One clearly identifiable emerging trend is the number of U.S. companies, many of which lost primary IT systems in the attacks, that are now looking both to replace their systems and to introduce mirror sites to protect against future disasters. Often these mirror sites are going to be sited not in the U.S., but somewhere in Europe. Increasingly, U.S. companies are also looking to split their operations between the U.S. and Europe to allow for continuity of client service and to provide a contingency service.
With ties cemented in a long-standing “special relationship” and a shared language and business culture, the U.K. can also offer American organizations the important flexibility of labor laws, which are far less restrictive than those in the rest of the EU.
Another explanation for the U.S. looking to its U.K. neighbors for assistance now is the U.K. telecommunications industry’s reputation for rapid response on previous occasions like the major U.K. bomb attacks in London’s Bishopsgate and in Manchester. Both of these incidents devastated large areas and caused disruption to many for months – and for some businesses, years – and yet customers were up and running within hours as a result of action by communications suppliers.
In future-proofing your business security, you should be seeking telecommunications resilience levels that meet the demands of your organization’s intensive eBusiness applications.
What Organizations Should Be Asking Suppliers
In looking for new mirror or satellite sites, directors should be looking at the next generation of business parks, which will be offering the total solution on site. The ideal strategic location offers the occupier a choice of flexible, communications-ready units. Long-term building provision and immediate access to higher levels of broadband network capacity enable a company to expand on site, with the minimum of disruption to either labour supply or business facilities.
Also on the checklist for tenants should be resilient access network facilities for every customer on the site, along with extensive switch, transmission and broadband capacity, which can carry voice and data communications utilizing the very latest technology.
To place the nature of risks faced by organizations in context, insurance statistics demonstrate that only two percent of business disasters are due to terrorism and only eight percent of those as a result of malicious acts. By far the bigger risks are fire, flood, theft, air conditioning failures and power cuts.
A more detailed example of just how one small incident for one organization can be another one’s disaster is the large U.K. insurance company which decided not to store its server equipment in the main office, preferring instead to place it in a little-used basement away from harm and damage. Above the basement was a restaurant, which leased space from the insurance company. Everything was fine until the industrial dishwashers sprang a leak, drenched the supposedly safely stored servers and rendered them and the systems useless.
This example demonstrates that the average organization faces a plethora of risks as a result of its normal day-to-day operations and systems, rather more than terrorist attacks. An important starting point in managing disruption, whatever the cause, is to establish a culture that will identify and manage those risks that could cause it to suffer stoppage and to embody this in the business continuity planning process.
An organization has many elements that comprise its mission critical processes and functions. These can include suppliers, customers, shareholders, and IT systems as well as external influences such as government departments, regulators, competitors, trade bodies and pressure. All of these relationships and dependencies should be factored into the planning process.
There is a continuum of possible reactions when a disaster strikes:
• Do nothing – in some instances the board may consider the risk commercially acceptable;
• Change or end the process – though this does depend on what ultimate impact this will have;
• Mitigate your losses by implementing procedures to reduce future risk.
Business Continuity Planning
This is an approach that seeks to improve organizational resilience to interruption, allowing for the recovery of key business and systems processes within the recovery time frame objective, whilst maintaining the organization’s critical functions.
It is this final step that organizations are taking now. The realization is that downtime can be planned for and that, in the case of the Twin Towers attacks, where lost revenues for the companies affected are estimated at £1,000,000 an hour, doing so is cost effective.
When companies look at business continuity they need to identify mission critical processes and functions. It is important to determine what the impact would be upon the organization’s goals if these were disrupted or lost. Having identified those critical processes and functions, the organization should conduct a risk assessment to identify the many threats to these processes. Whatever risks the organization faces, the effects of disruption share a commonality: loss of critical system(s), site or personnel, or denial of access to systems and premises, will all produce similar disruptions to business (i.e., being unable to operate has the same result, whatever the cause).
A definition of what constitutes a ‘disaster’ for the organization should be agreed and included in the plan. It is important to differentiate between an interruption and a ‘disaster’. There should be a clearly laid out escalation procedure setting out how a ‘disaster’ is declared.
Risk assessment is used to determine the internal and external threats that could cause loss or disruption and their likelihood of occurrence.
Making An Example Of The Finance Industry
One U.K. industry that really has been forced to take risk assessment seriously is the finance sector, and we can learn some very important lessons from its preparations.
Following the stock exchange tumbles of the 1980s and mid-1990s, the London Stock Exchange (LSE) issued a new listing rule to ensure that all companies trading on the LSE have in place an adequate system of internal control in order to facilitate the management of business risk. The Turnbull Report, commissioned by the LSE, is a guide to assist companies to apply the combined code and determine the extent of their compliance.
The most significant change brought about by the Turnbull Report is the requirement for listed companies to report on the review of all internal controls, including financial, operational and compliance controls and risk management.
The effect of the Turnbull Report was to make financial institutions widen their definitions of risk, from just what physical disasters might happen to the risks involved in confidentiality, integrity of information, and security risks from hacking and internal fraud.
Again taking the New York attacks as an example, those organizations that recovered quickest were the big finance houses. This was not a function of their size, but more that they had business continuity plans in action that allowed them, for example, to swap business to their European offices overnight.
Typical Emergency Response And Operations
Working in conjunction with communications suppliers, organizations look to identify the development and implementation of procedures for responding to and stabilizing the situation following an incident, including establishing and managing an emergency (or crisis) operations center. It is important to establish what the potential types of emergency are and what responses are needed to deal with them. These will cover the initial actions that will be taken to protect life and property and follow through to salvage and restoration.
An emergency or crisis operations center will need to be established to enable the effective management of any incident. In establishing this, the following must be considered:
• Location of the operations center;
• Design and equipping the center;
• Command and decision authority roles during an incident;
• Communications requirements.
It is essential that a procedure be established for command and control of the incident.
The procedure must include plans for:
• Opening the emergency operations center and its security arrangements;
• Scheduling of the teams to man the center and the supply of food and welfare facilities for the teams;
• The management and operations of the center;
• Closing down of the center when the crisis has ended.
There will be many calls upon the operations center and it is important to develop, implement and exercise emergency response and prioritization procedures. This includes the determination of priorities for actions in an emergency. This must include the first aid and medical procedures to be taken if appropriate.
As with many things, “use it or lose it” applies equally to business continuity planning. It’s not enough to go through the planning without the rehearsal. It’s estimated by the U.K. insurance industry that 70 percent of businesses fail to recover their systems and business operations at the first rehearsal – so if your first “rehearsal” is the actual disaster you risk total failure.
Business continuity planning is on the up and, based on the uncertain world we live in today, should be an integral part of any corporation’s operations.
Kim Hackett is vice president of U.K.-based British Telecom’s locations and inward investment division.