'Business as usual?'
While we can never expect 100 percent security against all potential risks, we can ensure that we are as prepared as possible to minimise the disruption and costs should the worst happen.
HSE spoke to Dr Goh Moh Heng, Executive Director at the Disaster Recovery Institute Asia (now President BCM Institute), to discuss the importance of business continuity and the best ways for organisations to put in place an effective strategy.
HSE. Working primarily in Asia, you must have seen the idea of disaster recovery and business continuity take on a new significance in light of the 2001 tsunami. How well prepared is the region’s business community to cope with such an incident?
GMH. In general, most businesses in Asia, other than the multinationals and financial institutions doing business in the international financial market, are ill prepared from a business continuity perspective. For example, the leisure industry was the hardest hit industry in Phuket, Thailand.
Unfortunately, the number of tourists dropped substantially in the aftermath of the tsunami incident. With the recovery of the economies from the economic recession and the lack of business continuity planning at organisational level, the preparation for a community-wide disaster and the public and private coordination will continue to be a challenge to most Asian countries.
HSE. How is preparing for a terrorist attack different?
GMH. The fundamental difference between terrorist threats and natural disasters or power outages is the intent. The terrorist groups of today tend to focus primarily on ideological differences, preying on public fear with the purpose of causing severe damages and fatality.
Businesses and governments can put in the best security measures, and even educate the public, but no single city or community will be totally free from the risk of a terrorist attack. This was demonstrated by the 11 September attacks on the World Trade Centre and the attack on a public school in Beslan, Russia, of recent years.
In Asia, the Bali bombing, the attack on Jakarta’s Australian embassy and the bombing in Southern Thailand continue to reinforce the proximity of the threats within the region. Although power outages cannot be totally prevented, they can be mitigated as far as businesses are concerned. An organisation can implement back-up uninterrupted power supply (UPS) and stand-by generator systems to prevent any adverse impacts resulting from business disruptions arising from the power outage by the utility providers. Businesses that continue to operate in areas prone to natural disaster can mitigate the risks posed by duplicating or locating their critical business functions away from the areas prone to such disasters.
Ultimately, the threats posed by natural disasters and power outages may be more predictable and can be mitigated from a business perspective. But the threat of the terrorist attack is perpetual and can never be fully mitigated; one can never predict when and where terrorists will strike. Organisations must continue to monitor the threats and be prepared with plans that will deny them access to their operations for a specified time period.
HSE. Do you feel there is a lack of awareness on the part of organisations – both in the public and private sectors – about the importance of disaster recovery planning?
GMH. From an organisational perspective, we would recommend disaster recovery planning to refer to the recovery of critical technology and IT infrastructure. Business continuity management should refer to a strategic management process and programme to ensure the continuity and recovery of critical business functions. This clarification is intended to differentiate between disaster management from a community point of view, as against continuity and recovery from a business organisation perspective. When it comes to the organisational aspect, yes, there is largely a lack of awareness in the private and public sectors, certainly in Asia.
HSE. So how can an organisation get started on a disaster recovery plan? What factors should they take into consideration, and how do they decide which systems and business units are mission-critical?
GMH. Keeping in mind the above definition of disaster recovery planning and business continuity management, organisations should focus on developing a business continuity plan and, in conjunction, develop a complementary IT disaster recovery plan. Organisations should seek to understand the risks faced by the organisation and its business units, and establish the related financial and non-financial impacts. Each business unit must be able to determine the maximum length of time of disruption before it suffers a significant loss, during the peak business processing periods.
The next key factor is the type and quantity of resources (hardware, systems and applications software and people) required to recover and resume business operations. Businesses require information for daily operations and decision-making, and hence the next key factor will be the vital information required. Last but not least, interdependencies between different business units and sub-units must be determined.
HSE. What role do risk and threat assessments play in preparing for a disruptive event?
GMH. Risk and threat assessment is an important aspect of business continuity planning and management. Over a period of time, the risk faced by an organisation may change. Business continuity management is primarily concerned with the risks that threaten to disrupt critical business functions and result in significant losses to the organisation. Organisations must assess the degree of risk and decide on the course of action to control and reduce these risks. Management may choose to accept a certain level of risk, or choose to implement mitigating or recovery measures in anticipation of the potential threats.
HSE. And how can risk management strategies be employed to mitigate these threats?
GMH. The effectiveness of risk management and business continuity strategies varies and is highly dependent on the organisation itself. For example, for an international hotel chain operating in Phuket, management may be aware of the possible risk of their facility being made inoperable due to disasters such as the recent tsunami. In this case, the management may choose to accept the risk and continue to operate and do business in Phuket. They may also accept the risk that there will not be a continuity strategy to continue operations when a disaster strikes, but continue to operate with sufficient insurance to enable them to rebuild a new building. On the other hand, if it is a local hotel business operating only in Phuket, then the management should obviously consider building more hotels in other major cities in Thailand (and perhaps even in other parts of Asia).
Such a continuity strategy will enable the organisation to continue to do business, albeit losing revenue from the hotels in the affected vicinity. Risk management in the business continuity arena focuses on the reduction, prevention and avoidance of threats. DRI Asia has always advocated the building of resiliency into the business processes and infrastructure before starting to plan for the business continuity aspect. The last and least advisable option is to transfer the risk to the insurance.
HSE. Disruptive events are by their very nature unpredictable. Given that terrorists tend to change their tactics on a regular basis, and that natural disasters are difficult to forecast, how crucial is it that companies develop a flexible plan that can be adapted to a number of different scenarios?
