Planning for a business-critical event, such as whole business IT sabotage, terrorism or freak weather damage, is regarded as vital by many businesses. But there is a stark imbalance between the number of companies which see business continuity planning as crucial and those who have installed a plan to deal it, says Sarah Coles
Business continuity management has tended to remain a perennial fixture on the corporate to-do list, especially when there is the rather more pressing matter of a turbulent economy to deal with. The Chartered Management Institute’s (CMI) annual survey into business continuity management (BCM) consistently finds the same thing year after year: the vast majority of businesses say continuity is vital (76% this year), and yet under half have a plan in place to ensure it (47%). Among manufacturers, the percentage is even lower — at 40%. However, several factors are combining to force business leaders to finally tick BCM off the list.
Martin Caddick, head of Marsh’s business continuity risk management practice in the UK says: “Board members have a duty to ensure risk is managed effectively, so they need something visible on continuity. At the same time, auditing firms are starting to ask more questions about continuity.” Insurers are also likely to demand that a plan is in place, and Steven Garrod, a director of Garrison Continuity says: “More and more we get clients who say ‘A customer has asked to see the business continuity plan, and we don’t have one, what can you do by Friday?’”
For most companies, continuity isn’t built in a week. The process starts with identifying what is important to the business. Stuart Selden, manager of the business risk consulting group for insurer FM Global says: “The first step is to understand the key products, brands and markets which make the profit for the business and constitute the key contracts.” This needs to be carried out with input across the business. Garrion Continuity’s Garrod says: “Ideally you need a small group of people who are close enough to understand the process, but far enough away to take a view on criticality. You need someone in operations, IT, facilities and people.”
Y2K fear drove IT protection
Manufacturers then need to identify the processes that go towards fulfilling business-critical contracts, and the inputs that are vital to them. This may include equipment, people, plant, key suppliers, or IT. Next, a risk assessment should be undertaken to identify threats to these inputs. This can include system failure (whether IT or other equipment), terrorism or vandalism, denial of access to site, freak weather, failure of a key supplier, or loss of people from pandemic or a strike. These don’t have to be the result of dramatic incidents. For example, Steven Garrod points out that threats to people can be localised and run-of-the mill, such as a work shift taken out by bad seafood in the staff canteen.
Once these risks are clear, a plan can be put in place to deal with them. This comes in three parts. The first is prevention. Gallaher Group, the fifth largest tobacco company in the world, recently acquired by JT International, put together a plan with FM Global in 2007. The prevention part of the process started with ensuring that new plants had physical protection systems, and old sites were retrofitted with them.
The second part of the plan is flexibility, which is built into the business to provide more options in the event of an incident. A large number of companies have considered this in terms of IT, as much of the BCM industry grew out of fear of the millennium bug, so it provided a focus for early work. In many instances this comes at a relatively high cost, with external suppliers charging around £250 to £500 per person, per year to replicate simple IT systems.
There are some manufacturers for whom IT is central. Microchip manufacturer CSR, for example, must stick to aggressive timelines for research and development so as to be first to market. In order to adhere to these timelines there is no room for any loss of IT, or interruptions to data storage. It therefore built a second data centre at a remote site through NetApp, which mirrors live data storage.
Selden at FM Global says many manufacturers more readily accept the need to spend money on this than any other key part of the BCM process which, he points out, is counter-intuitive in organisations where IT is of far less operational significance than key equipment.
Mothballed machinery doesn’t work
Where a particular piece of equipment is vital, establishing flexibility may mean buying extra machinery. Marsh’s Caddick says: “I had one client with huge rolling machines. There were only three of them in the world, and the other two were owned by a direct competitor. There was a two year lead-time to build this equipment, so the only solution was to buy another. During the two years the equipment was on order they added measures to protect the existing machine, housing it with increased protection.”
If it is prohibitively expensive to buy and mothball extra equipment, Selden says: “If you cannot get another machine, ask is it as well protected as it could be? Have you built strategic stocks to see you through the build time? Have you identified the customers who are priorities for those stocks?”
Denial of access to plant also needs to be addressed. Selden points out: “No company can have mothballed facilities. The economics can’t justify it. Manufacturers have to be more creative.” In some instances it involves looking at manufacturing capability across the business. This may involve some standardisation of products so that other factories can take over production. Gallaher, for example, worked to reduce the variety of brands and packaging specifications in order to develop flexibility across the group.
In other cases a vital single supplier may be the risk. Caddick says: “You may go for multiple suppliers so you have in-built flexibility. That may be an increased operating cost, but it mitigates the risk.”
Alternatively, the loss of key staff may need to be addressed. Caddick says: “It may be a management issue. You may want to keep in touch with key retired people who can be called on in an emergency.”
Once flexibility is established, manufacturers need to work on the third part of the piece: plans that only come into use when an incident strikes. This doesn’t have to be scenario-specific. Garrod suggests: “Rather than thinking about catastrophic events, think about what an incident would leave you with, so you can plan for denial of access to the building, damage to the building, key system failure, a key supplier failure, or loss of people.”
So, for example, if a supplier was threatened, the business could have plans in place for how to deal with it. Caddick says: “You need to establish where an alternative supply would come from. Then you need to work out how you would go about transferring to that supplier, passing over blueprints and tooling. You can have all this in place without actually having to push the button.”
Snow stops six million
These things together produce a workable plan. However, it doesn’t stop here. Organisations have to back it up with training and practice. This isn’t always as rigorous as it could be. The CMI survey found that just under half of those with BCM plans regularly practice for emergencies, despite the fact that 78% of those who do drills, say it revealed shortcomings in their plans. Selden points out: “We test our plans with desktop scenarios. You can learn an awful lot about whether the plan is going to work, and you can use that to improve it.”
In the end, the very nature of BCM is planning for the unforeseeable, so the final result cannot accurately predict the nature of the catastrophe that’s going to befall the business. At the end of February this year, as six million people failed to make it into work because of heavy snowfalls, there were undoubtedly few businesses that could look up a solution in their BCM under the word snow. Instead, those who had been through the process would have made the tough prioritising decisions and had a road map for operations directors dealing with the fallout, while those with BCM still on the ‘to do’ list would have been snowed under.