Return on BCP
By Yong Ai Lei | Thursday, November 29 2007 If you are not careful, spending and planning for business continuity can be a never-ending journey. How do you know when enough is enough?
Asia prepares for swine flu pandemic
Even as the headlines regularly scream disaster, IT executives in Asia are struggling to guarantee 100 per cent uptime, or to confidently demonstrate the financial return from properly planning for the worst.
According to Eugene Wee, research manager for IDC's Asia-Pacific IT Services Research, many Asia-Pacific business executives have the mentality that investing in business continuity planning (BCP) is unnecessary because nothing untoward has yet happened. "Often it takes a jolt to a company to realise the importance of investing in business continuity and disaster recovery," he says.
However, our uncertain times mean that more enterprises around the world are reviewing their BCP. They are increasingly taking a proactive approach to not only recover IT systems during incidents, but also to ensure constant operational resilience.
"People once used to first look at disaster recovery only when their computers went down, and then worry about how to recover their IT systems," says Norris Hickerson, vice-president, data centre and engineering services at COL, a provider of data centre services. "Now, they want to know how the business recovers before the worst happens."
Avoiding the tech-trap
Achieving business resilience can come with a high price tag. While maintaining high business availability, IT executives are also required to predict and measure the financial return.
"These are opportunities to optimise IT capital investment with minimal BCP investment as add-ons. Individual initiatives on BCP are usually not cost-effective," says Dr Goh Moh Heng, president, Business Continuity Management Institute (BCMI), a provider of business continuity and disaster recovery training.
One approach to avoid unnecessary over-spending is to plan ahead, which is during the major IT initiatives such as technology refresh, consolidation of data centre operations and shifting of operations, he notes.
At Singapore General Hospital (SGH), the city's oldest tertiary hospital, a tiered approach is used for determining its BCP investment. Loh Yong Ho, director of operations at SGH says senior management at SGH first rank all IT applications in terms of the availability required, then identify the truly critical applications that require a speedy recovery to keep the hospital going.
"SGH's primary focus, as a public healthcare provider, lies in providing lifesaving care rather than keeping an eye on the bottom line during a disaster," says Loh. "All aspects of the hospital's BCP are thus aligned to the priority of putting patients first."
Some applications, like the eportering system that uses personal digital assistants (PDAs) to page the porters, and the e-menu application that captures the day-to-day patent's menu orders, are not the priority. But applications like the enterprise resource planning (ERP) system, patient database, digital imaging system, electronic medical records (EMR) system, and the outpatient appointment system, are critical to keep the hospital running. Thus, these applications are mirrored, at real-time, to an off-site location to ensure availability.
Risk and rewards Before companies embark on putting together a business continuity plan, they should firstly do a business impact and risk analysis. Then they should formulate their business continuity strategy, and decide what tactics to implement, says Hickerson. "Companies should evaluate their business to check risks that one can plan for and risks that one can't, and those that are too expensive to mitigate against," adds Henry Ee, founder and director at BCP Asia, and country representative for Business Continuity Institute (BCI) for both Singapore and China.
Companies should measure impacts on reputation, operational and staff workload, as well as the implications for customers and suppliers.
"The question is how much risk you want to take, and what are the implications should the worst happen," notes Steve Wallage, managing consultant at the UKbased research firm BroadGroup Consulting.
"For a small business, there is a point where business continuity becomes so expensive that it is easier to just shut the business down and start up somewhere else."
Wallage suggests one approach for the analysis is to statistically rank the incidents in terms of risk and impact to business; the greater the potential impact, the larger the investment.
Ee adds that was how Far East Flora, one of the largest flower and plant retail chains in Singapore, mitigated its annual incidents after a record-high rainfalls in December 2006.
The flash flooding washed away the company's most profitable period in the year. The deluge gave them no time to salvage their stock. Consequently, they were unable to fulfil a large number of orders during that peak period, leading to significant revenue loss.
Since the disaster, the company has started studying incidents that happened in the previous year, to decide how to ensure business continues for any future such crises.
"If a critical business function contributes US$10 million in revenues, companies need to ask not how often it fails, and whether it is worth spending five to per cent of that amount to protect that revenue," he adds.
Another area that most enterprises overlook in BCP, is the supply chain disruption, Ee adds.
