SPECIAL REPORT: BUSINESS CONTINUITY Coming full circle Business continuity is all about just what the term suggests it is – the survival of a business in face of a serious disruption. Planning is paramount, and testing crucial. Mark Phillips spoke to IBM’s business continuity expert, Andrew Fry, to find out more. 12 RISK August 2009
About two weeks ago a blaze in the administration building of Melbourne’s Silver Top Taxi, which occupies 50 per cent of the city’s taxi market, crippled the company’s operations and caused massive disruptions to taxi telephone bookings. The fire, which is thought to have started in a downstairs office and spread quickly throughout the timber warehouse-style building, which included a call centre for bookings, also destroyed historic relics from Victoria’s taxi industry and caused “exceptional distress” among staff at the administration centre. The incident was yet another example of the frailty of many companies’ business continuity, and the importance of having well thought-out and tested plans in place to deal with crises. Unfortunately, even those firms that have invested in putting a business continuity plan together sometimes fail themselves when it comes to executing it in a crisis. “The plan is often poorly designed in terms of people knowing what to do and when,” says Andrew Fry, business unit executive manager, IBM Business Continuity and Resiliency Services. “There is often a reliance on or an assumption that base infrastructures will still be around. Depending on the scenario, there may not be a mobile phone network, and transportation is not necessarily a given.” Call trees have long been a standard in default planning, but their merit as a fail-safe system is questionable. Someone will get a call that something has gone wrong, and they, in turn, will contact perhaps another five people, and so it goes. “Typically it takes about two hours from the crisis point using a call tree to get the message out, and then another two hours for a response from the first message,” Fry says. “The first four to five hours after a crisis strikes is the golden period – the critical time in which you have to manage your response to media and stakeholders such as clients, suppliers and staff. By using a manual call tree you are only going to get one message “The first four to five hours after a crisis strikes is the golden period – the critical time in which you have to manage your response to media and stakeholders” out and back within two to four hours, which is a pretty poor way to manage a crisis.” Although it is one of the biggest exposures in continuity plans, people haven’t necessarily found any easy alternatives. After all, you can’t exactly recreate your own mobile network if it’s down. What you can do, however, is seek out software tools specifically designed to assist with crisis communications. One of the services offered by IBM is a web-delivered tool which will pretty much instantly communicate with thousands of people across all available devices – be they mobiles, landlines, email, fax machines or radio. “In so doing, you can actually shorten the initial response from a four-hour window to a matter of minutes and, importantly, have just the message that is relevant to a particular person go out. For example, a CEO will have a different role to someone who has to go out and fix a server, find alternate premises for staff, or speak to the media. You can articulate different activities to the right people and manage what can be very complicated communications.” Of course, this assumes that people know in advance what their role is supposed to be a crisis, which is a key planning issue that can be managed in-house, outsourced to specialist providers, or operated from web-delivered software such as IBM’s Business Continuity Planning Toolkit, which integrates with its communications tool. Unfortunately, it is a fact that businesses today face a whole raft of risks to their continuity – everything from pandemics to natural disasters to malicious web attacks. In face of declining budgets, can organisations realistically expect to have tried and tested continuity plans to counter all the threats they potentially might have to deal with? According to Fry, it is important to – as far as practically possible – separate planning from individual scenarios. “Our view is that continuity planning should be able to handle any kind of event, meaning that you need to think of it as an event or disruption per se, not a pandemic, fire, flood or cyber-attack. Yes, these are different scenarios RISK August 2009 13