INFORMATION TECHNOLOGY failures remain among the biggest causes of downtime for business continuity (BC) managers, and are at the core of BC planning, but many organisations are now doing far more to plan for staff welfare, says a survey of continuity managers.
However, the report found there is still a need for a lot more testing of scenario plans, with many BC plans still just on paper.
IT was closely followed by natural disasters and then loss of utility services as the biggest interruptions of the past year, according to the Continuity Forum’s Benchmarking Survey of 2007, released to members late last year.
“These results show that BC is now more people-oriented, rather than IT-oriented, as it was in the previous years,” said Marilena Salvo, a spokeswoman for the Continuity Forum, with similar reports produced in 2000 and 2003.
Although IT failures were still the major cause of downtime, she said pandemics and other threats that affect staff safety directly are now given greater consideration, and plans to deal with the aftermath of such disasters are more sophisticated.
In fact, a pandemic was perceived to be the biggest threat, with terrorism now less of a concern than in previous years, although it was still the fourth biggest worry.
The report notes that two similar surveys from Macquarie University and KPMG found the main cause for concern was centred on IT, which in this survey was the second biggest concern, virtually equal to natural catastrophes.
“This trend might be less significant for organisations that are more reliant on their infrastructure, such as those in the manufacturing sector,” it states.
Although there were some promising signs thrown up by the report, it said there were still too many organisations (20 per cent) without a business impact assessment (BIA) of the various risks to business continuity, and more than a third had not updated their BIA in the past 12 months.
Ross Piper, joint head of corporate risk at Macquarie Bank, told a banking risk forum last month that it should be obvious that business continuity plans should primarily be about human beings.
“People think it’s all about IT, but without people, the infrastructure means nothing,” he said.
One of the more important changes in the maintenance of business continuity, he said, was the shift in “ownership” to each business unit. This was particularly important in a company like Macquarie, which had a very decentralised management structure, with many different businesses within the group.
“The fundamental change that we have had is about ownership. [The role of the BC area] is to facilitate good business continuity. There needs to be ownership, and understanding and accountability within each business,” Piper said.
He also stressed the need to “test” and “challenge” those who must implement the BC plans, and establish whether you have contingencies should anyone of those tasked with carrying out the plan not be able to do so.
Even more fundamental than determining whether and how you are going to be able to keep people working, he said a plan needs to take into account the very first requirement for employees involved in a major disaster — the need to contact family members, and perhaps to leave work and see them. “Safety of people is paramount,” he said.
Some of the factors that will be important in BC management in future, he said, was utilising new technology to allow greater flexibility in work arrangements, ranging from off-site data centres and work areas, to use of more powerful mobile devices.
He said this was also one of the biggest challenges. “Almost week-to-week for us, it seems there is a continual shifting of goalposts about options [for infrastructure and technology use].”
Macquarie Bank hadn’t got to the stage of “super sites” for recovery and data storage, but these may become economically viable in future, he added.
He said recent issues at their Canadian sites had also shown how close regional offices could also be very dependent on each other, with the incident in the Canadian offices having knock-on effects in their US offices.
In the Continuity Forum survey, about 45 per cent said the maximum allowable “outage” was less than 24 hours, and 10 per cent said it was less than an hour.
Piper said for Macquarie Bank, however, there was “a variation in downtime tolerance” across its businesses, often depending on the financial exposure of that business, which was one good reason for each business to have its own recovery plans.
The survey also found that most respondents were using the Australian and New Zealand Risk Management standard 4360 as their benchmark, rather than several other specific business continuity standards.
See www.riskmanagement magazine.com.au