Disaster Recovery or Business Continuity Management?

 Disaster Recovery or Business Continuity Managemen...: Disaster Recovery or Business Continuity Management (BCM)?
My research has necessitated this informative piece. Often times when engaged in discussion with professionals about business continuity, their reoccurring idea has been disaster recovery and this has been the position of scholars, business executives, accountants and many more professionals. This then suggests that there is an informative or communication gap within this discipline and this explains for the reason why it has received little or no attention in developing economies of Africa and Asia...

Disaster Recovery or Business Continuity Management (BCM)?

Disaster Recovery or Business Continuity Management (BCM)?

My research has necessitated this informative piece. Often times when engaged in discussion with professionals about business continuity, their reoccurring idea has been disaster recovery and this has been the position of scholars, business executives, accountants and many more professionals. This then suggests that there is an informative or communication gap within this discipline and this explains for the reason why it has received little or no attention in developing economies of Africa and Asia and as such many business leaders especially in Africa still do not recognize the starting point in developing these capabilities. There is need to establish that there is a significant difference between disaster recovery and business continuity while the former is reactive, the later is proactive in nature.

Prior to the September 11 attacks which awaken the need for business continuity management, disaster recovery has been the order of the day. Business continuity management has evolved significantly over the past decades following the terrorist attacks of September 11 and subsequent events. Epidemics such as the H1N1 influenza also bring BCM to the forefront since they can potentially bring a business to a halt. However, BCM has evolved from what is known to be disaster recovery. Disaster recovery is defined as “the restoration of computing and telecommunication services after an event has disrupted those services. Some scholars identified disaster recovery as mainly focusing on getting hardware, software and data up and running after a power failure. Ginn (1989) also described disaster recovery as a process required to enable survival and recovery from a disaster to a computer centre. Again, experts suggest variations of this definition, but a common point from the definitions is that disaster recovery is a reaction to a disaster and its responsibility lies solely with the IT department of the organization. These views focus more on restoration after the damage has been done with dependencies on IT infrastructures. Moreover, disaster recovery planning often overlooks the human element which is a critical resource for business survival and actual performance of the critical business functions. As disaster events were encountered and businesses were failing to fully recover based on their disaster recovery plans, it then became evident that disaster recovery has been short-sighted, limited and insufficient in so many capacities.

Disaster recovery programmes are not sufficient to protect business from the threats of business failure or act of bankruptcy following a major disaster event, rather taking a preventive measure to lessen the risk of a disaster occurring seems to be a more proactive and strategic view. It is for these reasons that gave birth to business continuity management.  Although, both terms seem to be used interchangeably, there is a distinction between them. While the former is reactive in nature with focus on technical recovery process, the later integrates strategic preventive and proactive measures. The emphasis has now shifted from reactive (recovery) to proactive (preparedness) to minimize disasters and its impacts through proper planning. It is however important to note that, many effective continuity strategies have emerged from disaster recovery efforts in the IT function during the past decades and many of the same principles as applied to disaster recovery are today been applied to BCM. In essence, an effective business Continuity management and emergency programme therefore encompasses the elements of both disaster recovery and business continuity planning.

Business continuity management has evolved over the past four decades to embrace a more comprehensive preparedness and protective measure. The convergence of crisis management, business continuity and infrastructure protection best practices has given strategic direction in the domain of enterprise resilience and a cross company perspective. BCM’s rising importance and IT based history have created internal debates about who owns the BCM function and how BCM relates to a company’s existing risk management efforts. Business Continuity Management is now identified as complementary to a broader Risk Management (RM) Framework that aims at identifying the business risks and the consequences from their occurrence and further as a subset of the entire enterprise risk management.

For most corporations in both private and public sectors of the country, focus has been on the traditional view of recovery after a disaster with heavy reliance on insurance. There are certain risks that cannot be protected by insurance, but can only be managed by business continuity or contingency planning. Although, insurance on the short term will provide compensation and support in loss events, it does not provide or guarantees organisational resilience. However, long term issues such as reputation damage, loss of market share, public and investor’s perception and customer confidence are not indemnified by such insurance. It is so saddening that as a Nation we are still of the traditional view of disaster recovery. There is no guarantee that your business or enterprise will return to normal following a disaster if you are waiting to implement recovery procedures. Usually, recovery plans don’t take into consideration human resource element, rather it is limited to IT facilities and back ups. Further lesson from 9/11 is that organizations need to think of the company as a whole, including people and processes, as well as IT. Prior to 9/11, many firms in the United States did not really take account of staff in their plans.  Having remote data centers is very good, but if there are no staff, or absent key staff as a result of an incident, this can bring an organization to its knees. After the collapse of the world trade center, staffs were evacuated and backup facilities were without either primary or back up personnel to execute the BCP and keep the business operating. This places the need for employee consideration in terms of communication, transportation and welfare in BCP planning and not just focusing on IT and data recovery centers. 

