Disaster recovery (DR) and business continuity management (BCM) plans are essential in today's technology-driven world. From natural disasters to acts of terrorism, and the increasing threat posed by cyber-criminals, any company that does not have a plan to keep itself in business in the face of any crisis is taking a somewhat irresponsible approach.
According to research firm Gartner, failure to take an enterprise operational risk management approach to BCM/DR will cause at least one major US financial services provider to face regulatory action in 2007.
Despite a plethora of predictions and statistics proving that bankruptcy is the most frequent outcome of a severe business failure or disaster, research conducted by HP late last year has shown that one in five (18%) enterprises and one in three (31%) SMEs lack a business continuity plan today.
In a post-9/11 and post-Enron world, DR and BCM are becoming critical for compliance, necessary for audit approvals, and even competitive differentiators. But let's take a step back and establish exactly what is meant by BCM and DR, two terms that are frequently used interchangeably but actually have somewhat different meanings.
Laying down the lines
According to the Business Continuity Institute, BCM is "a holistic management process that identifies potential impacts that threaten an organisation; it provides a framework for building resilience with the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities".
By way of contrast, Microsoft defines disaster recovery as "the ability to recover from the loss of a complete site, whether due to natural disaster or malicious intent. Disaster recovery strategies include replication and backup and restore."
In other words, business continuity refers to any and all activity that needs to be considered in order to effectively deal with anything that threatens a business. Disaster recovery relates more to operational recovery from a specific, critical incident. For example, a server going down may threaten the business but not necessarily immediately or catastrophically, thus it should be covered in the business continuity plan, but will not necessarily require a disaster recovery plan.
Compliance, compliance
The groundswell in awareness and adoption of BCM and DR has been slow to date, with many companies not seeing the need for such plans, or paying lip service to the concept by internally developing a plan and then failing to maintain and update it. This, finally, is changing.
Says Continuity SA MD Allen Smith: "It's taken a long time, but BCM is now considered to be good business practice. The groundswell relates to general awareness caused by 9/11, the Basel accord, Financial Services Board requirements, King II and other regulatory requirements building up pressure."
There is certainly an awareness by listed companies that they need to take risk management seriously, and that BCM and DR are part of this.
"We're seeing a shift," says HP SA business continuity and recovery and services lead Jeanine Osborne, "from protecting shareholders to placing responsibility on shareholders. They are now [accountable] for the plans they have put in place, as opposed to being able to lay blame at operational level."
Sound bytes
A solid DR and BCM plan relies on some sound principles.
1. "The best response to the threat of business disruption is a combination of several disparate risk management strategies into a single, integrated resilience strategy." - Chamu M'Kombe, business continuity and recovery services division manager at IBM SA
2. "There must be operational business benefits derived from BCM or you're not doing it for the right reasons. Even if the portion you are looking at is only strictly speaking DR, there must be a business benefit to it. [Otherwise] what's the point of doing it?" - Mike Rees, channel manager at Symantec SA
3. "DR is what the IT manager should think of and BC is what the risk team and management should be thinking of. The DR module forms part of a BC plan." - Jonathan de Magalhaes, specialist product manager at Faritec
4. "Ensuring optimal levels of service means having a DR and BCM plan in place." - Sagaran Naidoo, storage business unit manager at CA Africa
5. "While disaster recovery strategies are intrinsic to the enterprise risk efforts of all organisations, disaster strategies should only be considered as viable options in the truly unforeseen cases such as actual disasters, and not minor hiccups." - Dick Sharod, country manager at Stratus SA
6. "There are a couple of basic principles. Rehearse [and review, regularly], get buy-in from management, train staff and get buy-in from staff." - Jeanine Osborne, business continuity and recovery and services lead at HP SA
In South Africa, listed companies are required to comply with JSE regulations on good corporate governance, and while King II isn't prescribed, it is recommended. King II specifies that:
* The board is responsible for the total process of risk management.
* The board should make use of recognised risk management principles.
* The board is responsible for ensuring a formal risk assessment is undertaken annually.
* Companies should develop a system of risk management and internal control.
* The board is responsible for disclosures in relation to risk management in the annual report.
