A decade in business continuity planning
Introduction The Central Bank of Sri Lanka was bombed the same month I started the company. The first World Trade Center bombing in New York City was an even more recent memory then than September 11, 2001 is to us today. Computer data was stored on tape reels in a “tape room,” often right next to the data center in the same building. Whether or not disasters were less frequent ten years ago than they are today, it is fair to say we were all much less concerned about man-made disasters than we are now. Ten years more experienced (if not wiser) than I was then, I’ve helped prepare contingency plans for companies all over the world. I’ve had an entrepreneur’s exhilarating journey, and I’ve learned some lessons. In preparing this paper I’ve thought about what might help you move forward with your own contingency planning. Here are some lessons I’ve learned, not necessarily in the order in which I learned them, but in the order in which you might apply them to your own planning. We are always prepared for the last disaster My client, a bank, lost its office in the October 1997 World Trade Center bombing in Colombo. After that incident, we often used bombing or fire as our disaster scenario. Little did we suspect that the next year, another bank would activate our contingency plan not because of a bombing, but because of riots in Jakarta in May 1998. Every business in Jakarta was closed, so serving their customers was not important. Instead, distributing payroll to employees was their most serious challenge: many employees in Indonesia don’t have bank accounts, so payroll is distributed in cash. All banks where cash could be obtained were closed. As the Indonesian Rupiah was grossly devalued at the time, the physical cash required to meet payroll weighed many kilograms. Asking expatriate managers to carry around and hand out large amounts of cash during a riot was not considered prudent. In our planning, we hadn’t considered any of these difficulties: both the disaster scenario and resulting challenges were unexpected. I did not guess on Monday, September 10, 2001 that airplanes would fly into America’s tallest buildings the next morning. Nor did I have any idea in March, 2003 that chickens and ducks were about to cause $15 billion in SARS damage to Asia’s economies. I read that avian influenza may devastate populations in Asia in the future, but I’d bet that the next business disaster in Asia will be something that I cannot predict today. Pictures & stories aren’t persuasive I know of a company in Singapore that lost US$12 million in a fire in June 1997, had a substantial environmental clean-up liability and took years to rebuild its business – but when I called some time later, the owner had no interest in talking about business continuity planning. A bank that had a fire in its headquarters in Europe and a fire in its trading room in Singapore only started preparing a BCP when regulations in the bank’s European home country made is mandatory. On the other hand, sometimes a disaster happening to a company is a motivator. ABN Amro Bank started its Asia business continuity project in October 1997, just after the bombing of the World Trade Center here in Colombo. Futures and options broker Refco called us for help with their BCP in October 2001, because the company’s New York office had been closed by the WTC bombing a month before. We started to prepare a BCP for a British bank’s North American offices in early 2002; their employees had walked out of Manhattan on September 11. There is at least one other motivator besides personal experience that gets management’s attention: the prospect of going to jail. In the US, 75 percent of companies now report (1) having some form of recovery plan. The reason? A director or manager faces personal civil or criminal liability for failure to comply with Sarbanes Oxley. When more governments in Asia adopt similar rules – and I believe strongly that they will – we will start to see widespread business continuity planning activity. Risks: Don’t Ask, Don’t Tell I remember exchanging e-mail in 1996 with a colleague in the US about a prospective bank client in Asia that wanted to skip a risk analysis: the bank told me, “You should know what risks banks face from your past experience.” “Ridiculous!” retorted my colleague. “No two banks are alike, and no two locations are alike. Assuming the risks in one location will be the same in another – particularly between the US and Asia – is crazy!” True perhaps, but I found that companies in Asia won’t spend time or money on risk analysis. Managers already know – or believe they know - what risks they face, and experience is their chief guide. If you ask about the risk of an earthquake in Singapore, everyone laughs. Ask about it in China or the Philippines, and everyone nods knowingly. Companies don’t even pay their insurance companies for risk analysis: they expect their insurance companies (or re-insurers) to provide risk assessments at no charge. And when we ask about a worst-case scenario, everyone has a different opinion. What’s the worst that could happen? I learned that most managers consider that their greatest risk is any event that would render their company’s office unusable, but that would allow their competitors and customers to continue to function. In short, the disaster would be very localized. This is called a ‘denial-of-access’ scenario, and it can be caused by fire, flood, power outage or terrorism, among others. Yes, a tsunami could hit, but you will agree that it is unlikely to wash away only your building. Even if you don’t agree, the consequences of a tsunami and of a power outage are the same to a business: the business could not use its facilities. So we’ve learned to use risk assumptions instead, which require no calculations, no research, and very little historical evidence. We ask managers to assume they would be unable to get into their buildings, and would be unable to use anything in those buildings, including any IT systems hosted there. For most companies in Asia who do not have a BCP, this is a plausible, useful way to start a BCP – and to skip or postpone a time-consuming risk analysis. If the disaster assumption, then, is a denial-of-use or denial-of-access, how likely is your building to “fail” in some way? To answer that question, we conduct a facility risk review. We examine a building’s infrastructure and services: * Air conditioning and ventilation I assumed that in a modern office building in any major Asian city, the likelihood of a building’s infrastructure or utilities failing would be low. What I’ve learned is that simply walking around a building with a checklist, accompanied by the property manager, nearly always turns up surprises. These surprises often turn out to be a much greater threat (and therefore a risk) than most companies imagine. Methodology madness I discovered there is no single correct business continuity methodology that works