
Concentration risk high on the agenda

The latest UK Financial Services Authority business continuity publication, ‘Feedback Statement on the Resilience Benchmarking Project Discussion Paper’, raises questions about concentration risk which are being asked by many business continuity managers around the world.

The FSA’s feedback statement documented the results of a consultation on the official report into last year’s comprehensive Resilience Benchmarking Project, where participants from the UK’s financial sector responded to an exhaustive survey carried out on behalf of the Tripartite Authorities. One of the areas looked at was concentration risk, and the results of the Benchmarking Project show that this is an area where there is a potential threat: during a wide-area event, firms’ operational and recovery facilities may both be impacted by the same incident.

Concentration risk does not only apply in the financial arena; it is relevant to every sector and profession. And, although it is more likely to be an issue in the central business district of any city around the world, it is still a potential threat to those situated in more rural areas. It is also important not to be lulled into thinking that it is just an issue for the ‘big boys’. Some of those most at risk are single-site small and medium-sized businesses.

One of the perennial questions asked, especially by those new to the industry, is ‘how far away should my recovery facility be from my operational facility?’ Or words to that effect. The FSA has found that similar questions were raised during the Resilience Benchmarking Project. The feedback statement says that there is ‘significant desire for guidance on minimum distance criteria’.

However, this is not, and never will be, a question that can be answered, except in the most arbitrary way. The answer will always be that the minimum distance between an operational facility and a recovery facility has to be an individual decision, based, in good business continuity tradition, upon a risk assessment.

The FSA feedback statement recognises this, with the majority of firms feeling that, whilst it was helpful to raise the issue, distance was not the most critical factor when determining the suitability of recovery sites; setting hard and fast distance criteria would be unlikely to be useful unless the guidance was provided in context.

THE WAY AHEAD?
So, if the concentration risk issue has to be thrown firmly back into the hands of individual companies and their business continuity managers, what is the way forward in this area?

As already highlighted, the first step is risk assessment: creating a risk profile for operational and recovery facilities and determining where shared resources and infrastructure may pose a concentration risk. The FSA feedback statement identifies the following risks as examples of those that need to be considered:

- Power: are operational and recovery sites on the same power grid?
- Transport: are sites serviced by the same transport links?
- Environment: are sites subject to similar environmental risks?

Other areas for consideration include:

- Telecoms: could a fixed or mobile phone outage impact both operational and recovery sites?

- Utilities: as well as power, could impacts to water and gas services potentially affect both sites?

- Cordons: is it feasible that access could be denied to both operational and recovery sites due to a police cordon? Have you considered the cordons that could be imposed for a conventional terrorist attack? What about a dirty bomb; or a toxic chemical release? A biological attack? A contagious disease outbreak?

- Neighbours: are there other businesses in the area which could have an impact on both sites? Are there fuel depots? Chemical factories? High risk terrorist targets?

- Supplier issues: If your recovery facility is provided by a third party business continuity supplier, there are various risk factors which may need to be considered. These include: what are your supplier’s own business continuity plans? Are you contracted to a specific recovery facility, or can you use other facilities operated by the same supplier? How feasible would it be to travel to other recovery facilities? How does your supplier manage syndication (the number of companies contracted to the same space or equipment)? Are there other syndicated companies who are likely to want to use the same recovery facility at the same time as you do? And, if so, how will this be managed? How might you be impacted?

MITIGATION MEASURES
If, having conducted a risk assessment, you decide that you have a concentration risk issue that needs resolving, what is the best approach? The FSA states that “broadly speaking, firms should have a recovery facility ‘close by’ that they can get to quickly in the event of a localised event, and something ‘further away’ which is subject to a different risk profile that would remain unaffected by a wide-area incident”. Although this makes sense, there are questions which still need to be looked at. For example:

- Cost effectiveness: is it really going to be cost effective to have a dual recovery facility approach, or will this stretch your business continuity budget too far? Are there other business continuity areas which need the investment more?

- Communication: how will you tell staff which recovery facility to attend? How will you avoid confusion?

- Travel / logistics: if you are expecting staff to attend and work out of a recovery facility that may be a substantial distance from their home, how will you facilitate travel? Will you reimburse taxi fares? Will you provide crèche facilities? What do you need to provide to cater for special needs? How feasible is it for staff members using wheelchairs to travel to the recovery facility? Bear in mind that people may commute long distances to work, and adding a further 40 miles (for example) to their journey may make it necessary for them to be provided with overnight accommodation, or might make them extremely reluctant to use the facility at all. Have you consulted with trades union representatives about your arrangements?

- Impact on RTO: what will the impact of using the more remote recovery facility be on your recovery time objectives? Will it still be within an acceptable time period?

- Reciprocal agreements: are there other businesses with which you could make a reciprocal agreement? For example if you want a secondary recovery facility to be 25 miles from your operational site, is there a synergistic business in that location which could provide you with a recovery venue and vice versa? What contracts would be needed to enforce such an agreement?

TESTING, EXERCISING AND UPDATING
The final areas that need highlighting in connection with concentration risk are testing, exercising and updating.

Testing and exercising: make sure that business continuity tests and exercises include scenarios where the local recovery facility is unavailable and where you need to fall back to a secondary facility. The use of a real-life exercise rather than a tabletop one may pay dividends here, identifying issues which might otherwise not be thought of, especially when it comes to travel and communications.

Updating: risk profiles do not remain static. It will be necessary to conduct repeated risk assessments of your various locations and their associated concentration risks.


Author: David Honour, editor, Continuity Central

More information on the FSA Resilience Benchmarking Project feedback and draft business continuity management guide can be found at
http://www.continuitycentral.com/news02655.htm

Date: 12th July 2006 • Region: UK/World • Type: Article • Topic: Recovery facilities




Copyright 2008 Portal Publishing Ltd