Released by: The Edge
Date: 25 June 2007
The catalogue of mega disasters since the new millennium began ranges from SARS, avian flu, typhoons, earthquakes, tsunami and flash floods to terrorism (9/11 and worldwide targeted bombings) and corporate governance failures (Enron and WorldCom).
Malaysia too has not been spared. The tsunami on Dec, 26 2005, the floods in Johor last December and the Taiwan earthquake, which disrupted communications when undersea telecommunications cable was cut, took a toll on both people and business.
A Gartner survey of IT managers in 2000, for instance, indicated that around 60% of companies globally do not have a business continuity plan and strategy in place to mitigate the effects of a disaster. Research also shows that two out of five companies that suffered a disaster usually did not last five years. It is unlikely that the situation is any different today.
Therefore, companies need to embrace business continuity as part of corporate diligence and management accountability. Sadly, many Malaysian companies are still inadequate when it comes to preparing for business continuity and its importance for the organisation's future survival.
What exactly is business continuity and how should one go about developing it? Business continuity, or sometimes called contingency planning, is a management process that zeroes in on all the potential flash points that are likely to disrupt, damage or destroy a company's operations and established reputation, brand name and its operational excellence. It also outlines the appropriate solutions to
counter such external threats. A good business continuity programme sets the stage for a company to be vigilant and prepared for the worst, which in turn ensures that it becomes more resilient against possible future threats.
A business continuity programme is much like the emergency instructions one gets on an airplane. Put simply, it is a detailed series of steps to take in the event of a disaster and only kicks in when a crisis occurs. But to many an old fashioned manager, business continuity itself is nothing more than an IT buzzword, not worth their time or their effort.
Blueprint for risk and disaster management
Business continuity is actually less about technology and more about it being a part of the overall management of risks when doing business - consider it as an integral aspect of the operational risks. It ensures that the business goes on despite a disaster. Aside from it being a blueprint for disaster management, business continuity also enhances the organisations' business processes and deliver
a more consistent performance overall.
But first, one must begin by formulating the strategies for business continuity and then embed them into the organisation's processes. A flexible framework or a detailed checklist for business continuity should include information pertaining to the organisation's historical, current and future status, possible vulnerabilities and likely threats, the potential risks and the alternatives that are
available for disaster recovery and management to be a success.
The blueprint should also encompass potential (think the unthinkable) disaster scenarios, risk analysis and business impact reports, remedial timelines and costs versus risks and critical applications. It should also feature a comparison of actions taken by the competitors, identify the gaps, possible needs, the funds required and then create and develop a well-defined set of disaster recovery
procedures. The list is ever evolving because the requirements for an organisation to be in a state of preparedness will change over time.
Technology Disaster
It is not just natural disasters that make business continuity plans necessary. With technology underpinning many a corporation's activities, hacking and digital blackouts can cripple the organization. Critical mission businesses such as airlines and banks are particularly vulnerable to this threat.
For example and not surprisingly, banks now have to comply and put in place some business continuity guidelines to forestall possible disruptions to their activities. Bank Negara Malaysia sees this initiative as less about IT disaster recovery and more about responsible business planning. It also stipulates that the "recovery time objectives" and "maximum tolerable downtime" for payment systems
and "critical business functions" should only be four hours. Five "levels of disruption", ranging from a department outage to a nationwide disaster, have also been introduced, requiring banks to make plans to respond to all of them.
Organisations taking the business continuity route should make it a point to first identify all the critical business functions that could be negatively impacted should a disaster or a risk occur. Disruption caused by the disaster could have a strong and material impact on the operations, performance and even the reputation and goodwill of the company concerned. So it is best to prioritise all the
various critical functions that the business relies on.
An annual risk assessment check should be carried out in anticipation of the disruption caused by any disaster and the potential damage that may arise. Factor in the short, medium and long-term periods and visualise all the possible disaster scenarios and your agreed response to each crisis - major power outages, stormy damage, possible bomb blasts, infernos and so on.
Business impact analysis - uncovering business vulnerabilities
A business impact analysis should also be included as part of the business continuity framework and this should factor in all the impact and effect on the operations: the financial costs, the possible loss of income, loss of goodwill, business vulnerabilities, the various levels of obstacles and challenges likely to be faced, the possible time frame for recovery needed, the search for all possible
alternatives and the impact on the staff, stakeholders and shareholders.
Responsibility for the adoption and implementation of the business continuity management lies squarely with the board hand and it should be made wholly accountable for the effectiveness of the plan and strategies prepared. This is because the board's support is crucial for the success of the business continuity programme, as it will trigger the flow of funds and commitment of top management that
is needed to get the whole exercise up and running.
Selling the business continuity concept to a sceptical Board can be a real challenge so it is best to find a uniquely creative and simple way to get the concept across to the powers that be. It helps too if one is fully prepared with all the facts, figures, data, probable scenarios, risk factors, alternatives and strategies that will lend credibility to the proposal.
Remember, getting top management to embrace business continuity will determine whether your organisation sinks or swim when the next disaster strikes.
Dr Wilson Tay is CEO of the Malaysian Institute of Management, the national management organisation of Malaysia. MIM invites companies and professional managers to be members. Contact MIM Membership Support and Outreach at (603) 2164 5255; fax (603) 2165 4681; e-mail:enquiries@mim.org.my or visit www.mim.org.my
