The demand for continuous information
Recent world events have demonstrated the serious disruption that can be caused by a break in information flow in a 24-hour, seven-days-a-week global economy, writes Rick Cudworth, Partner at KPMG. If there’s one thing that’s certain when it comes to developments in business technology, it’s that 24/7 system availability will continue to be at the top of the business agenda. Now more than ever, interaction between customer and company takes place through technological channels, be they call-centres, email or the Internet. These channels have overtaken traditional face-to-face contact. Over the next five years the importance of these channels to customer communication and quality of service will increase, simply because they allow businesses to become more accessible to their customers in a highly cost-efficient way. But, despite this, few companies are able to measure the cost of IT failure to the business, and with the range of security threats that can bring a business down, information availability remains a tough nut to crack. Recent world events, regulatory pressures and stronger corporate governance mean that business continuity has again become a hot topic. The difference is that now the risks and threats are greater and unspecific, organisations are even more dependent on complex technology and, with the growth of the Internet to support customer transactions and relationships, they are increasingly intolerant of down-time.
The growing challenge of 24/7 availability
In the summer of 2002, KPMG conducted a survey of FTSE senior executives on the importance of different customer contact channels to their businesses. The key findings reinforce the growing supremacy of technology in facilitating this interaction, and the ongoing difficulties faced by businesses in measuring costs. Of those surveyed, 94 per cent of businesses said that their customers now use call centres to contact them, with 88 per cent of those questioned using email and 66 per cent also using the Internet. This compares with more traditional methods, where only 43 per cent of customers still use branch networks. What’s more, 38 per cent of companies now also generate up to 10 per cent of their revenue via the Internet. When questioned on the need for 24/7 access, 52 per cent of respondents described continuous information availability as critical to customer service today, rising to 85 per cent when asked if it would be critical in three years’ time. This underscores the premise that continuous customer access to information will be a growing requirement, and that continuous system and information availability across multiple channels will be imperative. However, despite the growing importance of ‘always open’ technology channels, 75 per cent of businesses had no way of measuring the cost of IT failure to the business, although 80 per cent felt that it would be beneficial to be able to better relate the performance of IT to quality of service. Equally, while 69 per cent did have technology-based service level agreements in place to help monitor IT performance, only 23 per cent actually employed metrics to measure the cost of IT failure. Half of these had lost more than £100,000 from IT failures in the last year, owing to loss of sales and customers or due to service penalties incurred.
The research shows that whilst organisations are striving to improve information availability to customers, and do recognise that technology failures will directly and materially impact on service to customers, they still need to take more vigorous steps to monitor IT performance and be able to directly link it to business performance. What’s more, as the range and severity of security threats grow, the need to have effective means of protecting the IT infrastructure and, therefore, continuous availability becomes imperative.
11/09/01 – The world has changed
Nobody could have predicted the disaster that hit the World Trade Center in September 2001. It was an unprecedented event and even the most thorough business continuity efforts could not have prepared for such a widespread disaster scenario. However, a number of lessons learned from this event are significantly changing the way we look at business continuity and system availability. The first major differential was the scale of the disaster. The entire Manhattan business district was evacuated, leading hundreds of firms to invoke their recovery arrangements and attempt to relocate to alternative sites. Many firms had contracts for syndicated space at recovery sites outside Manhattan, but found that they had been beaten to it by other firms when they attempted to invoke because the recovery companies had sold the same space numerous times to firms within the same area. Despite their hefty annual payments, organisations had no guarantee of recovery space. Secondly, until this point there had been a general move towards consolidation of space and centralisation of group functions. What was seen during the World Trade Center disaster was that those firms that had distributed functions (for example, where two mirrored data centres based in different locations shared the day-to-day load of the business) could continue to operate seamlessly, even if one location suffered a total outage for a number of days. Firms are now readdressing their longer-term strategies and are building continuity back into their day-to-day business operations.
Lessons for availability
There is a variety of business continuity strategies that organisations can adopt. At a high level, these range from resiliency-based rapid recovery options through to plan-based slower recovery options. These options come at great variances in cost, and one of the greatest challenges lies in deciding how much to invest in business continuity. Some different recovery strategies include:
- a mirrored site for immediate failover with minimal downtime;
- an outsourced hot site – a dedicated space with the technological infrastructure set up and ready for restoration of the last day’s data;
- an owned site in a different risk zone (ie not in an area likely to be affected by the same risks) for use as a back-up;
- a reciprocal agreement with another organisation to provide recovery workspace;
- a cold site where equipment and communications will be sourced and installed when needed at the time of the incident.