everywhere. Examples of successful – and unsuccessful - deviations from DRII and BCI methodologies abound. Perhaps it is more accurate to say that business continuity methodologies are evolving. For example, it seems logical, and the DRII methodology specifies, that testing should follow preparation of your BCP. I recently attended a conference in the US, however, at which several BCP professionals advocated testing first and then developing a business continuity plan based on the results of the test. They argued that this methodology can speed up the planning process, and get management’s attention by having them discover how ill-prepared they are. This turns the standard methodology on its head – but it may turn out to be very effective. Even our own methods for conducting a business impact analysis (BIA), for example, have changed significantly over the years. At first we interviewed at length one manager from every department to obtain Recovery Time Objectives and Minimum Operating Requirements for every activity in his or her department. This was time-consuming and expensive. To save time (and therefore cost) for our clients, we began to limit our interviews only to senior executives, and instead we distributed written BIA questionnaires that department representatives could complete on their own time. This saved time initially, but we found ourselves spending a lot more time chasing respondents to explain insufficiently-detailed answers to questionnaires. We’ve learned that interviews are better for some situations, questionnaires better for others. No matter how we collected it, eventually we distilled the BIA information we collected into a table format, and presented it to management orally. This process took weeks, sometimes months, but we imagined our BIA conclusions to be unassailable, because they devolved from our elaborately documented investigation. I was stunned the first time a CEO looked at our meticulously-prepared results and blurted out, “Who told you we needed that many people in Customer Service?!” With a pen stroke, he revised several months of our work. Now our methodology starts all projects with the senior managers setting recovery objectives and parameters for the company, and only refines their decisions with information collected in the questionnaires and interviews. Just as we’ve found that there is no single acceptable methodology, we’ve also learned there is no single outcome that applies uniformly, for example, to all accounting and finance departments, even though their business activities may be very similar. There is no “right” recovery strategy that applies to all manufacturing companies or to all supply chain logistics companies. There is no internationally-accepted Recovery Time Objective for a bank treasury department. BCP needs inspiration and perspiration Nor does it make sense to me to have specialists for security, human resources, facilities management or corporate communications, but not for business continuity. Preparing a business continuity plan requires training, experience and judgment no less than any of these professions. Many companies in Asia can’t afford to have full-time BCP professionals on staff, and so they contract with outside experts who can devote their full attention to planning. In a large company, developing a BCP, testing it and maintaining it is a full-time job. In some multinational companies, it’s a department. Business continuity planning is not, and should not be, a responsibility of the IT department. In many companies we’ve helped, BCP was initiated by - sometimes even sponsored by - the IT department, but IT’s only responsibility was to ensure that business managers made the required decisions to complete the BCP. Thereafter, IT should be responsible only for ensuring that IT recovery capabilities meet the recovery requirements set by the business. I’ve slowly concluded that maintaining separate departments for business continuity, security, facilities (property management), corporate communications, IT security and risk management will eventually prove unworkable. A good continuity plan provides for emergency response, crisis management and business recovery, and those cannot be comprehensively managed without all of these departments – and the rest of the business - working together. I have come to the conclusion that large organizations will one day appoint a Chief Continuity Officer to whom most or all of these departments will report, and who will be report to the Board of Directors, as Internal Audit does. BCP software I’ve found business continuity software of value primarily to an organization’s BCP coordinator, because the software’s database features permit consistency and synchronization across the organization. The “users” of the plans – department staff - benefit no more from using BCP software to write their plans, in my experience, than from using Microsoft Office software. As a result, only multinational, primarily North American Fortune 500 companies buy and use BCP software in Asia – and most of them use MS Office software instead. For creating large volumes of paper BCP’s to store in notebooks, or to show to internal auditors, Microsoft Word and Excel seem to work just fine and are, in my experience, the most widely-used BCP software programs in Asia. Public-Private Partnership Why is this important? Public authorities would be overwhelmed in any Asian city or country – as they were in Sri Lanka – by an event of the scale of the tsunami. Public authorities depend on the resources that private companies can contribute to a recovery effort. Without cooperation and joint planning in advance, those efforts will overlap in some areas, overlook other areas, and conflict in still others. A simple example: you set an assembly point outside your building to which evacuating employees should escape in an emergency. Will the emergency authorities permit you to assemble at that spot in a real emergency at your building? Have you mistakenly selected the spot where the fire department plans to set-up its command post? Can you call them up to ask? And if not, why not? Another example: as the BCP manager for your company, you will want to assess any damage to your office as soon as possible after an incident, or you may want to retrieve important papers from the building. Under what circumstances will emergency responders permit you to do that? This question is of sufficient concern that major US cities have established a Corporate Emergency Access System (CEAS), which permits credentialed representatives of companies to cross police and fire lines specifically for business continuity purposes. A similar system is, in my opinion, desperately needed in the major cities of Asia. Final thought Reference Contact the author: nforbes@calamity.com.sg This paper was first prepared for the Computer Society of Sri Lanka (CSSL) annual conference. www.cssl.lk
•Date: 20th Jan 2006 • Region: Asia/World • Type: Article •Topic: BC general |
