- March 13, 2020
- Posted by: IBA LLP
- Category: Articles, Risk Advisory
Prevention is better than Cure and in this world of uncertainties where one can’t prevent events from happening, being prepared is analogous to prevention
A disaster, be it natural or man-made, throws life off track in myriad ways. Whether it’s the tsunami in 2004, Asian financial crisis, internet virus attacks or a physical health danger like recent COVID-19 outbreak, they tend to disrupt businesses in an unprecedented manner. Not only is there widespread turmoil and anxiety amongst employees, customers and other stakeholders but companies do suffer substantial financial losses. According to latest UN estimate, Covid 19 alone could cost global economy upto $ 2 trillion in 2020 which is a huge leap from research by insurance giant Swiss Re which pegged economic losses from natural and man-made disasters at USD 306 billion back in 2017.
These disasters also bring to light a critical point that planning for catastrophe is essential. It must not be neglected and should be high up on the priority list, since the costs of being unprepared are always higher than planning. In recent times, COVID-19 has served as a wake-up call for companies worldwide to address these challenges. According to Mercer’s ‘Business Responses to the COVID-19 outbreak’ survey (it has insights from over 300 companies from 37 countries),24 percent of companies are still in the process of drafting an initial business continuity plan. That’s not all – the survey also highlighted that 27.2 percent of companies presently have no business continuity plan and are not preparing one in the near future.
To safeguard interest of the stakeholders planning for business continuity is a must in these uncertain times. Disaster Recovery (DR) plans, offshoring data centres in locations across safer zones, or even outsourcing them to cloud service providers completely are some of the ways in which business continuity is being achieved by businesses across the globe. A case in point is Japan, where earthquakes/ floods occur frequently – here, companies have moved their data centres to Malaysia
Contrary to popular belief, Business continuity planning does not have to be a lengthy exercise and require too many resources . Rather it is a policy integral to survival of any business.
They say ‘Prevention is better than cure’ – so why not save lives and preserve data without causing damage?
.
What is a Business Continuity Plan?
By definition, a Business Continuity Plan (BCP) is a document that outlines how a business will continue to operate during an unplanned disruption in service. This document is way more comprehensive and offers contingencies for processes, assets, human resources and all other aspects of a business.
In most cases, these plans contain a checklist that details supplies and equipment, data backups as well as backup site locations. Certain plans also mention the administrators’ contact details, as well as key personnel and backup site providers in case of an emergency. In a nutshell, it is a plan of action that helps to run businesses in the wake of short-term and long-term disasters.
An integral part of a BCP is a disaster recovery plan that includes strategies to handle IT disruptions in networks, servers, personal computers or even mobile devices. The plan must ensure productivity in times of disasters, so that key business processes are not disrupted, or the disruption is at a minimum. In fact, the plan must also have manual workarounds, so that operations are not stalled until computer systems are under restoration.
Here are the three key aspects of a good business continuity plan:
● Provision for capability and processes, so that a business has access to applications regardless of local
failures.
● Building on a plan to keep things running during a disruption, or during planned events such as scheduled backups
or system maintenance.
● Establishing a process to recover a data center at a different site if a disaster destroys the primary site
Why is BCP critical?
You might run a small business or handle a large corporation, but nothing comes before customers. It is critical to be prepared for exigencies and have a contingency plan ready. The biggest challenge today for most companies is to retain existing customers, and at the same time, tap into prospects.
Today, IT is critical for most companies, but this transformation has also brought about vulnerability to cyber attacks and other failures. To begin with, business continuity plans can help with minimising disruptive cyber incidents. For example, such a plan will include ways to defend against these risks, protect critical applications, and recover from breach in the most effective way. In short it provides an answer to questions which arise at the time of such exigency and provides a simple to understand steps customised to the business.
Let’s now speak about exponentially increasing data volumes. Decision support, data warehousing, data mining and customer resource management can require great investment in online storage. According to the IBM Redbooks Business Continuity planning guide, typical yearly growth of new data in an enterprise is in the range of 40% to 70%. What it essentially means is that larger the data to manage, there’s more data to recover.
According to IDC, an infrastructure failure can result in a loss of USD $100,000 an hour, while a critical application failure can cost USD $500,000 to USD $1 million per hour. Data recovery is no longer a one-dimensional approach. According to a research, lack of proper planning does not promise recovery in the medium term, even if the disaster is tackled using some immediate measures. This requires a business continuity plan customised to Company’s business in order to identify and address challenges in processes, applications and IT infrastructure.
An effective BCP can minimise disruption and enhance business continuity. Yet, developing a comprehensive BCP may not be an easy task. This is because each business is structured differently and has a unique culture supported by an equally unique set of processes and regulations. On top of it their systems are highly integrated and distributed across hybrid IT environments. People and technological variables are different for each industry and Company and on top of it a unique network of information and process flows which also is very typical of an organisation.
There are several companies that find it difficult to evolve their resiliency strategies quickly to address today’s challenging business demands. Skeptics may question the extent of preparedness and what if the scenarios created in BCP are not able to address the real life threat that the business may face. They are all justified in questioning but even acknowledging that the threat exists is a good starting point. Each organisation may not be able to achieve a fool proof contingency plan but even Lewis Hamilton cannot guarantee 21 of 21 F1 podium finishes each season.
Hence it is good to have a plan and a process of revisiting in case of any substantial changes in the environment in which the business functions. A tightly sewed plan is best but even creating a boundary with broad directions should be a good starting point.
In conclusion
At the end of the day, every plan must trickle down from the top. Keep in mind that it is important to involve the senior management when creating and updating the plan; it must not be solely delegated to subordinates. In addition, if review and testing of the plan is done from time to time by the senior management, it will remain relevant for a longer term. User awareness is equally critical. If the stakeholders are unaware about the plan, how will they ever be able to react appropriately in critical situation ? Although the nuances typical of an organisation are best known to the management, consultants experienced in the domain play a very important role of brining things in perspective. Just an open dialogue at times is sufficient to bring out chinks in most robust of the plans. Outsourcing the creation of BCP is also a good option for Companies which can not spare their internal resources and also want an experienced team to provide insights.