The attitude of Nigerian businesses towards BCM connotes the saying” we want to incur the losses and then our insurance will pay”. The question is why would you want to suffer losses that have strategic implication on your survival and continuity when you can be proactive, plan ahead and minimize losses that will erode investments and losses which would have been potentially invested in the provision of public goods?

 Disaster recovery Vs BCM

• While BCM will provide protection against unforeseen and anticipated disruptions to business, thereby limiting impact and losses both financial and otherwise, companies with dependence on disaster recovery are exposed to the severe losses (Investment, human resources) arising from a disaster event.

• While BCM provides strategies to continue operations irrespective of any disaster, Disaster recovery plans suggests that a temporary or permanent closure of business operation in the event of a disaster event.

• Usually, there is a gap between the occurrence of a disaster and recovery. While this gap exists, the business is open to reputation damage, negative public perception, share and stock devaluation, litigation and so on. However, with BCM, no gap created as business resumes operation immediately while implementing the BCP.

Overall,  it is clear that dependence on disaster recovery is a short-sighted strategy, hence a well thought, prepared and holistic strategy will not only minimize the risk of business disruption, but will also minimize liability exposures, reduce financial loses as well as operational and reputation loses. Government agencies and parastatals across all levels together with business enterprises must have a change of focus to pursuing BCM rather than relying on recovery. Unless we prepare in advance, a crisis/disaster event will inevitably shut down flow of business operations. It is unlikely that businesses without an effective BCM strategy will react positively during such an event and the probability of survival and recovery is next to zero.

Insurance Vs Business Continuity Management (BCM)

Insurance Vs Business Continuity Management (BCM)

Adelakun Oluwafemi Adeshola MBA Risk management, AIOR, ARMA

Many scholars have argued the relevance of insurance to business considering the unpredictability of events and disruption to business and conclude that all that is needed to buffer for losses is Insurance. This view is true to an extent, but short-sighted as it doest not give consideration to long term  issues of continuity and sustainability. Insurance often provides support and recovery aid following a known loss or disaster event. while some some companies struggle to recover after a loss even after being indemnified by their insurer, some automatically goes into ceassation following a disaster event. it is therefore important to understand the role of insurance within an enterprise and accord it importance where necessary. More often than not, organisations rely heavily on insurance and have replaced the need for continuity strategies with reliance on insurance. Businesses don’t see the need for business continuity strategies or they are ignorant of the need for BCM.  Traditionally, insurance only provides indemnity against tangible losses while the intangible loss which affects the business on the longer term is not covered. This is much aligned with the concept of disaster recovery. However, most businesses don’t tend to recover even after the insurance aid/indemnity. Often times, there is a gap between the time of incident and recovery and competitors who are more strategic will leverage on this for competitive advantage. Following the complexity and stiff competition within our current market and operating environment, it is unwise for business to still rely solely on insurance as a guarantee for indemnity against losses, rather, the focus should be on how business will continue and resume operation in the face of disruption or disastrous event. This strategic view is what is known as Business Continuity Management (BCM). Businesses which focus on recovery rather than continuity will always be a strong advocate for insurance. Although, insurance on the short term will provide compensation and support in loss events, it does not provide or guarantees organisational resilience. However, long term issues such as goodwill, reputation damage, loss of market share and customer confidence are not indemnified by such insurance.

There are certain risks that cannot be protected by insurance, but can only be managed by contingency planning. This is not to say that businesses should not have insurance covers, but it should not be the main strategy, hence, the level of insurance cover required should be subject to the outcome of the business impact analysis (BIA). It might interest you to know that developing a sound BCM strategy provides cost reduction to businesses in diverse areas especially with premium payments on Insurance. Sound BCM demonstrates to an insurer that an organisation is proactively managing its business risk. This is because, business continuity management helps to identify inherent business risks, and moreover, the ability of a business to recover and mitigate losses is often a requirement of insurance policies in most developed economies which should be the case across global business domains. Hence, organisations with comprehensive business continuity strategies are categorised as those with lower risk profile, as such this will help them in securing lower premium. Alternatively, the very exercise of embarking on a BCM programme may mean that you are confident enough to buy less business interruption insurance. 

