13 October 2006
It's too late once disaster strikes
Wild weather, downtown flooding, fog-bound airports and recent power outages in Auckland and Wellington have been a shake-up for business. "They dramatically demonstrated how critical it is to have a solid and tested business continuity plan in place," says KPMG information risk management partner, Graeme Sinclair.
"Business continuity management (BCM) is not a luxury management tool but essential to stay in business, retain customer confidence, protect reputation and safeguard people.
"The skill is knowing how much of an investment to make in BCM and to make sure it is tested, updated regularly and for management to actively support and promote it."
"Bad weather or a power cut is not always perceived as a disaster, in terms of business continuity management, when we have such an appetising array of highly volatile natural risks such as eruptions, earthquakes and fires; events that conjure up images of crippling damage to businesses.
"But recent events caused all sorts of grief to individuals and businesses of all sizes. The ability of a power cut to cause an immense amount of damage, even when only short in duration, should not be underestimated," says KPMG.
Graeme Sinclair says a power cut can cause an uncontrolled computer shutdown with corruption to critical business data and operations. "Most businesses would be unable to supply the most basic service - like operating the cash register, accessing customers and contact by email. There are even health and safety risks when the lights fail and lifts stop working."
"Anecdotally, we've heard of cars being stuck behind barriers, cash tills not working and failed electronic links to Australia. Typically these are unlikely to cause a business to fail, however profits will fall and reputations are at risk."
Given that reported major casualties from disasters seem to be few and far between, to what extent should an organisation plan and for what scenarios?
"The BCM tool to measure risk is based on an algorithm of likelihood and impact," says Graeme Sinclair. "It depends upon how much the organisation will be affected by what scenarios. For example, if an organisation is not near the sea there would be little to be gained from preparing for a tsunami. However, if that firm’s single supplier or customer is directly susceptible, then suddenly the likelihood of being affected by a tsunami increases."
KPMG says the key proviso is for senior management to understand the risks when deciding whether or not to prepare for a scenario. This logic applies also to disruption from bad weather and power cuts, which can be just as troublesome as earthquakes, influenza epidemics or floods.
"Bad weather and power cuts tend to be more localised which means an inability to fulfil an order is unlikely to generate empathy from customers in Sydney, China or even another city in New Zealand.
"Organisations need to understand the likelihood and the impact of a range of adverse situations before investing in BCM. Regardless of how large the investment is, one thing is absolutely clear, a business continuity plan is of little value if it does not work on the day," says KPMG.
"If an expensive uninterruptible power supply is installed, which is designed to initiate a controlled shutdown or last for four hours, it would be money wasted if, when needed, it's found that it is not configured properly and no one bothered to check this."
Management can only gain comfort that recovery tools will work on the day if they are tested beforehand. The extent of testing undertaken will depend upon the criticality of a resource (e.g. system) or process to the business and, for certain processes or organisations, a full and detailed scenario-based test may be relevant. However, business continuity plan (BCP) testing does not necessarily mean testing every facet of a BCP or permutation of processes and resources.
In a disaster there is likely to be a range of new environmental factors that will affect business processes, such as working from home, by mobile or from paper records and spreadsheets, instead of online. Testing should focus first on the changes to the environment. For example, checking that the connectivity works between home and the recovery site or that certain data can be retrieved remotely. This might be considered a ‘proof of concept’ approach. The objective is to gain confidence that a business process can be achieved, rather than providing full assurance that a process will work for a wide range of scenarios, with multiple users under stress.
Planning for change is as important as continuity planning itself. Nothing stays the same, people come, people go, systems get upgraded and new risks emerge. The work does not end once a test strategy has been agreed and executed.
Whenever there is a material change in critical software, hardware or infrastructure, a key staff member or supplier, relevant legislation or any other important variable, the business continuity plan must be revisited and, if necessary, updated and tested again to ensure that the plan remains valid. The changes must then be rolled out to the stakeholders. And so it goes on. Only then will management gain any real comfort that their businesses will be able to adapt to ‘disasters’, however small or large, in the future," says KPMG's Graeme Sinclair.