Business continuity: It is not possible to guard against every risk

which, despite safeguards, managed to affect both the master and back-up databases. In the case of the retailer, a fault in a new storage area network — installed in part to improve resilience — was behind the problem. Neither glitch could have been predicted. Instead, success or failure came down to how well the companies concerned were able to deal with a crisis.

“In both of these cases, technology was an enemy we didn’t know about,” explains Gary Curtis, global lead for Accenture Technology Consulting. The bank was able to minimise its trading losses because it had a strategy for dealing with failure, while the retailer is now able to operate its stores for up to forty hours without connections to its central systems. “You have to plan for failure at a business continuity level. Technology people have to do what they can to put in the redundancy and back-up mechanisms, but there has to be a plan for these things not working, and for keeping the business open,” Curtis points out.

To do this, writes Pritchard, organizations should consider not just business continuity planning, but putting together emergency response teams that can be mobilized if a situation does arise. Such teams need to be multi-disciplinary. The head of IT should certainly be a member, but so should an organization’s head of operations, the risk or security chief, the head of human resources and probably key personnel from public relations and facilities.

Although the CEO should take responsibility for ensuring there is a business continuity plan, the CEO might not be the best-placed person to lead an emergency response team. “Who is in charge will depend on what is important to the business,” says Neil Ellett, a business continuity specialist at PA Consulting Group. “In a consulting or professional services firm, consultants would carry on with their jobs, so the person to put in charge is probably the head of HR.”

There is another aspect to business continuity, though, beyond simple command and control. Firms need to test, and continue to test, their preparedness. Many do not. “Often the CEO says: ‘We need a business continuity plan, and we need it yesterday’,” says Ellett. “So the company rushes out and does a plan, but nobody reads it.” Nor should companies treat a plan as static: technology, business processes, key personnel and regulation all change. Moreover, so do the risks.

According to Ragnar Löfstedt, professor of risk management at King’s College, London, companies and public sector bodies often put too much emphasis on protecting against a recurrence of the most recent threat, rather than planning for the next problem, or for the unknown. This can lead to a lack of flexibility, as well as a misallocation of resources. “Companies that put in place measures to deal with terrorism found they were ill-prepared for natural hazards,” he says. Rather, they need to put in place structures that can cope with the unexpected. “Organizations need a strategy that allows them to be better prepared across the board.”