The level of recovery that is most appropriate to your organisation depends on how much down-time you can tolerate and the complexity of the technology and operations that support your critical activities. If you can survive without operating a business activity for up to five days without incurring major loss then you should look to develop sound back-up and recovery plans and procedures that are thoroughly tested and proven, and good contingency plans for business recovery.
If you cannot tolerate down-time in excess of a few hours, and you depend on complex technology, a strategy that includes a degree of technological and operational resilience will be essential, since traditional recovery will not satisfy your requirements. This is likely to include investment in an IT infrastructure that will replicate and maintain the availability of your information in close to real-time. It is important to remember that in most cases one approach will not be appropriate for every business area. For example, your treasury function may require a high resilience solution involving substantial investment, whereas your back-office functions may be recovered successfully within a week through the use of recovery plans and procedures. However, it should be noted that with ever-more integrated systems it is becoming difficult to apply different recovery and back-up strategies to individual applications, and a strategy for the supporting infrastructure as a whole is increasingly necessary. A business impact assessment is key to helping an organisation invest wisely in business continuity and technology recovery, neither over- nor under-investing.
Steps for protection
So what steps can you take to protect against down-time and ensure maximum availability? There is no single solution to business continuity that can be applied to all organisations. Each company should develop its own arrangements that are appropriate to the size and nature of its operations, its risk profile and its appetite for risk against cost of building and maintaining business continuity. The approach laid out in Figure 1.2.1 is organised into four phases that are executed in sequence and thereafter on a cyclical basis. Each phase is broken down into activities and tasks with practical issues and guidance alongside. The steps may be amended to suit, and may be pre-determined by individual methods and tools already in place.
Challenging your business continuity and information availability arrangements
Business continuity arrangements must be continually assessed, refined and improved. As you assess your contingency plans going forward, it can help to keep in mind the following critical questions, which will help you to strive for continual improvement of your business continuity capabilities:
- Is your business continuity strategy event-driven or risk-driven and stakeholder focused?
- How critical is information availability to your success?
- Are capabilities for managing business continuity aligned with organisational strategy?
- Who are your stakeholders and what is their tolerance for unplanned downtime?
- Does your risk management programme address people, processes and technology as well as the extended enterprise?
- Does your business continuity strategy eliminate single points of failure?
- How do you reinforce key management disciplines to ensure reliable service delivery to all stakeholders?
- Are you maximising the use of your facilities to provide the best possible business continuity structure?
- How do you optimise the value of information flowing across the value chain?
- Does management have timely and independent assurance that its business continuity capabilities are adequate?
Conclusion
Over the next five years the criticality of technology channels to providing multiple customer touch-points and, therefore, better service will continue to increase. Down-time is not an option, and this has significant implications for IT-related business continuity, security and risk management. It is no small undertaking, but by following the right steps it should not be too costly or too difficult a problem to solve.
Useful links
UK links
www.kpmg.co.uk – the website of KPMG containing details of their products and services and how to contact them for further information.
www.thebci.co.uk – the homepage of the Business Continuity Institute who provide the only recognised accreditation for business continuity practitioners in the UK.
www.survive.com – this website of the membership group for business continuity professionals is a good source of background material, articles, training courses and career information.
www.globalcontinuity.com – this is a global portal for business continuity and IT disaster recovery. You can register here for news and articles relating to all aspects of business continuity and disaster recovery.
www.cityoflondon.gov.uk – the Corporation of London’s Security and Contingency Planning Group is available to assist businesses in the City with the development and exercising of their business continuity plans.
www.ukresilience.info/londonprepared – this website was set up by the government after 11 September 2001 to ensure that London is prepared for an emergency.
US links
www.availability.com – a research site on technology availability and business continuity, which also provides tools such as the ‘Availability Cost Justifier’ and discussions on such areas as the White Paper.
www.disasterrecoveryworld.com – a directory of business continuity and disaster recovery software and services.
www.bcpbenchmark.com – a survey conducted by KPMG and Contingency Planning and Management magazine containing useful statistics about many aspects of business continuity management across different industries in the US (eg organisational structure, frequent failures, RTOs, costs of disruption, methods of maintenance etc).
KPMG is the global network of professional services firms whose aim is to turn knowledge into value for the benefit of its clients, its people and its communities. KPMG LLP operates from 24 offices across the UK with more than 9,500 partners and staff. KPMG recorded a UK fee income of £1,373 million in the year ended September 2001. KPMG LLP is a UK limited liability partnership and the UK member of KPMG International, a Swiss non-operating association. For further information on availability services contact Rick Cudworth on 0117 905 4005.
