Greg Inge warns that despite years of warnings, Australia remains unprepared to cope with the business impact of a global health pandemic. In the following article, first published in Strategic Path magazine, he outlines the key elements of a successful Business Continuity strategy. Greg (CISM) is Director, Business Assurance, for CQR Consulting www.cqrconsulting.com, an Australia-based company that specialises in providing independent Information security services to customers in Australia, Asia, Europe, the UK and the US.
Kerry Packer had an intuitive grasp of Business Continuity planning. In 1990, while playing polo at Warwick Farm, Sydney, the “Big Man” suffered a heart attack that left him clinically dead for six minutes. At the time, very few ambulances carried a heart-starting defibrillator, so it added to Packer’s legendary luck as a casino king hitter that the ambulance which responded to his emergency call had one fitted. After he recovered, Packer donated a reported $1.5 million to the New South Wales Ambulance Service to fund equipping all the State’s ambulances with a portable defibrillator. As well as being a magnanimous gesture, the donation also increased the odds that a "Packer Whacker" would be aboard the next ambulance Kerry had recourse to. As the pre-eminent strategic asset of Australian media giant PBL, Packer’s longevity was an important part of the organisation’s Business Continuity as he prepared son James to take the reins.

On a more mundane, but no less critical level, the primary purpose of Business Continuity is to provide for the protection and restoration of business and IT facilities and to reduce the consequences of any incident.

Risk Management

Business Continuity is not just about dealing with a disaster, but with all levels of incident or disruption. Disaster Recovery Planning (DRP) is just one component of Business Continuity Planning (BCP). It is about using contingency planning to manage down the risk to the business of exceptional circumstances. BCP should allow the business to continue to operate during incidents or disruptions. These may range from external threats such as a terrorist attack, a natural disaster or a pandemic, through to localised and more common incidents such as loss of key IT systems or specific skill sets within a department. An effective Business Continuity management program has the following five key elements:
- A governance structure establishing authorities, roles and responsibilities for the program;
- An impact analysis to identify and prioritise the organisation’s critical services and assets;
- Plans, measures and arrangements to ensure continued availability of critical processes;
- Activities to monitor the overall readiness for the organisation; and
- Provision for the continuous review, testing and audit of Business Continuity plans.
CQR Consulting has assisted many organisations to perform risk assessments and develop management frameworks to ensure that identified risks are addressed in an effective and timely manner. Risk Assessments are generally undertaken within the framework of the Australian standards AS4360:1999 or HB231:2000. However, other risk assessment methodologies and frameworks may be used, depending on the organisational objectives and requirements. Other frameworks include CQR’s internal risk assessment and management methodology, which is based on ISO 27001 (formerly AS/NZS 7799), or the NIST Risk Management Guide for Information Technology Systems.

Business Continuity Planning

CQR Consulting provides ongoing services for a number of customers that require BCP, DRP and risk management. CQR has significant exposure and experience in assessing global BCP and DRP scenarios and impacts through the work we undertake in the US, UK and Europe. As a result, CQR utilises a range of methods to assist with Business Continuity, depending on the customer’s situation. These range from physical presence at a customer site through to providing Web portals with supporting tools, templates and procedures for customers with globally distributed operations. Through the use of best practice programs such as the BCM handbook HB 221:2004, viable Business Continuity management programs focus on three complementary features:
- Risk reduction: the management of risks to prevent an incident and/or disaster. This is done by identifying and assessing the risks faced by our clients at their premises which could result in an incident and/or disaster;
- An Emergency Plan: this is achieved through crisis management of the incident when it occurs (Incident Management) to lessen its impact and to prevent it from developing into a disaster; and
- A Business Continuity plan: this plan provides for the fast, efficient resumption of essential business operations by directing the recovery actions of specified recovery teams. The three elements to consider are office services, Information Technology, and human and other resources.
Business Continuity Overview

The first step to build a Business Continuity plan is to identify which operations and supporting activities need to be restarted after an incident and/or disaster, the maximum acceptable time limits by which they must restart and the resources needed to restart them. It is also essential to identify contingencies for the required resources, including alternate approaches to operations, and to select a cost-effective strategy for resuming normal operations. Once these steps are complete, develop the Business Continuity plan to guide and direct the resumption of operations. Next, test your plan, train your staff in how to use it and maintain the plan so it remains perpetually current and relevant to your operations. The Business Continuity program must ensure the integration of business requirements into the IT Disaster Recovery plan, so that the IT department can provide services required by the business in recovery mode. It is also essential to recognise that the roles your people play are critical to ensure maximum benefit to any business when implementing a Business Continuity Management program. You need to appoint appropriate personnel within the departments to own the Business Continuity program. Identifying application systems owners within the business is important to collect information about the value of applications in relation to the ability of the business to function. This process also quantifies the impact on the business if the application and the information it maintains are lost or unavailable.

