Mark Vernon reports from London on the effect of the latest terrorist attacks on business continuity planning for financial services companies.
London is still reeling from the aftermath of the July 7 bombings and the unexploded bombs that were a near-miss two weeks later. Much has been made of the mythical "blitz" spirit of Londoners like myself, though in truth there aren't as many people on the tube and in the shops as usual. However, for all the inevitable nervousness, business operations have not been disrupted.
Of course, the London bombs did not destroy any of the city's commercial infrastructure, though many firms were on standby as the extent of the damage became clear—particularly the capital's financial institutions that are so vulnerable to systems going down. And it has provoked a reassessment of business continuity planning (BCP). What has emerged from that is interesting. In short, BCP is increasingly seen as a bread-and-butter issue, not one that is a reaction to exceptional, if horrific, events.
Research shows that terrorism is not the primary reason why companies are concerned about business continuity at all. Rather, they simply want to know that they can rely on IT systems, come rain or shine. The tightening regulatory environment is also encouraging increased investment in BCP. In fact, according to disaster recovery specialist SunGard, only five percent of businesses in the United Kingdom say that terrorism poses a primary threat to them at all. That figure has dropped from over a third in 2003.
Financial firms emphasize continuity instead of "recovery"
"9/11 caused people to focus on just one of the drivers of business continuity spending, and two years ago this event was still at the forefront of people's minds," says Keith Tilley, UK managing director and senior vice-president Europe at SunGard. "This year's survey reflects a trend towards a more pragmatic view and the reality that terrorism accounts for a small number of our customers' problems. It's encouraging to see a trend towards a more pragmatic view. The more mundane incidents—power outages, software or hardware failure—can have just as devastating effects."
Banks have also become much more sophisticated in the strategies they adopt to ensure continuity. A combination of reactive and proactive measures is now the norm; that is, there is less of a tendency to see the issue as one of disaster recovery and more as one of business continuity—involving high availability infrastructures often delivered by managed services. "Backing up the company data once a day no longer constitutes an effective contingency plan, because it can take days to recover the information for staff to use," continues Tilley. "As technology becomes ever more complex and our reliance on it increases, recovery of critical applications should take seconds at most, not days." The goal is that for all but catastrophic disruptions, staff should not even be aware of an interruption.
A good example of this lesser incident was experienced by Royal & SunAlliance, an international insurance group. Last year, a fire in a tunnel in Manchester, in northwest England, caused a major disruption to telephone lines in Royal & SunAlliance's main offices. 130,000 landlines across the region went down for a whole day and communications problems continued throughout the following week.
This was a serious incident for two reasons. First, rerouting calls is a complex matter. So, a company without the capability to work around any outages would simply lose its calls. Indeed, the problem is compounded since following any incident there is inevitably an increase in the number of calls people make—often by landline since the mobile networks become jammed. The second reason the incident was serious is that it compromised the bandwidth available to Royal & SunAlliance.
Luckily for Royal & SunAlliance, SunGard had recently upgraded a recovery center some distance from Manchester, and outside the impact zone of the fire. In short, bandwidth was restored within two hours of the incident being reported, and within four hours all telecom services were fully operational, and servers and desktop PCs were in place for staff to use.
This seems typical of the post-9/11 attitude towards disaster recovery. Not because of terrorists, but because of all the other hazards a business may face, it has become business as usual.