GMH. This is also very subjective to the business organisation and environment. Due to a constraint on valuable financial, human and other types of resources, businesses will do well to consider planning based on the worst-case scenario to develop their business continuity and recovery plans. Generally, this enables the organisation to develop continuity and recovery processes and procedures that will enable them to recover and resume critical business functions and operations – thereby addressing between 70-80 percent of the incidents during a disaster.
In most organisations, between 20-30 percent of business functions or operations are critical during a disaster. Other situations occurring during a disaster may be addressed by drilling management and the recovery teams to enable them to make the relevant decisions as the situations develop. However, others may argue that you need to have different plans for different situations (such as fires, tsunamis, earthquakes, floods, chemical spillages and even terrorist attacks using weapons of mass destruction, bombs, biological or chemical weapons). To a certain extent, such arguments are valid. The emergency response procedures will differ, but the continuity and recovery processes and procedures for each organisation’s business continuity plan remain similar. Under such situations, the organisation may choose to develop different emergency response plans for each different disaster situation, with the continuity and recovery processes and procedures intact – that is, the core of the BC plan remaining the same.
HSE. What threats does the rise of cyber-terrorism pose and how can we guard against it?
GMH. This again is a very subjective situation and the impact depends on the organisation itself. For organisations such as eBay, Google and Yahoo where their business model and livelihood is built around the internet, a cyber-attack on their internet applications (or even worse, on the internet infrastructure itself) will absolutely destroy their business. However, for organisations that are not so dependent on B2C and B2B applications, the impact will be minimal if proper control measures are in place to minimise technology risks and risks leading to information loss.
Arguably, the best safeguard against this threat now is prevention through continuously educating staff and the public to safeguard their respective workstations against all forms of viruses and worms. However, from the business continuity practitioners’ point of view, the safeguard measures are best left to the info-security experts. The BC professional’s responsibility is to assess the degree of risk and the effectiveness of the control measures deployed. If management accepts the risk and agrees that current measures are adequate, then no further action needs to be taken other than to monitor and review the cyber-threats periodically. However, if management deems the risks are not adequately addressed, then the BC professional’s role is to evaluate the continuity and recovery options available, and develop the related plans and procedures.
THE DISASTER RECOVERY CHECKLIST
First and foremost, senior management support is essential as BCM should be driven from a business perspective. The BCM project will be successfully implemented, and continue to be successful as a programme, when there is a central control and coordination. The organisation must continue to take an active approach in BCM – in other words, the organisation should pre-empt the threats and prevent the risks if possible.
The next most essential component is a corporate-wide BCM framework supported by an industry-proven BC planning methodology. The framework serves to guide the organisation during the BCM planning and programme stages. Following on from this, the next key component will be the establishment of a strong project leader to oversee the BCM project and lead the organisation in the BCM programme. This person should preferably be a very senior member of the management team. The BCM project and programme leader shall in turn be assisted and supported by a BC coordinator.
The fourth critical component is the need to identify and evaluate the threats to the organisation, and the adverse impacts associated with the risks resulting from those threats. In other words, an assessment of the risks and impact to the business is essential.
After identifying the risks and impact to the business, the next logical step is to establish the business requirements, which will help the organisation ensure critical business functions and processes can and will continue operating during a disaster. These include the recovery windows for the critical business functions, the vital records, the resources needed and the interdependencies between internal entities as well as external entities.
The next step, of course, is to develop the BC plans that will detail the processes and procedures to ensure the continuity and recovery of critical business functions.
Following this, the BC plans must be integrated with the organisation’s emergency response, crisis management and IT disaster recovery plans. First and foremost, the organisation needs to ensure the safety and protection of staff, hence the close link to emergency response activities. The disaster needs to be managed centrally, hence the link to the corporate-wide crisis management plan. This area should also incorporate a communications plan that will address issues related to stakeholders – shareholders, customers, suppliers and staff family members. Last but not least, most businesses are highly dependent on IT applications nowadays, and hence it is only logical to ensure a good BCM programme is supported by an adequate DR plan.
Any BCM plan or programme is useful only if it is effective. It will only be effective if the business can continue and recover critical business functions and processes. Therefore, the next logical and essential component is to ensure that the staff and the continuity and recovery team members are trained so that they understand clearly their respective roles and responsibilities when disaster strikes.
The effectiveness of a BCM plan or programme can only be verified by conducting tests. This constitutes the next essential component. The primary purpose of a test is to identify which parts of the plan are inadequate – not to prove that the plan works. In practice, a good test should determine the organisation’s capability to react to specific disaster scenarios, and inevitably, different scenarios should be progressively used to verify the readiness to face different disaster situations.
This leads us to the importance and the need to extract findings from the tests to update the BCM plans and programmes. After each test, the business units and BCM teams are to evaluate the results from the tests, and to make changes to the plans, procedures and processes to overcome problems identified during testing. In other words, the BCM programme should continuously review the ability of current BCM plans to ensure the continuity, recovery and survivability of organisations. However, because of continuous changes to the internal and external business environment, organisations need to conduct regular tests to verify deficiencies and keep plans current.
Associate Professor Goh Moh Heng is the Executive Director for Disaster Recovery Institute (DRI) Asia, the Asian representation for DRI International. In 1997, Moh Heng was responsible for bringing DRI International’s Certified Business Continuity Professional (CBCP) professional certification to Asia. Prior to establishing DRI Asia, Moh Heng held senior positions with a number of reputable organisations. During his career with the Government of Singapore Investment Corporation, he was responsible for all aspects of its business continuity and contingency planning. At Standard Chartered Bank, he saw to the global implementation of its business continuity management programme; prior to this appointment, he managed the business continuity practice at PriceWaterhouse (now known as PriceWaterhouseCoopers).