The Police Crime Technical Support Unit says South Africa loses hundreds of millions of rands every year through computer crime – even in certain years exceeding the total lost through cash-in-transit heists.
Local organisations are taking business continuity seriously and have started to fill in the gaps in their continuity strategies because they are beginning to understand the intricacies of it and the impact it can have on the normal running of the business.
Up until recently many organisations were simply duplicating the mistakes of the past because they did not take business continuity seriously and merely paid it lip service. Many large local organisations were putting their eggs in one basket and were focusing purely on IT to fulfil their continuity needs.
Other businesses had an offsite capability as well as the staff required to operate it, but testing these facilities was too much of a disruption to their business, so in the event of an emergency, the sites failed to deliver on the continuity promise.
Dimension Data’s new security unit – INSECS. The ‘men in black’ – (back l to r): Cassie Liddle, Ciske van Oosten, Wernher Eksteen; (front): Gary Middleton, Dimension Data’s Security Business Development Manager
Distributed business processes
Today what we are seeing in South Africa is large financial organisations splitting their multiskilled resources across the enterprise and in different locations, moving to distributed business processes. For example, one local communications company has a call centre split across four geographical regions with multiskilled staff in each centre.
There has been a resurgence in the market with particular focus on business recovery. In the past organisations would tend to secure their IT infrastructure but neglect the business processes and the people required to operate them. With the shift in focus of business continuity out of IT and into the boardroom this has changed.
Companies today are challenging their recovery capability and probability. There is a lot of realistic testing going on, again elevating the process above simply IT, and the result is that many more companies are distributing their leadership and other resources. One of the key factors making this new wave of business continuity consciousness a reality is that boardroom bonuses are dependent on it.
This sort of behaviour is not limited purely to the large local enterprises such as banks, insurers and retailers. Medium and small businesses are also taking part in the new uptake of this necessary practice. In some ways it is easier for these organisations to ascertain the need, establish a plan and implement a solution because their processes are simpler. They are exhibiting the same willingness to take business continuity seriously as their larger, more complex brethren.
Supply chain continuity
Also pushing the uptake of business continuity and the need to take it seriously is the fact that companies are forcing their trade partners to be a part of the programme. Many organisations today will not trade unless their partners can prove that they will remain up and running in any eventuality.
Although many of our lessons come from North America, South Africa's primary cause of disasters is not Mother Nature. Between 70% and 75% of local disasters are technology-related. This increases as organisations become more reliant on technology, with disasters primarily taking the form of database corruptions, hardware failure, localised fires in computer and UPS rooms, and theft.
Having said that, some organisations have declared disasters due to the World Summit currently underway in Sandton. For them all the potential risks that the Summit brings to their doorsteps are too much and so they have pre-declared disasters.
Outsourced business continuity
Many of these organisations have been able to take advantage of the outsourced business continuity model where either all or portions of their continuity processes and resources are supplied by a third party. It allows them to rapidly alter their continuity plans, ensures they are properly maintained in accordance with the King II report, and lets them safely effect business process changes that might include database alterations, opening a new division or implementing a call centre.
With the growth of online trading the minimum any company should do is an impact analysis, be it conducted in-house or by a third-party vendor. And organisations attempting to go it alone should be aware that about 75% of all recoveries fail the first time, which emphasises the need for testing and retesting.
Locally the market looks well placed to maintain operations, largely due to September 11 and the King II report, which have made the market mature a lot faster than it ordinarily would have. Although some companies still pay lip service to business continuity and implement slapdash plans and procedures, as a whole, local business is taking it seriously. This is particularly true of financial institutions, which are spending about 15% of their annual IT budgets on business continuity, roughly 10% more than other industries.