Keeping the lights on

Extreme weather, earthquakes and political instability are all factors that can have a major effect on Middle Eastern companies. BM speaks with Chris Green, Chairman of the Business Continuity Institute, about the importance of being prepared when disaster strikes.

BM. A recent survey by The Times of Oman of companies in Oman and the UAE found that many were focusing their BC plans solely on IT and critical systems. What are the dangers of such an approach and what other areas should businesses be focusing on?
CG. IT Disaster Recovery (ITDR) is an important component of good resilience and recovery. However, it is just that: a component. Organizations that focus just on IT are missing the vital element of continuity and recovery – their people. No organization can do business if it has no staff. As well as ITDR, organizations need robust crisis plans that help senior managers deal with the immediate effects of a business interruption. They need continuity plans to ensure that their staff can get to other places of work to make sure that critical products and services keep getting made and delivered. Finally, they need a testing framework that starts from fire drills and evacuations, through to full recovery at alternate sites, to ensure that all staff know what is expected of them, and that managers know the key decisions and issues that they will have to address.

BM. Are there any specific risks that Middle Eastern companies should be aware of when forming BC strategies, or are concerns generally similar across the whole business world?
CG. Every organization, whether in the Middle East or elsewhere, needs to have conducted a good threat assessment to understand how its business may be affected by various events. Many types of threats are evident: some are political (war, terrorism, labour protests), some are environmental (weather, power, transport failures etc), some are physical (fire) and some are technological (computer failure, virus, denial of access attacks).

I think it's fair to say that political threats are more apparent in the Middle East than in some regions, but each of these needs to be understood, and an analysis made of what would happen to the organization if one of these threats became a genuine interruption (this is often called Business Impact Analysis – BIA). The organization can then explore strategies to overcome these impacts.

In the Middle East, infrastructure may be less robust than in other regions, and this must be factored into strategies. For example, a power failure may affect a larger area than it would in Europe, meaning that a recovery strategy may require long-distance relocation, or the advance installation of generators and UPS systems. Recovery sites are less available in the Middle East than in the UK or USA, as another example. Therefore, there may be a lower availability of alternate locations to work from following an interruption.

BM. What are the immediate and long-term effects of not putting business continuity practices into place should a serious event occur?
CG. It’s quite straightforward – the effects are loss of money, loss of customers and loss of reputation. Customers want guarantees of delivery. In this competitive world, if you can’t provide, someone else is waiting to take your place and your revenue. Even your staff may choose to leave rather than be laid off due to the business being interrupted, and with fewer staff and fewer customers, you’re in trouble. Sensible, pragmatic continuity practices and plans will enable organizations to mitigate these risks.

BM. How is technology providing companies with the means to safeguard against unforeseen catastrophic events?
CG. Organizations can use technology in many ways, but good crisis management and business continuity still rely on management skill and decision-making. Technology can help this, from better early warning (many people knew the floods were coming, even if not the precise path or force) to better backup techniques for data and systems. The days of the backup disks sitting on top of the server should be consigned to the dustbin of technological obsolescence.

For those who depend on customer calls, call-switching technology has become affordable. Improvements in cabling mean that data and systems can be delivered from greater distances. You don’t need to have your IT sitting in the same office as your colleagues, therefore reducing your risks through physical separation. If you lose one, you don’t lose the other. Scale in technology also means that many specialist companies offer application delivery via the internet, and others can provide remote hosting and backup – in fact, there’s a whole range of initiatives.

BM. In your opinion, how should companies best assess and implement business continuity and disaster recovery planning?
CG. The fundamental first step of a BCM program is to truly understand what makes your organization ‘tick’: what are the critical products and services that define you as an organization? Then, you can explore the various options for keeping those things going. Writing the actual detail of the plans and procedures is almost the easy part. Finally, you need to test. A plan without a test is a piece of paper! Testing proves that what you’ve done really works, that your staff understand what’s expected of them, and it gives your customers confidence in your ability to service them.

BM. We have recently seen catastrophic natural disasters, acts of terrorism and outbreaks of disease. How has this impacted on business continuity planning?
CG. The BCI advocates flexible and adaptable plans. We don’t recommend you have forty different plans for forty different scenarios (what if the real incident is scenario 41?). Instead, the planning – but especially the testing – you do should allow your organization to react to any interruption. Certainly, you need to assess realistic threats, and plan and test for the most likely ones. We all know that pandemic flu is a real possibility – every organization therefore needs to establish how it might operate with a quarter of its staff missing. Similarly, we can all see the evidence of altered climate patterns, so we need to consider flooding and how we will continue to operate if our premises are under water, or if our staff can’t get to work because the roads are closed. But what if there’s an extensive power cut, such as in the USA and Italy in recent years? Or if there is a severe, 1963-type winter? We need to evaluate all of these scenarios, which we might not have done a few years ago. That's part of the skillset needed in today's continuity planning: situational analysis, risk assessment and the ability to influence others in the organization to take certain actions.

BM. Can business continuity practices affect financial performance? If so explain how.
CG. Yes, I firmly believe they can. Certainly in the financial and retail industries, more and more customers are asking for proof of a continuity capability before placing business. If a supermarket, say, wants to place an order for a thousand widgets, it wants to know that those widgets will arrive come what may. It’s no use to them to have empty shelves because their supplier hasn’t delivered: they want surety of delivery. There have been several well-documented cases of JIT (just in time) industries coming to a standstill because a supplier has failed to deliver. With pressure on margins, this is no longer acceptable. Good BCM might be the difference between you winning that contract and not.

In the financial world, I’m seeing increasing numbers of organizations investigate business continuity and risk management capability before they do things like invest their pension funds. In that context, BCM has stopped being optional.

BM. How have BC practices changed over the past five years?
CG. One of the important things is that people have really begun to be open about talking about risk and crisis. We used to pretend it would always happen to someone else, so we didn’t need to worry. The world, though, has got so interconnected and so high-paced that we have to accept that it is our problem. In terms of creating continuity strategies and plans, the key aspect is the growing professionalism of the industry, led by the BCI, means that there is education, training and professional development which just didn’t exist several years ago. This had led to more people seeing BCM as a career. That focus has led to better understanding and better testing. It’s also helped drive the technological advancements that I mentioned earlier, as people engage in discussion and innovation.

BM. With businesses striving to keep disruptions to a minimum and customer confidence high, how do you see business continuity evolving in the future?
CG. The BCI sees business continuity developing into a mainstream business practice. We believe that BCM will become part of management training, both at MBA and undergraduate levels. Ongoing professionalism will mean that more and more high-calibre staff see it as a career option, and these things will feed off each other. I think we will see the big recovery companies improve their range of service offerings, to provide better, more affordable recovery options for small businesses. I think that more organizations will see it as a competitive edge (or a competitive necessity), and they will demand high-quality, low-cost continuity solutions, as they do with every other product they buy. I think the BCM industry is on the crest of a wave: our challenge is to ride it.