Mirroring other initiatives around the world, much emphasis has been placed on corporate governance in South Africa. This has further highlighted the requirement for the wider business continuity planning discipline.
Some studies show some alarming statistics. After the World Trade Centre bombing in the USA, there were 260 companies affected without business continuity plans. The impacts varied for those companies from damage to assets through to simple denial of access. Within a year, 150 of those companies failed. Some years later, only 4% of the companies had survived.
A separate study was carried out in 1998 in the UK, with similar results. Their findings were that 40% of companies suffering a disaster without a tested plan would fail outright, a further 40% would fail within 18 months, and a further 12% would fail over a 5 year period.
People generally think floods, fire etc when considering a disaster, but in today's modern world a disaster could be caused by viruses, hacking or technological failure. A good example is eBay, which suffered a 22 hour outage as a result of a denial of service attack. There was a resultant drop in revenue, but the real issue was the immediate 25% drop in its share price.
Jorgen Nielsen, FBCI Director, Business Continuity Solutions at MGX
Just what is business continuity planning?
Broadly speaking, even though the emphasis has changed from IT recovery or disaster recovery planning (DRP) to that of business continuity planning (BCP), the same approach is recommended:
* Perform a risk analysis and implement effective risk management in order to reduce the likelihood of a disaster occurring.
* Perform a business impact analysis to identify the critical processes and the underlying infrastructure required by the critical processes.
* Create a business continuity strategy taking all factors into account, such as cost, risk transfer, practicality etc.
* Implement the strategy by obtaining an off-site recovery capability, and...
* In parallel, write and test the business continuity plan.
After the plans are written and tested, a maintenance program must be implemented to ensure the ongoing viability of the plans. Periodically, one should perform a fresh risk and impact analysis, to ensure all assumptions are still valid and that the plan meets the business requirement.
Underestimating the skills required a common error
With the maturing of the industry and the level of complexity inherent in many organisations, the level of skill required to successfully manage and implement a business continuity program has also increased. There have been numerous examples of companies expending major effort and expense on their BCP program without showing the desired result. A common mistake is to purchase a software package designed to perform impact analyses, write plans, etc.
The incorrect assumption is then made that the package will provide the expertise and much of the effort required to successfully implement a business continuity program. All of the better packages do provide a level of recorded best practice and assistance, but none replace the expertise and experience of skilled individuals.
Another common mistake made in SA is to delegate the task to either an individual without the required training and experience (often with no succession planning), or to multiple staff members whose day-to-day objectives are not compatible with the requirements of the continuity planning task. These plans then become token offerings with little chance of being successfully implemented when they are required.
For these reasons and following international trends, many SA organisations have outsourced much of their business continuity requirements to specialist companies. With formal qualifications being offered and recognised around the world, the selection of a business continuity partner has become a risk free exercise.
The future of business continuity is bright, both in SA and abroad. As the industry matures further and with greater emphasis on corporate governance and risk management, we will see more companies taking a practical working approach to business continuity, with real plans and solutions in place. As hardware continues the pattern of being faster and cheaper, and affordable fast networking becomes available, we will see more systems being split geographically over multiple platforms that provide both redundancy and protection from lost information.
For details contact Jorgen Nielsen, FBCI Director, Business Continuity Solutions at MGX on tel: (011) 808 3200 or e-mail: Jorgen.Nielsen@mgxgroup.com