Businesses today are more dependent than ever on their suppliers. Most enterprises do not have large inventories. On top of that, they also have tight deadlines, so there is very little room for manoeuvre.
Ee said this was what confounded the Japan-based scientific research firm Riken, when an earthquake damaged the manufacturing plant of its supplier in March. The damage also disrupted the domestic production for several major Japanese automakers.
"While the manufacturing plants for Toyota and Honda were not affected, their suppliers, who manufacture the auto parts, were," says Ee. "As a result, they had to shut down their plants, as they didn't have a back up plan for supply chain."
Making sound investments
In the case of Behringer, a professional audio equipment provider, ensuring its 10,000 distributors can place orders online, is a key driver for maintaining higher availability.
The company's Internet ordering system is expected to go live in October and will not tolerate any down-time, says David Brown, CIO, Behringer. The management realises that, if they are unable to maintain availability during a disaster, it could mean losing customers and substantial revenues.
"We aim to increase the availability of our systems from 98 - 99.99 per cent, with zero tolerance for downtime" says Brown.
"If we fail to service the customer, they may go some where else."
However, this would entail additional costs, as the company's ERP system will need to be reviewed, being closely tied to the ordering system. Brown notes he is looking at options to manage this expense.
Currently, all the company's data and applications are centralized in a data centre in Singapore.
One option is to fully outsource the entire disaster recovery process, corporate data and applications, to a service provider.
Wallage notes that outsourcing may be cheaper in the long-run, in some instances. "Companies tend to look at initial costs, which may be cheaper to build your own, but there are additional costs for upgrading and flexibility," he says.
"External consultants may also have expertise to provide a better service. In terms of total lifetime costs, it can be cheaper to outsource."
The second option involves mirroring a series of selected applications in their current systems. Only the essential applications are made available immediately in the event of a disaster.
"The cost justification is based on (the potential) lost of opportunities and customer service," says Brown. "We have a short product development cycle, so the time-to-market is critical."
Wallage said a good cost-saving tip was to locate the disaster recovery sites away from town centres, where rental and manpower was likely to be cheaper. "There is a strong psychological and cultural desire to have data centres close to existing offices. Companies can, in fact, enjoy cost savings by having their IT backup outside the city or even outside the country, depending on factors like telecom reliability and political risk," he adds.
Finding ROI in BCP may be a challenge, but ultimately it is part of good corporate governance to build real business resiliency.
Wallage said you don't have to break the bank, but you should take prudent steps for business continuity.
CERTIFICATION FOR BUDGET BCP
There are ways to ensure that business continuity planning (BCP) does not make a huge dent in your budget, as shown by the Singapore General Hospital (SGH) when it became TR 19 certified.
Technical Reference 19 is a business continuity and disaster recovery framework developed by the Singapore Business Federation.
"Business continuity solutions need not necessarily be expensive. We were cost-conscious and hence opted for partial consulting," says Loh Yong Ho, director of operations at SGH.
"Our other aim was to get our staff engaged with the whole BCP process, and this seemed the best way to encourage them to take ownership."
The hospital appointed a BCP coordinator from each of the hospital's most critical 20 departments. They attended a two-day introductory workshop on BCP principles, as well as a half-day workshop on conducting business impact analysis and developing business continuity response plans.
In all, the hospital spent less than US$33,300 on training and consultancy for the TR 19 certification, says Loh. Subsequently, SGH management defined the most critical functions in the hospital, and each department brain-stormed on the best business continuity responses.
Norris Hickerson, vice president, data centre & engineering services, COL notes frameworks and standards like TR 19 and BS25999 (an independent standard for BCP released by the British Standards Institute) have helped companies in their business continuity planning, with detailed, specific recommendations, as well as to benchmark against industry practice.
With its business continuity plan in place and TR 19 certification, SGH now has a macro view of how the hospital will react in the event of a crisis . "Before we embarked on the BCP certification, the departments" business continuity plans were done in isolation. It was akin to a jigsaw puzzle. With a hospitalwide business continuity plan in place, it allows us to form a holistic tapestry of how the hospital will manage and recover from a crisis as a whole," says Loh.
"For instance, when SARS hit, a lot of measures were ad-hoc and impromptu. With TR 19, we don¿t have to nail down to a particular scenario when a critical function is down. We have fine-tuned our response plan to react based on the various functions in the hospital," adds Loh.