Analysis: Business continuity: It is not possible to guard against every risk

Published 18 June 2008

Business continuity means more than data back-up systems; businesses need to design their infrastructure with resilience in mind, but at the same time plan for the unexpected — because the unexpected will happen

There is no such thing as a risk-free operating environment. The recent natural disasters in Burma and China, and smaller-scale interruptions such as power cuts or flooding, serve as a reminder of the need to plan for the unexpected. Stephen Pritchard writes in the Financial Times that Ernst & Young’s 2008 IT Internal Audit survey found that executives listed business continuity threats as the third most important risk facing their organizations. The threats posed to day-to-day operations by disasters — man-made and natural — have become all the more real, as organizations rely on sophisticated IT and telecommunications, often coupled with outsourced business processes. “As things become more automated, [CIOs] are concerned that a small component of an application or of connectivity could be lost,” says Richard Brown, a partner in the firm’s technology, security, and risk services business. “A small incident can easily escalate.”

Pritchard writes that this poses a growing challenge, both to IT departments and to organisations’ chief financial officers and chief risk officers. Relying simply on an IT back-up strategy to safeguard critical data, along with physical security measures to protect staff and buildings, is no longer enough. Instead, businesses need to design their infrastructure with resilience in mind, but at the same time plan for the unexpected.

It is rarely possible to provide the highest level of data protection to every application. The cost of doing so would be prohibitive. “Organizations’ plans need to be based on a prioritisation of applications and data,” says David Luff, senior vice-president for software engineering at vendor CA. “If it is a low priority application, it might be OK to recover over a 24-hour period,” he says.

Nonetheless, pressure is increasing for organizations to keep key services running around the clock, both as a result of consumer demand and, often, official mandates. At the same time, the recovery window — the time an organization could tolerate being offline without a significant loss of trade — is narrowing. “In some industries, especially financial services and healthcare,” Pritchard writes, “the ‘recovery point’ has moved further back in time, forcing organizations to ensure they can restore more years’ data than was previously required.” Ray Stanton, global head of business continuity, security and governance at BT, says that “On the consumer side, organizations have already realized that consumers are less tolerant of downtime, but it is now also clear in the enterprise space that