The second part of Jillian Simms' look at business continuity management gives examples of what firms can do to ensure they are ready for the worst
Getting the right balance between risk and reward is rarely easy. Nowhere is that more true than with business continuity management (BCM).
In our experience, firms often charge in and think of the solution first. Perhaps they sign a contract with one of the many reputable disaster recovery solutions providers (or even, heaven forbid, one of the few less reputable ones). Or perhaps they build themselves an all-singing, all-dancing, back-up site of their own.
A better approach is to start with questions. What does the firm do normally? How does the firm do it? Who does it? What do they need to do it? What does it cost the firm if they can't do it? Are there other ways they could do it? Now we're getting somewhere.
Business people, including lawyers, love talking about themselves and what they do. If a firm can understand their concerns and design a BC plan that meets their business needs, the partners will buy in, they will continue to own the problem and they will quickly see a return on their investment.
A director of the London office of an international law firm recently explained that the firm had decided to cancel their subscription to a contingency site, regarding the cost as unnecessary - instead, everyone would work from home at the time of a disaster. They were yet to gather each department's requirements, but the IT servers were based elsewhere and they had spent a great deal on having a comprehensive remote access capability.
Home-working is often a good arrangement for a small firm, but this firm had not considered whether an office employing almost 900 people could realistically operate in this way. How would they manage incoming telephone calls, distribute incoming and outgoing documentation, manage work flow, conduct client meetings and maintain confidentiality? Perhaps most importantly, where would they go to make decisions and organise everything? Someone's home? An Internet café? Or would it be handled out of one of the overseas offices?
A better approach would have been to conduct a business impact analysis with each of the heads of department. Such an analysis is a structured assessment designed to identify which business activities would be affected by a disruption and how quickly they would be affected. The effects to consider include damage to reputation and regulatory breaches, as well as loss of revenue.
The assessment would help the organisation understand which aspects of the business should have priority when it comes to recovery and how quickly they need to be recovered. It should also give an appreciation of how much money is at risk and so how much should be spent on protecting it.
Once an organisation has an understanding of the problem, it is better placed to select the solution. We have helped numerous organisations implement solutions, ranging from wholly owned contingency sites, contingency sites syndicated from disaster recovery suppliers, displacement of key staff to other offices within the organisation, transfer of the work (not the people) to other offices, reciprocal agreements between organisations and home working.
Similarly, the IT solution does not always mean having back-up data and back-up servers - some businesses need certain systems to be replicated in real time, because restoring them from back-ups would be too slow. For others, it is quick enough for a new server to be acquired or shipped in after the incident.
Once the solution is implemented, it needs to be documented and communicated. Too often, only the head(s) of IT and facilities will know the details of the recovery plan, and if they are not available no one knows what to do.
But the only way an organisation can really be confident that a plan would work when needed is by thoroughly testing it. Too often, tests do not realistically reflect the circumstances that would be faced at the time of a disaster.
The BC plan of the London office of a US investment bank is to transfer business activities to the New York office at the time of a disaster. This plan was comprehensively tested one Tuesday morning when the operations team in New York processed all the London transactions, the New York traders confirmed oversight of the trading books, and the New York sales people communicated with the London office's clients. The New York team agreed that they would not like to work London hours for too long, but they could certainly do it for a few days. This organisation is now secure in the knowledge that the plan should work if it is needed.
An organisation based across three buildings in the City built itself a contingency site about an hour's drive outside the City. Members of the IT team tested to see that the technology worked from the contingency site and business representatives visited to check that it was an appropriate working environment. But when they conducted a full test of an outage of one of the buildings, they found out that the telephony had been structured in such a way that they could only deliver calls to the contingency site if the calls were diverted away from all three normal buildings.
In conclusion, when establishing BCM, assess the requirements of the organisation, implement solutions which are appropriate, document and communicate the solutions, and test to make sure they will work when needed. And remember to review and refresh everything regularly - people, technology and business activities are always changing.
Jillian Simms is a director of Cornwood Risk Management