
FM Special Report

29 September 2006



Replay



By Chris Gilmour

SA's big and small companies are ill prepared for disaster

Business continuity (BC) is not well understood in the business community, though it is one of the most vital components of good corporate governance. Many companies believe that having a back-up IT site in close proximity to their main IT installation is good enough, but nothing could be further from the truth.

In the event of a catastrophe, such as a fire or a large flood, this would be inadequate. Most business continuity consultants advise a minimum of 10 km-15 km distance between mirror sites.

And it's not just IT that's involved in a comprehensive business continuity strategy. What happens if a building burns down? What happens to the people who work in the building? How can they be redeployed quickly and efficiently so the business can continue operating?

WHAT IT MEANS
SMEs do not have BC or DR plans
60% of companies think they are ready

In the aftermath of the first attack on the World Trade Center (WTC) in the mid-1990s, the security services cordoned off the areas adjacent to the WTC for weeks afterwards. Many companies were unable to get access to their premises and went under. Years later - September 11 2001 - few businesses had a similar problem because BC practices were more widely observed by then.

Insurance is necessary but won't help businesses become operational quickly. In the time it takes a business to rebuild it may have lost its market share and be unable to continue operating.

When the offices of Cazenove & Co, a large multinational stockbroking firm, burnt down a couple of years ago, the company was up and running again in three hours, thanks to its foresight and planning. It stayed on its continuity service provider's site for six weeks.

During the power-shedding exercises in Cape Town earlier this year, when the power utilities were unable to supply peak demand power, many businesses suffered and those that didn't have continuity plans suffered the most.

Many large companies in SA - notably the banks and other financial services providers - have comprehensive business continuity systems. But there are many that don't. Many pay lip service to it or have convinced themselves that they are further ahead of the curve than they really are. Most SA companies believe they are ahead of their peers in terms of information security, but a study by management consulting firm Accenture shows there is a significant gap between their perceived level of security and the actual security measures. In fact, 60% of SA companies believe they would rank in the top 30% in terms of the effectiveness of their information security measures.

According to Accenture senior manager Charl Louw, this illustrates the unwillingness among some companies to face the truth of their information security. He says a comprehensive risk assessment can show if companies are securing their information assets sufficiently. According to the study, information security risks are often overlooked in favour of other operational and business risks.

In general, global companies with an SA presence are further along the adoption curve, with higher awareness and better procedures and policies in place than their local counterparts.

Companies in the communications and hi-tech industries, where theft of digital content is a big concern, and in financial services industries, with concerns around phishing and identity theft, have the best security. The study found that all financial services respondents have appointed a director responsible for information security. Financial services companies showed a generally higher expenditure on security than other industries, with 58% of respondents spending more than 5% of their budgets on information security.

ContinuitySA director Jorgen Nielsen says few companies are totally BC and disaster recovery (DR) compliant. "Less than 5% of large corporations are ready for anything," Nielsen says.

"All companies have some aspects of BC in place, with perhaps a smattering of DR procedures for good measure, but most would not be able to recover their businesses in the case of a disaster," he says.

There are a number of reasons for the lack of BC planning in SA. The biggest is the lack of understanding and knowledge.

"Many companies see BC and DR as an IT function and ensure their data is safely stored offsite," says Nielsen. "Some even have mirrored, or back-up, servers ready to take the processing load if the company's main servers are out of action, but make no plans as to how, how many and where employees will go to run the business."

BC and DR cost money, effort and time, and executives are loath to commit to something that seemingly delivers no return. Because they don't understand the importance of BC and DR, these programmes suffer from budget restraints and a lack of resources.

Additionally, there was previously no accepted global standard for BC, and companies simply chose what they wanted to implement. Today this has changed with the imminent ratification of BS25999, which covers everything companies need to know and do in terms of BC and DR preparedness.

Though only a few large corporations have a complete plan in place, Nielsen says he doesn't know of any SMEs that have developed a viable programme. This is dangerous for the SMEs as well as all the companies they deal with.

However, the Gauteng government has recognised its importance and is in the process of establishing BC measures that will introduce resilience to key business processes.

According to Shaun Nel, director of technology & security risk services at Ernst & Young, governments that adopt customer-centric views focus on ensuring more effective service delivery.

Nel says BC demands a thorough understanding of business processes and the identification of those that are critical to organisational survival.

"These core processes are singled out and measures introduced to ensure they can continue to run even in the event of the unanticipated," he says.




    © BDFM Publishers 2012

