The risk of unforeseen events causing financial failure has driven companies to develop - and shareholders to demand - both disaster recovery and business continuity plans; nevertheless, those in the field note with concern that not enough is being done to ensure the organisation could, in fact, survive a disaster.
TAKING CHARGE
Continuity SA`s MD Allen Smith notes that many companies still equate business continuity with disaster recovery, a task to be fulfilled by the CIO or IT department.
"Business understanding of the terms `business continuity` and `disaster recovery` still bear the imprint of the past, with many senior executives seeing the change to business continuity as an image makeover rather than a fundamental shift in practices," he explains.
As a result, says Smith, several companies still have IT in charge of business continuity efforts and assumptions are made of the business without proper assessments.
Chamu M`kombe, IBM`s business continuity and recovery services manager, agrees. "Senior management needs to understand that business continuity is not just about IT, it`s about the business. Disaster recovery, which takes care of the systems and data, is intertwined in a business` ability to continue following disaster, but it is by no means the only focus. At the end of the day, if a business is to recover from an event, it will need the buy-in of the board while planning is still under way."
ACTING HOLISTICALLY
So what should the business continuity plan entail? Jeanine Osborne, business continuity and recovery services lead for HP SA, says it should seek to address four key areas of the business: people, process, technology and location.
"You have to have a holistic understanding of your business before you can even begin to look at creating a continuity plan. Every risk evaluation, recovery proposal and strategic outcome must be measured against these four key areas as without one, the rest will surely fail," says Osborne.
FINDING DEFCON
With this in mind, a risk analysis needs to take place encompassing a broad range of disruptions and disasters. These should be measured against the potential impact on the business and consequent costs, says Sagaran Naidoo, CA`s storage business unit manager. "If you are motivating for budget for a generator, for example, then assess the impact a power shortage would have on the business if electricity was intermittent for a week and calculate the cost to the business - including revenues lost - and present these together. At board level, potential impact and cost matters, ultimately resulting in a favourable outcome," he explains.
All too often, however, organisations base their business continuity plans on a worse-case scenario rather than identifying different levels of disruption and planning towards these accordingly.
But, says Strattice MD Janine Hutton, companies need to investigate and assess all areas that the business is reliant on to ensure appropriate plans are in place to deal with the disruption should it occur.
"Few businesses consider the impact that communications-related disruptions could have on the company despite a general understanding that South Africa`s telecommunications infrastructure is unstable. However, every company is reliant on communications - be it voice or data - and would undoubtedly be hurt financially if its communications channels went down.
"Does this mean the company needs to implement its business continuity plan, evacuating the building and moving to hosted facilities? Definitely not. It`s a risk that can be mitigated ahead of time."
IN THE DETAIL
The success of a business continuity plan will, like most other business endeavours, depend on the planning. Unfortunately, in creating these plans, there is no `one size fits all` as different businesses will always have vastly different requirements. Nevertheless, detail and establishing appropriate actions will always be mandatory.
Naidoo says he likes the `Defcon` plans of the US government. "Here you have five distinct levels of disruption, each with its own action plan. Companies should look to create something similar, so that whether it is a power failure or the company`s headquarters having burned down, there is an appropriate plan of action."
Another aspect to consider is emerging health risks, according to Citrix SA country manager Nick Keene. In Asia, the bird flu pandemic created much panic and many people refused to go to work, despite a well-organised government response to the health issues. In South Africa, reports of extreme drug-resistant TB have been well publicised, yet few businesses have considered how they will address a pandemic`s impact on the workforce. "Luckily we have seen a significant rise in the adoption of mobile technology among businesses and this could be used to enable employees to work from home”. Nevertheless, it has to be planned for, with identity and access management set up well beforehand. If companies try to address this at the time of crises, the costs quickly escalate," Keene warns.
Planning detail comes back again to Osborne`s people, process, technology and location. Each area has its own requirements and must be investigated accordingly to provide the best outcomes. All the same, EOH`s divisional director of technology consulting, Hubert Wentzel, warns that a business continuity plan should never cost more than an actual disaster would cost the company.
THE BEST-LAID PLANS
The one shortfall that businesses throughout the world appear to have in their business continuity plans is a lack of communication and testing. Having carefully formulated the plans - and added the requisite risk mitigation section to the annual report - companies for some reason leave the rest to chance.
Says Osborne: "Communication and testing is absolutely essential. The workforce needs to know what their role is in an emergency, who to contact and where to go. Without this chaos ensues. Back-up facilities need to be tested and recovery times measured against desired outcomes. Testing provides insight into areas that may have been missed and brings practical knowledge to all those involved. Companies should test and revisit their business continuity plans at least once a year."
Moreover, Smith urges listed companies to give more detail to shareholders on their plans as those companies who have planned appropriately will not only protect their shareholders, but benefit from greater shareholder confidence.
"Annual reports should not feature a `copy and paste` paragraph on risk mitigation and business continuity; instead, it should provide enough detail so that shareholders can make an educated guess as to the longevity of the company and the security of their investment. Internationally, listed businesses that do business continuity properly, detail their efforts to shareholders and have a risk manager at board level, command a share price premium of up to 12%, for the simple reason that their investors have confidence," he says.
|
Post a comment
|
Login.
Business Best Practise