Overall, the required operational resilience that will enhance sustainable business growth and operational efficiency is attained via Business Continuity Management.

http://www.femiadelakun.blogspot.com

Business Threats and the Hidden Cost of Down Time

The complexity of our business environment, coupled with our lack of clarity on where risk exists and how to measure it, makes it extremely difficult to know what we should be doing about business continuity.

This familiar complaint summarizes the challenges of putting together a comprehensive business continuity, availability, and security strategy. You need to understand all your business requirements, your risks, the impact of downtime, and the right balance of risk reduction versus cost for any new solutions you put in place. While high-impact disasters can put you out of business, events such as security breaches, viruses, hardware and software failures, human error, and inadequate IT processes more often threaten continuity and take a toll on the everyday performance of your business. IT service outages can also result from planned downtime or from business volatility, such as unpredictable peaks in IT demand and changes in the business model. It’s important to understand the full range of risks to your business and IT environment, and look at the impact if something goes wrong. Only then can effective planning begin.

Have you ever measured the cost of downtime to your key business applications and processes? If your online storefront goes down, it’s easy to measure the financial impact of lost revenue. But how do you measure the loss of credibility with your customers? If employees lose e-mail for an hour, the impact may be minimal, but as time goes on, the cost in lost productivity can increase exponentially. And what is the impact if data is lost? Lost customers, revenue, reputation, and shareholder value are likely results, and onerous regulatory fines and litigation costs may follow.

Findings shows that, downtime is costing large U.S. companies about  3.6% of their revenues per year, with manufacturing organizations losing $154 million (9% of revenue) and financial services organizations losing $222 million (16% of revenue), how much more Nigerian businesses with unestimated value in losses owing to down time. It is time we take a comprehensive strategy at mitigating downtime, there by enhancing operational resilience which has a positive impact on bottom line and efficiency. Each line of business has unique requirements for business continuity, availability, and security. However, at Uptime Consulting we will help you define your risks and needs, so you can make smart decisions about Business Continuity investment and why

Business Threats and the Hidden Cost of Down Time

The complexity of our business environment, coupled with our lack of clarity on where risk exists and how to measure it, makes it extremely difficult to know what we should be doing about business continuity.

This familiar complaint summarizes the challenges of putting together a comprehensive business continuity, availability, and security strategy. You need to understand all your business requirements, your risks, the impact of downtime, and the right balance of risk reduction versus cost for any new solutions you put in place. While high-impact disasters can put you out of business, events such as security breaches, viruses, hardware and software failures, human error, and inadequate IT processes more often threaten continuity and take a toll on the everyday performance of your business. IT service outages can also result from planned downtime or from business volatility, such as unpredictable peaks in IT demand and changes in the business model. It’s important to understand the full range of risks to your business and IT environment, and look at the impact if something goes wrong. Only then can effective planning begin.

Have you ever measured the cost of downtime to your key business applications and processes? If your online storefront goes down, it’s easy to measure the financial impact of lost revenue. But how do you measure the loss of credibility with your customers? If employees lose e-mail for an hour, the impact may be minimal, but as time goes on, the cost in lost productivity can increase exponentially. And what is the impact if data is lost? Lost customers, revenue, reputation, and shareholder value are likely results, and onerous regulatory fines and litigation costs may follow.

Findings shows that, downtime is costing large U.S. companies about  3.6% of their revenues per year, with manufacturing organizations losing $154 million (9% of revenue) and financial services organizations losing $222 million (16% of revenue), how much more Nigerian businesses with underestimated value in losses owing to down time. It is time we take a comprehensive strategy at mitigating downtime, there by enhancing operational resilience which has a positive impact on bottom line and efficiency. Each line of business has unique requirements for business continuity, availability, and security. However, at Uptime Consulting we will help you define your risks and needs, so you can make smart decisions about Business Continuity investment and why

Is your business at risk?

There are many risks that can affect an organization's ability to continue their day to day biz and these can affect organization of all size across all sectors both directly and indirectly. Recent research conducted by  London chamber of commerce  reveals that over 70 % of small business in UK often do not consider the  risk they are exposed to as well as do not have contingency and continuity plan in place to mitigate such risk.

