Businesses are spending big on facilities and plans that will help them recover in the wake of disaster, but are they spending wisely? In today’s world of power crises, cyber hackers, terrorism, and increased climatic threats, businesses are responding with various means of recovering their mission-critical functions should such an event occur. But what are they doing about prevention and protection?
There is no doubt the ability to recover business functions is important, but isn’t it better for everyone if the disaster is prevented? Of course it is impossible to prevent a severe storm from occurring, but it could be possible to prevent it from causing a business “disaster.” Preparation is not only about being prepared to recover; it’s also about preparing the organization to resist or counter the impact of a potentially disastrous event.
Businesses should give equal focus to preventative and recovery strategies. European businesses are already embracing this concept, but in the U.S. the focus is still on provisioning of recovery capabilities.
Most disasters begin as relatively insignificant events and escalate into more significant situations. Even terror attacks begin with the assailant identifying vulnerabilities in infrastructure or process. In most cases such vulnerabilities can be reduced, or eliminated entirely.
Security issues may be those that first spring to mind, but this is not the only area where vulnerabilities may exist. The failure of various management and operating processes can equally contribute to the cause of a disaster or the magnitude of the subsequent impact. Poorly defined business processes and communication mechanisms combined with staff panic in the event of a relatively minor incident can quickly escalate into a major disruption.
American businesses seem fixated on providing alternate office facilities and duplicating IT systems. Many businesses outsource their recovery operations by contracting one of several recovery site providers operating across the country. They develop plans for moving staff to these recovery sites should a disaster occur. Those that have these facility agreements, with tested plans in place, are seen as being at the forefront of best practice. The truth is that many disasters can be prevented, not through businesses spending ever-greater sums of money but through spending money more wisely.
The value of money spent on recovery capabilities is usually realized only in a disaster. However, money spent on organizational resilience, including the elimination of business vulnerabilities, can have a number of consequential benefits in terms of increased business efficiency.
Many business facilities, infrastructure, and processes have what are termed “single points of failure.” These are localized points in the business systems or processes that, if impacted, can cause the stoppage of an entire end-to-end process or the cessation of business as a whole. Earlier this year, in the United Kingdom, a localized fire in a cable duct in Manchester caused a most unpredicted result. One impact of this event was the loss of the equivalent of the 911 emergency services telephone number. This particular duct happened to constitute what could be interpreted as a single point of failure for the end-to-end emergency services operations in the UK.
To use this example as a metaphor for current practices, the approach to planning for disaster in this situation may be to make provision for recovery of the service within a period of time (say one hour). After this time, during which no service would be available, an alternate number may be provided (say 922) for people to call. Clearly this approach would have its own issues. The better approach may be to identify the vulnerability and re-design the systems to remove the single point of failure, making the end-to-end system resistant to failure or attack.
The consolidation and centralization that occurred in organizations throughout the 90s constitute one massive single point of failure for many businesses. This point of failure is clearly the office premises themselves. The treatment for such a point of failure is no different than if it were a single IT application or critical piece of machinery. The solution is distribution. A company that spans multiple geographically dispersed premises has an inherent degree of organizational resilience, or resistance to disaster. For this reason we may well see a reversal in the immediate future of some of the organizational consolidation trends that were implemented during the last decade.
An area of business resilience that must be given adequate attention is health and safety. All businesses have a responsibility to their staff and any member of the public in their care. As staff knowledge is one of the key assets of any business, it is in everyone’s best interest to take action in this area. A simple flu vaccination for staff members can prevent, or greatly reduce, the impact of a flu epidemic. This type of action, combined with adequate succession planning and role sharing can prevent disaster through the removal of a specific vulnerability. Health and safety is about protecting staff and ensuring the business’s access to the knowledge they hold.
If it is recognized that disasters can occur from exploitation of business vulnerabilities, and that these vulnerabilities could be identified and remedied, then must not the business take a degree of responsibility for the event?
We are all stakeholders in businesses and government organizations, and any impact to the continuance of their operation can impact our livelihood. Whether we are employees, shareholders, taxpayers, or simply customers, the unavailability of business affects us all. All businesses rely on other businesses by way of supply chain or utility provision. An impact to one organization can send ripples throughout the economy that impact us all.
The key to disaster recovery could well be prevention. We can all play a part in encouraging the organizations in which we hold a stake to shape up in terms of their disaster management strategies, and to give some thought to building some disaster resistance into business operations.
Andrew McCrackan is the founder of Continuity Assurance International and author of a Practical Guide to Business Continuity Assurance, Artech House, Boston, 2004.