Other relevant legislation applicable locally and globally includes the Social Responsibility Index (RSA), the Electronic Communications and Transactions Act (RSA), Securities Exchange Commission (USA), Sarbanes-Oxley Act (USA), Treadway Commission (USA), Turnbull & Cadbury Reports (UK), the Cromme Report (EEC) and the Companies Act (RSA), which provide a basis to prosecute individuals for negligence in BCM, says Continuity's Smith.*
EOH Technology Consulting divisional director Hubert Wentzel argues that all Pty Ltds are obliged in some fashion to show they are planning for BCM. Certainly it's becoming a factor in annual audits.
Says HP's Osborne: "Auditors are getting very strict and asking companies what they are doing to protect the information they have."
Smith concurs: "Auditors are putting pressure on companies to comply or they will not qualify their audits."
Osborne adds that companies are beginning to ask questions of their suppliers too when signing deals, and insisting on the implementation of BCM and DR plans in the same way they insist on SLAs.
BCM and DR can also be a competitive advantage, as Smith notes. "Shareholders perceive companies with such plans in place to be better run, and there is a premium to the share price as a result."
The good news
Blogging gains credibility as DM tool
Gartner has revealed that blogs and wikis are viable disaster management tools.
An advisory recently* released by Gartner states there is a high probability that, by 2009, 35% of local first responder and homeland security crisis management plans will be revised to take into account the challenges and opportunities posed by content collaboration applications, like wikis.
Current disaster management documentation systems are slow and cumbersome, says Gartner. This results in inefficient and disorganised responses to disasters like Hurricane Katrina, where damage assessments were incorrect and adversely affected resource allocation. In a bid to improve communications during disasters, says Gartner, some managers have started using e-mail, which isn't a suitable medium for many-to-many discussions.
"Another solution is the possible use of virtual technologies, such as blogs and wikis, to better share information to assist in disaster management relief efforts," the Gartner report says. "Blogs are more suitable for presenting multiple agency perspectives in chronological order; wikis are more suitable as an information synthesis and an organisational tool than e-mail. Virtual technologies, such as blogs and wikis, are an extreme form of 'Web democracy' that can foster rapid and easy collaboration within a particular community of interest. Blogs and wikis are appropriate where there is joint responsibility, where there is an incentive to contribute, and where the process involves ongoing discussion and change. These are good alternatives to asynchronous e-mail accounts because they enable chronological authorship," the report notes.
Gartner says tools like blogs and wikis have yet to be adopted due to a "perceived lack of user acceptance and improper training, such as a reluctance to edit content or accept the concept of online, self-correcting and self-evolving disaster management tools".
Gartner recommends that planners combine the blog and wiki experience with "increased management for government users". The research house suggests a number of approaches, including training to ensure users are familiar with the technologies, assigning content managers, and using blogs and wikis to co-ordinate responses to disasters internally.
*Blog/Wiki Use in Disaster Management Gains Credibility, Jeff Vining, 17 April 2007. Report courtesy of Gartner Africa.
The good news for all CXOs battling to get to grips with a horde of legislation, regulations and good governance requirements is that a standard for business continuity has been published.
The Business Continuity Institute in the UK has been working with the British Standards Institute (BSI) to get a standard for BCM published. The first part of this standard - BS25999 - was published in November last year and is available on the BSI Web site.
The BSI's first dedicated BCM Publicly Available Specification (PAS) is also available online.
"Influenced by the BCI Good Practice Guidelines, the BSI PAS 56 Guide to Business Continuity Management describes the activities and outcomes involved in establishing a BCM process and provides recommendations for good practice," the BSI says.
Formal standards give companies a line drawn in the sand, or at the very least a starting point, something that has been lacking in this field for years. Stories abound of badly implemented and poorly maintained plans, with awareness of these shortcomings only becoming apparent once disaster strikes. The statistics give credence to these anecdotes.
US-based auditing firm McGladrey and Pullen estimates that 50% of all businesses that experience a critical system outage of 10 days or more will never recover.
A Gartner survey revealed some time ago that two out of five companies that experience a catastrophic event or prolonged outage never resume operations. Of those that do, one of three goes out of business within two years as a direct result of that outage or event.
These statistics were taken from a Brainstorm feature published in 2006, and are similar to other data released over the years. Now that companies are being compelled to take DR and BCM seriously, perhaps we can start quoting statistics about disasters averted instead.
*List courtesy of Jeanine Osborne, HP SA.
* Article first published on brainstorm.itweb.co.za