Solutions, EMC

1. Know that something happened
Some errors may be immediately catastrophic, but much of the technology that drives a company is more obscure. A classic example is data corruption: it may take weeks or months to uncover, at which point the damage is done and may have spread. Investing in early warning systems through regular testing and scrutiny is imperative.

2. Do something about it
This may seem obvious, but many companies either lack an appropriate response and some continue to simply ignore the problem. But even the most trivial of technology failures can contribute towards wider and catastrophic downtime. There is no substitute for diligence.

3. Get the right people to the job
Getting labour on site is a surprisingly persistent issue. Often, BCM is left as a technology problem, ignoring the human skills and other resources required to address a failure. There is no point in spotting a problem if the appropriate people can't - or won't - fix it. Responses to problems can't be last-minute. Instead, a company must create a broader backdrop to its BCM strategy.

Share