Business feels the fear

‘Business continuity' is always an entertaining subject for any lunch debate. Give the diners a few minutes and the stories start to pour out: the Internet pipe into Canary Wharf that is a single point of failure; the ‘secure' tape backups stored in New Orleans warehouses; the fire in the telecoms tunnels under Manchester that cut 130,000 phone lines.

The list goes on: the disaster recovery plans that were locked in the data centre; the data centre operator that had not backed up its client's files for eight months; the emergency generator where the diesel supply had turned to water.

These true stories – and many more like them – were told by senior managers attending a recent Information Age lunch on business continuity, sponsored by services operator BT. But while those swapping stories allowed themselves to enjoy a moment of schadenfreude, the debate also clearly demonstrated that a new mood of realism has entered the world of IT management.

In this darker world, threats to business continuity are no longer viewed as unlikely, once-in-a-lifetime events or ‘disasters'. Rather, they are ever present, unpredictable, and difficult and expensive to manage or mitigate against.

Moreover, IT itself has become so embedded into all business activities that almost all ‘discontinuity' events have IT implications. The problem is further complicated because so much of IT is now outsourced, and these suppliers often outsource again, making any assessment of risk across that chain extremely difficult.

The result: businesses are having to make ever more complicated contingency plans and must expect an ever greater range of potentially damaging events.

Example after example illustrates the point. One expert, for example, Bruce Levinson, the director of the Cyber-Security Project in the US, recently argued that, sooner or later, the "cyber levees" will break and the Internet will suffer a catastrophic, widespread failure. How many business processes could survive the loss of the Internet?

Another ‘probable' danger comes from a very different direction: medical experts are bracing themselves for an epidemic of Avian flu, with the likely result that critical staff will be ill or will wish to stay away from public places and work from home. Without full support, critical IT functions could then fail, bringing many businesses to a halt.

Anticipating the impact of such events is not straightforward. When the tsunami struck Sri Lanka on Boxing Day 2004, for example, one offshore data centre was initially unaffected because it had been safely built well away from the sea. But staff abandoned their posts to help those who were affected.

 
 

INFORMATION AGE ROUNDTABLE DEBATES

This article is based on a recent Information Age lunch, sponsored by BT, which delivers business continuity through consulting, recovery and resilient data centre services. In accordance with the ‘Chatham House' rule, attendees at the lunch are not identified in this article.

Information Age hosts monthly lunch debates for readers to discuss some of the burning issues in IT today. If you are interested in attending future lunches, please email our events manager, Imogen Craig: icraig@information-age.com.

 

 

Recent incidents – whether hurricanes, tidal waves or terrorist attacks – have led to a rapid rise in demand for specialist providers of business recovery services. Several delegates recounted examples of how headline events had frightened their management boards into releasing business continuity funds. In the US, service providers, such as Sungard and IBM, report their services were ‘invoked' by large numbers of customers after Hurricane Katrina.

While these investments may be reassuring to some, the big conundrum remains: how much planning is enough, and how much is not enough? While one manager from a large, publicly listed construction company conceded his organisation is almost exclusively concerned with maintaining the payroll and little else, another lunch attendee said his business has even planned for the possibility that sunspots will bring down communication satellites.

Developing a clear business continuity policy, and setting appropriate budgets, is now one of the more demanding tasks of IT management. In many cases, this involves attempting to comply with new regulations as well as assessing acceptable risks. One IT manager said: "Making a case to the board is hard, but it is even harder to go before investors, regulators or even a court to explain why investments were not made. That's what we try to tell them."

According to Gartner, the IT advisory company, about 4% of IT budgets are spent on business continuity contingencies, a figure that is set to rise. But very few IT directors spent anywhere near that amount.

Douglas Smith, head of customer contract security for BT Global Services, was among those who argued that before companies can determine what they should spend, they should carry out a thorough assessment of the many risks. Only then does a gamble become an acceptable, calculated risk.

Avatar photo

Ben Rossi

Ben was Vitesse Media's editorial director, leading content creation and editorial strategy across all Vitesse products, including its market-leading B2B and consumer magazines, websites, research and...

Related Topics