However, while 34 per cent of organisations (the largest percentage) cite terrorism as a reason for developing a business continuity plan (BCP), as few as two per cent of invocations are as a direct result of terrorist attack, according to figures from SunGard.
Daily 'threats' are more prolific and many organisations ignore the costs of these occurrences. Research from the Business Continuity Institute (BCI) in 2003 revealed that 26 per cent of all companies were affected by the loss of key people, 24 per cent suffered a loss of IT capacity, 17 per cent suffered negative publicity as a result of a continuity issue and 16 per cent were affected by a loss of key skills.
Becoming aware of business continuity Sadly, rigorous BCPs are the exception rather than the norm, especially in small-to-medium sized businesses. Yet the annual cost to the UK economy of routine problems experienced by business, from train strikes to bad weather, is far more significant than that attributed to any terrorist attack to date.
Such problems are occurring more frequently, yet they are regarded by most businesses as if they were acts of God – things that happen over which there is no control. This is a naive attitude, totally inappropriate in this global economy. Unless UK plc becomes more aware of growing operational risks and adopts business continuity as a core component of corporate behaviour, the UK will continue to suffer an unnecessary loss of business, and the effect throughout the economy will be severe.
Awareness of business continuity is low, so why do banks or Business Link not discuss such risks with new business customers? They discuss tax, liabilities and insurance, but business continuity is not deemed an issue. The threat of loss of key personnel increases (especially as the economy improves) while recent internet virus threats have raised the chance of global email collapse. How would a business cope, particularly one with close, online partnerships with its suppliers and customers? Insurance companies also have a role to play, particularly given their clear understanding of risk, an understanding that has seen insurance rates soar over the past two years. According to the BCI, there has been a significant rise in the communication of BCPs to insurers, from 16 per cent in 2002 to 29 per cent in 2003. For many industries, such communication has not been a way of reducing premiums, but their only chance of attaining premiums from a sector desperate to minimise exposure to risk.
Insurers are inconsistent, though, as they demand continuity from some 'high-risk' industries such as construction, while offering no advice to others, particularly service-based businesses.
Business continuity information should be a core component of the annual renewal notice to ensure risk awareness throughout the business community.
Understanding and education
Even when there is an awareness of the need for BCPs, too many organisations appoint risk managers with little or no experience. Sourcing information and advice is a challenge and the fragmented nature of the business continuity market has led to the creation of many different associations with no cohesive message or vendor-neutral information. The government has, in fact, created excellent documentation, which is available across a number of websites (see below). However, availability of this information is not widely publicised, nor are the sites listed when searching the internet for 'business continuity'.
Instead, organisations are overwhelmed with vendor-specific information.
There are several steps an organisation can take – with little investment – to prepare for the unexpected. The base of good risk management is an acceptance of the need to imagine every possible disaster scenario, from the failure of a delivery van to complete site destruction – and implement a solution based on risk versus business cost.
Risk assessments must include any close business alliances. Indeed, according to the BCI research, 55 per cent of companies claim the demands of potential and existing customers are driving BCPs.
In this integrated 24/7 world, there is a growing recognition that one organisation's problem can have potentially damaging effects on the business of partners, suppliers and customers.
With no mandatory business continuity standard, it is hard for organisations to ascertain the thoroughness and applicability of their business partners' BCPs. Nor can they feel confident that the BCP is regularly updated. The BS7799 IT security standard does address the important issue of IT systems availability, but there is a clear opportunity for an international continuity standard that goes beyond BS7799.
Terrorism is raising awareness of the need for business continuity, but it is the daily disruption to business that needs to be addressed if the UK is to minimise unnecessary business loss. The government must improve awareness through partnerships with industry, such as banks and insurers, as well as Business Link, supported by independent, accessible information. UK organisations need to recognise the need for rigorous business continuity to mitigate the risk of increasingly regular 'acts of God' – preferably using an international business continuity standard to provide a guaranteed level of continuity.
Graeme Howe is event director for Business Continuity Expo
Ten questions on business continuity
In many ways, your business can be severely compromised as a result of internal and external forces and, on average, your business will be affected by a significant business continuity issue once every four years. According to the BCI, the main areas to focus on when reviewing how you should protect your business are:
1.What will you do if you lose the services of one or more key employees?
2.What will you do if some key employees cannot get to work at critical times?
3.What will you do if you lose key skills from your business?
4.Who are your most important customers?
5.Why do they choose to trade with you (it is rarely simply because you are the least expensive)?
6. How could your service delivery to your key customers be disrupted and what contingencies can you put in place to ensure continuity? Your information
7. How will you be affected if you lose key information (customer databases, billing information, company performance information, regulatory information)?
8. How will you be affected if your IT or telecoms infrastructure is compromised?
9. How would you be affected by the failure or disruption of a key supplier?
10. How would your customers be affected if one of your key suppliers let you down?
Rank these key questions in order of priority
Rate their recovery by cost and time
How long could you survive without trading?
Would you know where to go for help in analysing these risks or putting a plan in place?
A three-point plan can help you to reduce or even eliminate the impact of the issues identified.
1.Take your business continuity planning seriously, involve all critical functions of the business and do not leave potential problems out because you think that nothing can be done to eliminate or reduce the impact of those problems. Update your BCP regularly and keep it practical.
2. Involve your insurers and keep them informed. They can help in risk protection and you might receive substantial reductions for your business insurance costs if you can show that you have reduced the likelihood and/or impact of any risk to your business.
3. Speak with and consult experts. Do not take an amateur approach to business protection.