Business continuity is undergoing a major shift in priorities away from IT and towards organisational culture. Stuart Fagg reports
For the business continuity community, the past few years have been characterised by major change as a host of new threats raised its profile and elevated its importance within organisations. Globally, events such as the London bombings in 2005, the outbreak of SARS in 2003 and major concerns over the threat of an avian flu pandemic have sharpened focus on the changing nature of business continuity. Indeed, prior to the September 11 attacks in the US, the human element of business continuity was rarely considered. London, SARS and the pandemic threat have changed that to a certain extent, but while newspapers continue to give coverage to avian flu, it has slipped off the radar of the mainstream media in Australia.
That, some business continuity experts believe, is leading to concerns that the avian flu pandemic is “another Y2K”, a big-ticket risk item that is potentially swallowing huge amounts of never-to-be-realised investment. Indeed, according to Julie Priest, a partner at Deloitte’s enterprise risk services practice, the avian flu threat may turn out to be “Y2K with wings”. However, according to business continuity professionals, the pandemic threat has shifted the business continuity goalposts considerably. “Pandemic planning has caused a paradigm shift in the way that business continuity people are thinking,” says Ed Davy, senior manager business continuity at HBOS Australia (a part of the HBOS global financial services group, which acquired BankWest in 2003). “Rather than just planning for the sort of day-to-day issues like loss of premises or loss of IT systems that have historically occupied us up until now, we now find we’ve got lots of new ‘people issues’ to consider. That certainly has been a big driver for us over the last 18 months to two years, and it’s been quite an eye-opener for us working in business continuity in the bank.”
As a division of UK-based parent HBOS, the Australian operation has been able to access a global network of business continuity planning and impetus, a luxury some Australian-based organisations do not enjoy. Indeed, some observers contend that business continuity will struggle for attention until a major incident hits Australia. “We are fortunate in that our parent company in the UK takes the pandemic threat very seriously, and is keen to offer all assistance to help us ensure that we are fully prepared,” Davy says. “We have regular pandemic planning teleconferences with them on the phone every couple of months and they provide us with a lot of information as to what the UK is doing in terms of addressing this particular threat.”
Pandemic exercises in practice
That link has also allowed the Australian operation to participate in the world’s largest pandemic exercise yet, held in the UK last year and run by the three major financial regulators. At present, there are no plans to replicate such an exercise here, perhaps due to the heightened risk climate in the UK. “We were able to participate in the tripartite pandemic exercise in the UK [a six-week pandemic simulation over 22 weeks late last year, and involving 70 financial services firms and around 3,500 people] back at the end of last year,” Davy says. “We were fed certain parameters and asked to model what we thought the impacts would be on HBOS Australia, and feed these back into the UK for HBOS to help form its responses in the exercise.”
In terms of planning for HR disruption caused by a pandemic or other major event, firms with international networks and those with experience of dealing with the SARS outbreak across Asia in 2003 have a distinct advantage, particularly in garnering the all-important executive support and focus required to drive change in continuity attitudes.
“As part of our regular operational risk reviews of regulated financial institutions, APRA has been assessing the adequacy of pandemic planning in the financial sector,” says David Lewis, general manager at the Australian Prudential Regulatory Authority (APRA). “And I’m happy to say that, for the most part, financial institutions in Australia – particularly those with international networks – are well-advanced in their pandemic preparations. Following their SARS experience, many of the Asian banks stand out as leaders in the field.”
Risk management and business continuity
Business continuity also appears to be something of a unique risk management activity in that there is a relatively high level of cooperation among competitors, particularly in banking. “We’ve recently been invited to attend the banking industry’s Business Continuity All Finance Forum Meetings,” says Davy. “These are extremely useful because you get the chance to sit down with like-minded people in a closed environment and share your experiences and war stories. It’s an opportunity for people to talk about incidents where things maybe didn’t go according to plan and share what was learned from it. I am a great believer in that sharing of information and the good thing about it is that the barriers really do come down; and as we’re all facing the same threats, why not work together?”
While organisations in the financial services sector are making leaps and bounds in terms of integrating human issues into continuity planning, in other industry sectors, activity in this area is sporadic at best. “Financial institutions across the board tend to be the leaders in this space,” says Andrew Fry, business unit manager, business resilience and continuity services at IBM. “They’re certainly integrating not only IT but also resilience and continuity culture among their staff. So their staff are aware of their plans and are actually involved in the testing; and we’re talking hundreds of staff, not just a couple of people. So I think from a financial point of view, yes they’re looking at the human capital side. There’s pockets in other sectors. I mean really, once you get past financial, the general market, regardless of the sector, typically focuses first on IT. But I think there is a gap at the moment between organisational continuity as opposed to IT continuity.”
A wider view
While the current focus of business continuity is on the pandemic threat, experts caution against planning for particular scenarios in isolation. “The issue isn’t so much whether we’re hit with pandemic. The issue is can an event occur where people don’t want to come to work?” says Rob Goldberg, partner at KPMG. “That could be pandemic, it could be a whole series of things that might happen to influence the fact that people will not come to their place of work. There’s still some basic blocking and tackling around business continuity planning that needs to focus on the more holistic elements of continuity, rather than scenario planning.”
Some experts couch this approach in terms of scenario planning versus resource loss planning. While scenario planning focuses specifically on the event, resource loss planning covers the entire enterprise – buildings, staff and technology. According to Saul Midler, managing partner at Linus Information Security Solutions, the resource approach represents the “new school” of business continuity management and helped organisations such as Cantor Fitzgerald – a UK-based broker that lost more than 600 staff in New York on September 11, yet was back in operation just two days later – recover quickly.
“No one could possibly have thought of the scenario that two airplanes could cause structural integrity failure of both World Trade Centre skyscrapers resulting in the collapse and complete destruction of the precinct,” Midler says. “The businesses that did survive did so because they adopted a resource loss philosophy that included office facilities, technology systems and of course staff.”
As business continuity planning continues its expansion across organisations, new approaches and techniques are starting to emerge. The threat of a pandemic has driven much of this development, given the unique challenges it presents, but other events – such as the September 11 attacks in the US – have also contributed.
“Beyond the usual backup DR site for data recovery and office space, we know that locating and recovering our people in the first instance is absolutely vital,” says Peter Mihaly, head of corporate security and life safety for US bank JPMorgan in Australia. “To that end, we’ve also introduced – on the basis of lessons learned in New York – personal evacuation kits for staff which include facemasks, light sticks and wallet cards with key telephone numbers.”
IBM’s Fry added that technology is presenting its own options, particularly regarding scenarios that may preclude staff accessing buildings and networks, including the creation of “virtual workplaces”. “The willingness of an employee to come to work is key,” Fry says. “It’s not just whether they can or can’t. You might have a site available, a recovery centre with three hundred seats, but if one person walks in that door, and there’s a quarantine on that zone which is enforced by other agencies, it doesn’t matter. You’ve got an issue. You may not want to go over there. In those circumstances, it’s key that there is a virtual workplace set up where they can still be effective, operate the workforce, and manage the logistics of a crisis. That is very different to just running a day-to-day business with access to your PC from home … it’s very different to running it in a crisis.”