Issue dated - 23rd August 2004


BCM: logical backward integration from disaster recovery

IBM offers it. Wipro offers it. Satyam offers it. The demand for disaster recovery services is growing by the day, says DHIRAJ LAL

ACCORDING to the US-based Disaster Recovery Institute (DRI), a disaster is “a sudden, unplanned, calamitous event causing great damage or loss.” Examples of recent disasters in India are the Orissa cyclone, the Bhuj earthquake and the Mumbai riots. In the business environment, even relatively minor events could be termed as disasters if they prevent the organisation from providing critical business functions for some period of time. Examples of such events are a fire, an Internet virus, telecom or power failure, even unanticipated resignations of key employees. Depending on the severity of the events, they can result in major consequences for the organisation which may include loss of life, revenue, market share, public image and customer confidence—and lead to the eventual closure of the business. As per Accenture, “Some estimates suggest that around 40 percent of businesses experiencing a disaster never re-open, and almost 30 percent of those that do re-open close within two years.”

While Disaster Recovery (DR) refers to the aspect of recovering from a disastrous situation (and is more reactive), Business Continuity Management (BCM) is more proactive. This involves anticipating potential disasters, and proactively putting in place actions and activities to either reduce or totally eliminate the risk to the business from such events. It’s the old adage brought to business: prevention is better than cure. In that sense, DR and BCM are closely intertwined, and together they offer a comprehensive approach to both reduce the vulnerability to a disaster and mitigate the impact of said disaster on the organisation.

It is recognised that organisations may not be able to provide the normal level of operations in the event of a disaster. However, the objective of an effective BCM plan is to ensure that the organisation is able to at least perform all mission-critical activities, i.e. the functions that are non-negotiable for key stakeholders such as:

  • customers (e.g. account balances to phonebanking customers on a real-time basis)
  • suppliers (e.g. committed payments to be made on due date)
  • employees (e.g. salary received on payroll day)
  • regulators (e.g. statements filed and reporting done on due dates)
  • investors (e.g. financial results declared on due dates)

Ultimately, the intention is to return the entity to normal operations as soon as possible.

The key elements that need to be managed in a DR situation are employees, facilities, assets, technology and data. Technology and data, being intangible, are more challenging to manage, and need specialised skills which are often provided by IT companies. As a matter of fact, this dependence continues to increase as companies get more reliant on technology and automation.

Given the huge interlinkages between business continuity and DR planning, this provides a great opportunity to IT companies that provide DR services to also backward integrate into offering BCM services. In this way, they are able to effectively provide an end-to-end offering to customers, and not only help with thought leadership in conceptualising the business continuity strategy, but also help in working out the details, implementing the plan, identifying and training resources, and testing periodically.

In India, big tech companies have already started offering integrated DR and business continuity services. IBM’s web site states that IBM Business Recovery Consulting Services offers “expertise to effectively assess risks, implement recovery strategies, and reduce the impact for a customer organisation in the event of a prolonged outage.” EMC recently ran a seminar on business continuity. International consulting firms such as PricewaterhouseCoopers, Ernst & Young, KPMG and Deloitte already offer consultancy on BCM and DR.

So what do you need to do to put in place an effective BCM plan? Assuming you have backup plans in place for the five stakeholders above, does that mean you will be able to restore a minimum acceptable level of operations? Or do you need to do more? Do you have to evaluate any potential risks that your business faces? Understand the critical activities and service standards which your stakeholders would expect, even in a disaster? Assess what the recovery time objective (RTO) is, i.e. how long you can afford not to perform critical activities without losing goodwill or revenues? Consider the impact on the business of not performing these activities? And then plan well in advance for each situation, e.g. how you would respond to a fire vs a technology breakdown (each would have a different impact, and hence a different response)?

These might sound like simple questions, but as always, the devil is in the details. In reality, the approach to address these questions really forms the essence of an effective business continuity plan, and provides the basis on which all subsequent decisions must be made. Does the organisation need a hot site or can it manage with a cold site? Could employees simply work from home instead? What systems and data are needed during a disaster, and in what priority? How many workstations, printers and servers would be required?

It is in order to address such issues that DRI and the Britain-based Business Continuity Institute (BCI), the two main bodies recognised as the world leaders in providing knowledge on BCM, have collaborated to propose the 10 professional practices for BCM Practitioners (see box).

This brings us to the question: why would a company want to outsource BCM when it could develop these skills in-house? Some key factors for the Build vs Buy decision are:

  • Option: In-house or Outsource
  • Size: Large or Small
  • Geography: Spread out or Localised
  • Nature of Business: Highly diversified or Relatively similar
  • Degree of change: High or Low

Just like the legal function, some companies outsource this function, some do it in-house. The reality is that it takes more effort to create an effective BCM programme than to update and run it on an ongoing basis. Also, in order to do justice to this function, there is a need to keep abreast of the latest developments and thinking in the field, and learn from the experiences (read ‘mistakes’) of other companies. However, unlike the legal function, there is a huge scarcity of trained BCM experts.

Certification for business continuity planning in Asia is provided by DRI Asia (http://www.driasia.org), the Singapore-based affiliate of DRI, which is recognised as the world’s leading certification body for BCM services. DRI Asia also runs courses in India from time to time. BCI offers membership to BCM practitioners to confirm their expertise as BCM professionals. Taken together, the total number of professionals who have been accredited by either DRI or BCI across the world is estimated to be about 3,000. Since BCM is a relatively new field, this number is minuscule compared to other certifications such as the CISA, which boasts of a global membership of 30,000+. A random scan of web sites indicated a large number of vacancies for BCM professionals, particularly in the US.

Clearly, there is only one way this field can go. Up.

Dhiraj Lal works as the head of business continuity and global process integrity at the BPO operation of a large American financial services company. He is CISA and Six Sigma Green Belt certified. The views expressed by the author are his own. He can be contacted at dhiraj@dhiraj-lal.com

10 professional practices for business continuity planners

1. Project Initiation & Management
2. Risk Evaluation & Control
3. Business Impact Analysis
4. Developing Business Continuity Strategies
5. Emergency Response & Operations
6. Developing & Implementing Business Continuity Plans
7. Awareness & Training Programmes
8. Maintaining & Exercising Business Continuity Plans
9. Public Relations & Crisis Communication
10. Coordination with Public Authorities

Source: DRI

© Copyright 2003: Indian Express Group (Mumbai, India). All rights reserved throughout the world. This entire site is compiled in
Mumbai by The Business Publications Division of the Indian Express Group of Newspapers.