Assess, secure, respond: Business Continuity Planning

Business’ of all sizes are increasingly aware that fire, flood, theft, fraud, power loss, terrorist activity; computer viruses or IT systems failure could literally bring their operations to a grinding halt in a matter of minutes.

The probability of survival for any business involved in a major incident makes sobering reading with some 80% of companies never recovering. A recent report by Touche Ross estimated a survival rate of less than 10% for a business without a crisis management plan. Yet despite this strong correlation the paucity of business contingency planning in the UK prompted the Home Secretary to reiterate the importance of continuity planning earlier this year, stressing the duty of care for the safety and security of staff.

The take up of business continuity planning is not universally low. Larger organisations are more likely to have a plan of sorts while companies operating in heavily regulated economic sectors like financial services may be legally required to maintain a current plan. However, the absence of cogent planning in most UK companies can be attributed to a number of factors both historic and operational.

While UK companies traditionally faced business interruption from domestic terrorism and poor industrial relations, the proliferation of computer technology dramatically increased their vulnerability. The changing working practices that have accompanied the information technology revolution have increased commercial exposure. Just in time production techniques, global competition, knowledge workers, and an increasingly savvy and impatient customer base all serve to exacerbate the potential consequences of business interruption.

The very speed of computerisation resulted in an IT skill deficit at board level in many British companies. Unable to evaluate IT issues, the board frequently devolved responsibility for crisis planning to their IT departments. However, IT professionals were, in turn, often unwilling to highlight the true vulnerability of mission critical IT systems to a board seeking absolute answers to often unpredictable resilience issues. The resultant culture of untested plans and unfounded optimism is only now dissipating.

HSA has carried out a survey of 1,850 directors in London where some 85% stated that IT and Information Assurance was not their responsibility and that they did not recognise any Corporate Governance implications. Anything that was IT-related was automatically delegated, without reference to the IT department, and never even came in front of a Board Director.

Interestingly, the average age of shareholders in British companies has decreased by 15 years over the previous 2 decades. This could imply that the shareholders are, in all likelihood, more IT conversant than the boards of many major companies contributing to the shareholder revolts we have seen over the last 6 months.

The move to improve standards of corporate governance in the wake of Enron, establishing the personal liability of Directors who fail to respond to an identified threat to business activity, also re-enforces the importance of business continuity.

The latest Turnbull Report - guidance provided by The Institute of Chartered Accountants in England & Wales to enable UK companies to implement the internal controls required by the Combined Code on Corporate Governance - indicates that the internal control system "should be embedded within operations and should not be treated as a separate exercise" and "should be able to respond to the changing risks within and outside the economy".

According to research carried out in November 2002 by the London Business School, 57% of business disasters are IT-related and 44% of UK businesses from across the board suffered at least one malicious security breach in 2001. According to the similar research, each UK employee loses 183 hours per year due to IT failure.

In many small to medium sized organisations directors have been slow to adapt to their changing roles and, at best, have only a sketchy understanding of their true responsibilities. However, this still doesn’t account for the significant number of companies who are aware of the importance of business continuity but have so far failed to do anything about it.

Ultimately, the poor take up of business continuity can be attributed to the most prosaic of reasons, the time and expense traditionally associated with the plan development process.

Business continuity plans are often developed with the help of external consultants. In addition to the expense, the low levels of staff involvement in the development process can lead to a lack of devolved ownership of the plan. It never becomes embedded in the organisation’s culture and quickly becomes outdated once the consultants have departed.

The gamut of issues that come under the business continuity umbrella means that significant input from senior managers in every department is required on an ongoing basis if the plan is to be kept up to date. Even when adequate resources are allocated, the demands of plan maintenance, plan testing and plan reissue can prove onerous. For smaller companies with no dedicated business continuity resource, the process becomes unwieldy.

However, a new generation of web based business continuity software applications are revolutionising the cost and complexity of the business continuity planning process.

By adopting a scenario-based approach to mitigating the consequences of the loss of people, information or infrastructure, Shadow Planner, an online planning tool not only provides a planning framework but with automated, email based task management, it also streamlines on-going plan maintenance.

By involving a broad selection of individuals in the planning process, this software based solution encourages plan ownership which becomes an integral part of an organisation’s operational culture.

In today’s fast moving commercial environment, staff turn over, emerging technologies and changing work practices can quickly render an outsourced business continuity plan out dated. Business continuity plans are often developed with the help of external consultants. Low levels of staff involvement can lead to a lack of devolved ownership of the plans, which then quickly become outdated once the consultants have departed.

Automated email task management is key to Shadow-Planner’s up to the minute functionality. Individuals responsible for a part of the plan are issued with a task reminder email telling them that the relevant part of the plan needs to be updated. If the task is not then completed within the pre-agreed time frame, Shadow Planner alerts the Plan Controller by email.

Shadow Planner’s PDF report generator can be used to distribute clear reports to plan holders, minimising the time and resources required to keep the plan current while ensuring that only the updated version of the plan is available.

Hosted online Shadow Planner doesn’t need to be installed on the network and can be accessed through the internet from anywhere at any time. The Shadow Planner web-site is linked to an informative portal site which includes information on disaster recovery, employment law, government advice on adverse weather or terrorist risks etc, ie it supports the development of plans with access to relevant services.

To ensure your sensitive data is protected, all procedures, action plans and contact details are automatically encrypted using strong encryption.

Finally, Shadow Planner is inexpensive; a company employing 50 staff would pay circa £200 per month.

Further information:
Mika Bishop
Lehmann Communications
Tel: 020 7266 3020

Become a bobsguide member to access the following

1. Unrestricted access to bobsguide
2. Send a proposal request
3. Insights delivered daily to your inbox
4. Career development