July's London bombings have brought the issue of business continuity once again into the spotlight. As the first sustained terrorist threat in the UK since the IRA strikes of the 1990s continues, companies are experiencing at first hand the threat of wide-area terrorism to their businesses. London Police Commissioner James Hart has further fuelled concern with his recent estimate that only 50% of City firms have adequate contingency plans in place for such events.
This concern is not new, and in fact there is renewed pressure from both direct and indirect regulations. For example, the revised Companies Act tightens up on corporate governance in relation to risk, and this year's Civil Contingency Act made it the duty of category one public services, which include local authorities, to have proven business continuity plans in place. Furthermore, the pressure is not confined to individual compliance: the FSA this year is conducting a benchmarking project aimed at testing the resilience of the financial sector as a whole.
Clearly business continuity is an issue that cannot be ignored, but July's events have revealed a number of challenges that businesses had not previously thought about. Until a few months ago, many companies considered themselves to be up to date with business continuity, with sufficient plans in place. Now they are finding that these plans need to be reviewed to consider factors above and beyond those raised by a conventional attack. For example, can recovery organisations guarantee sufficient capacity to support multiple demands from businesses across a large area?
Previous plans to cope should the capital be hit by a terror attack were based on experience of the IRA bombings, where blast areas were typically quite small, with perhaps an 800-yard radius. However, the London bombings highlighted the new threat of coordinated, multiple, simultaneous attacks, with the potential to affect a wide area and lock down the central transport links.
What do you do with perhaps thousands of members of staff when a city centre transport network is locked down, and what are your obligations as an employer? There can be only two choices: either cater for staff needs with a contingency plan that brings private transport (if allowed access) to a pre-agreed location and/or provides hotel accommodation, or arrange an alternative workplace outside the affected area that keeps your staff out of harm's way and close to home, rather than in the normal office. Indeed, there is already increasing customer demand for recovery centre facilities outside the M25, the area being deemed safe by the Government in the event of an attack on the scale of 9/11, and this demand is likely to continue to grow.
In terms of impact, the London bombings essentially closed the transport network for one day. As this was near the weekend, many organisations allowed staff the day off or let them work from home, with only critical users asked to attend. Had there been any hint of chemical or biological attacks, this period would have been extended to weeks, or even months, bringing completely different connotations to staff logistics.
Mobile communications in London were affected by the bombs of 7 July, both because the authorities temporarily disabled them (due to concerns over their possible use as trigger devices) and because of the sheer volume of usage. As a result, landlines were swamped. Naturally, every continuity plan has communication at its heart during the invocation stage. Over-reliance on mobile phones, and the question of what you then do if landlines are also unavailable, need real consideration. This is one for the Tier 1 communication providers, such as BT, and has actually been an ongoing debate in the industry for the last year.
With so many honed continuity plans, there were a significant number of companies who placed their third party business continuity contracts on standby or even 'invoked' on 7 July. Many of these were not directly affected by the incident but invoked on the basis of the perceived threat.
This raises the issue of what would happen if organisations invoke because of a perceived threat, and, by doing so, impact the recovery ability of businesses that are actually affected. This particularly applies to syndicated services that have high subscription ratios, or operate an equitable sharing scheme that may see available space divided among the 'standby' and actual invocations.
The rights of clients in terms of standby versus invocation, or the ability to invoke based on perceived rather than actual incidents, are issues the industry as a whole, or certainly individual providers, need to be clear on. In my experience it may be the smaller firms that are most at risk as, unlike larger companies, many have not yet developed business continuity plans because the process is perceived to be complicated and expensive.
Key points
Firstly, it is important to ensure that senior management are behind your business continuity planning. This is a good way to prevent the process from stalling, and also to ensure it becomes part of the organisation's culture.
Think about your company's motives for having a business continuity plan - is it because of industry regulation or pressure from customers? A realistic balance must be achieved between the costs of a plan and the risks of not having one.
Business continuity should not just be seen as an extension of a business's IT function. It is a management process across the entire company, of which IT disaster recovery is just one part. It is up to human resources departments to have a key role in ensuring that staff are suitably informed and trained.
It is vital to identify how long your business can survive before returning to normal operations, and this should be seen largely from a financial and customer retention perspective. Keep your plan simple, because if it becomes too complex it will not work. Continually review, amend and challenge it, and treat it as a living process. It should be tested and fully documented at least once a year.
Finally, customers are increasingly demanding that suppliers have a continuity plan, so it could even make the difference in winning a large deal.
- Mike Osborne is operations director of ICM Recovery Services, Tel: 0870 121 8300, www.icm-computer.co.uk