Building your Business Continuity Plan

The actual documentation process is simplified by implementing a set of tools and templates to assist the business in gathering the necessary information to construct useful and accurate plans. Core components include a questionnaire relating to key risks and the likely impact of various incidents (Business Impact and Risk Assessment).
This is followed by a workshop, which seeks to identify the critical elements within the business unit such as key staff, assets and IT systems. The information from these sources is then used to populate the main body of the Business Continuity plan, a process that should take from three to five days of effort. The final part of the plan is for each business unit to insert information relating to alternative ways of functioning without access to these critical elements. Testing the components of your Business Continuity plan is critical to ensure your plan works when it is required. This is done by drafting and confirming a testing schedule for each business unit’s plan. It may also require the creation of a number of key processes and tools to assist the business to maintain and test Business Continuity plans. Internal communication plays a central role in success. By scheduling meetings between the business and IT, you ensure both effective communications and the creation of results-oriented plans. The plan development process needs to keep management informed of progress, so that there is full organisational ownership of and engagement with the Business Continuity plan. Regular management meetings are required to re-assess the priority of the applications at a corporate level. This will allow modifications to the critical recovery lists, affecting both BCP and IT Disaster Recovery.

Elsevier: A Business Continuity Case Study

Global publisher Elsevier recognises that Business Continuity planning is part of good business practice. Accordingly, the UK-based company has implemented a program to ensure that all its business units globally have Business Continuity plans. Elsevier is a world leader in multiple-media publishing, including high profile titles such as leading medical journal The Lancet, a weekly magazine that has not missed an edition in 183 years.
The company’s 20,000 products and services include journals, books, electronic products, services, databases and portals serving the global scientific, technical and medical communities. Elsevier, a £3 billion-a-year company based in Oxford, England, has 7000 employees at more than 100 locations around the globe. Each Elsevier site maintains a Crisis Management Plan addressing major incidents that may affect that location. Information regarding such incidents cascades down through the members of the site’s Crisis Management Team. Membership of the Crisis Management Team includes the Managing Director/Head of House and the senior managers for the key business units at that location. Elsevier has adopted a global approach focussing on each business unit. As outlined above, the key components are completing the Risk Assessment questionnaire, holding a workshop to identify the critical elements within the business and then using that information to populate the main body of the Business Continuity plan. Individual business units then insert information about alternative ways to function without access to these critical elements. Elsevier has a Global Business Continuity Team which, in conjunction with the local facilities managers, manages the overall process and ensures each business unit develops and maintains its own plan. Although outside the scope of the Business Continuity plans, the responsibility of IT operations personnel for the recovery of IT systems and data centres is closely aligned. Within each Elsevier business unit, there are a number of key roles. The most senior manager at each geographic business unit is nominated as the plan owner. A BCP Coordinator is appointed to coordinate the efforts of the various individuals who contribute to creating the plan. On an ongoing basis, the BCP Coordinator liaises with others within the business unit to ensure that the plan remains current.
Business Continuity Plan Checklist

A typical Business Continuity Plan for a business unit contains the following key sections:
- How crisis and incident management is performed;
- Information about your business unit including critical business processes and critical assets they use (e.g. applications, physical records);
- Contact information for key staff, suppliers and other third parties;
- Task lists addressing key continuity and resumption actions. These represent what you can do to keep your business processes going;
- Details of alternate work locations and strategies for all key people in the event of a major incident;
- Any reference documentation that is required to support the information contained in the plan; and
- A list of critical telephone numbers, fax numbers and email addresses that are used by external parties to communicate with your business unit.
Expecting the Unexpected

Business Continuity plans provide a thorough process with which to expect the unexpected. However, despite years of warnings, Australia remains unprepared to cope with the business impact of a global health pandemic. The 2003 SARS (Severe Acute Respiratory Syndrome) epidemic in South East Asia and Canadian cities provides a textbook example of the commercial impact of an event that is totally unrelated to business operations. The highly contagious disease, which killed nearly 10 per cent of people who contracted it, caused the extensive curtailment of business travel to South East Asia and Toronto, cancellation of major conferences and 10-day home quarantines for people suspected of having the SARS coronavirus. Accordingly, the business impact was massive. Members of our team, who worked in Singapore during the SARS outbreak, gained first-hand experience of dealing with the impact of a pandemic. As well as working from home, they were required to present a medical certificate to attend work and had their temperatures recorded twice a day as part of Health Department monitoring. Since then, CQR has worked with a large number of businesses internationally that invested in Business Continuity plans to survive operationally during an outbreak of a pandemic such as the nascent threat of Avian Influenza (Bird Flu). This planning covered security issues as diverse as remote working and identity verification. In the UK and Europe, businesses were very scared of how a pandemic, or even the threat of one, could impact on their operations. They were asking how to keep their business functioning if Bird Flu hit. This is a fundamental process of risk management and Business Continuity planning. Although this risk is not yet appreciated in Australia, a pandemic represents a big problem in this age of global outsourcing. For example, call centre environments are full of people, which makes them ripe for spreading contagious diseases.
A lot of Australian businesses that have outsourced call centres and software development to India need a continuity plan in place in case disaster strikes.

Turning Adversity to Advantage

Indeed, forward-looking organisations are extracting business benefits from Business Continuity budgets. By asking where they can benefit from investing in risk mitigation, they are reaping improvements in business productivity by allowing people to work from home, a central tactic for continuity in the event of a pandemic. This creates a return on their investment without the pandemic occurring. Now that’s a result that Big Kerry would have relished.

About Greg Inge

Greg Inge (CISM) is Director, Business Assurance, for CQR Consulting www.cqrconsulting.com, an Australia-based company that specialises in providing independent Information security services to customers in Australia, Asia, Europe, the UK and the US. Greg has more than two decades of experience in information technology, with more than 11 years’ experience in Information Security. His competencies include security strategies, policies, risk management, Business Continuity and Disaster Recovery planning.