More often than none, businesses are usually caught up with it this “it cant happen to us” syndrome and  has even become a major challenge for businesses especially small and medium sized business in developing strategies to protect them against the risk that challenge their continuity. In the past organisations have witnessed and experience crisis event that had severe impact of their critical assets. You might say my business is not exposed to any disaster or risk event. This is absolutely incorrect, the truth and the fact is all business at some point will face events that challenge their continuity. However, let me remind you that crisis is no respecter of the size of your business, when it strikes, it has both micro and macro impact on your business. The dynamic and ever changing environment where we operate has called for a more strategic consideration for business leaders to begin to plan for the unexpected. Lack of preparation for the unexpected event can severely disrupt the operation, continuity, and effectiveness of your business as disabling events can come in all shapes and varieties. They can vary from the more common calamities like hard drive corruption, building fires or flooding to the rarer, yet more severe and often longer lasting disruptions that can occur on a city-wide or even national basis; events such as disruptions in transport (bomb attack, oil crises, metro shut-downs, transport worker, strikes, etc.), infrastructure weakening from terrorist attacks, or even severe loss of staff due to illness like a pandemic flu. All of these strike a blow at an organization's struggle for business continuity.

For small businesses the impact of the above mentioned and even lesser disasters can hit much harder. For example, unexpected non-availability of key workers alone could be catastrophic, potentially causing as much disruption to business continuity as technological hardship, especially if it occurs during the height of the company's busy season. If only one person is trained to do particular and/or essential tasks, their unexpected absence can severely disrupt productivity and efficiency.

Drawing inference from the case of Noah in the Bible, he and his family were able to survive the disastrous event of the flood that took over the entire world, not basically because he was a child of God, but because he was proactive and planed for the flood. This holds true in planning for the unexpected even though, Noah had expected the flood, but when it will happen he did not know. He was able to survive because of his pro-activeness to the anticipated event.

The question for business leaders today is what steps or strategies are you putting in place to protect your business, your investments and business reputation? 

Think about this. It is better late than never, because risk is inevitable for all business. Thus, developing strategies for your  business continuity will prepare your business for any potential disaster, crisis or incident and help ensure that you will be able to maintain continuity of your business practices, and reduce or even possibly remove the impact such calamities could have on your business. Not only will your data, hardware, software, etc., be better protected, but the people that compose your organization will be better safeguarded; financial losses and reputation damage will be avoided. In addition, you and your employees will be informed and rehearsed as to what actions to take to immediately start the recovery process and ensure business continuity if disaster strikes.

With so many potential business disasters and disruption in the hanging and dynamic environment businesses operates today, it seems unwise not to take actions to prepare for and try to prevent the devastating impact of any catastrophe.

THE CASE FOR BCM - Its relevance to the Nigerian Business

THE CASE FOR BCM - Its relevance to the Nigerian Business

For Nigeria, the relevance of BCM should increasingly become an issue of concern for proactive, forward thinking and strategic organisations. Many Nigerian organizations ignore business continuity management or are ignorant of the need for this initiative for a number of reasons considering that, Nigeria as a whole is not prone to natural disasters such as earth quakes, tsunami and hurricane, forgetting that crisis or disruption is not limited to natural disasters. It is important to note that business disruption are not limited to natural disasters, but its causes are multifaceted including human generated interruptions. The British standard (BS25999) identifies a range of internal and external risks that could negatively impact on the operations of organizations; including fire   outbreak, system failure, power outages, flooding, industrial action and strikes, succession failures, communication failure and any other events.

For instance the flood experienced in Nigeria over the past three (3) years is an indication that time and season are changing, the unimaginable is becoming imaginable, and the unanticipated is becoming reality. However, Nigeria in recent past has not witnessed such a degree of rain storm. Reports had it that most offices became inaccessible especially in Lagos, properties were destroyed, lives were lost and business activities became paralysed. In 2010, the flooding displaced more than two million people and inn 2011 over 102 people were believed to have died from the flood.  In 2012, NEMA figures show that 7,705,000 people were affected by the flood between July 1 and October 31 2012 with death figures of 398 people. In Kogi sate for example, the most recent flood disaster rendered more than 600,000 people homeless. Property worth more than 2billion naira was lost and business and commercial activities were paralysed especially those involved in fishing and rice farming. The education sector was equally affected as some primary schools were shut down due to the sinking of school infrastructures and facilities.

This event will have a life time impact on business and families affected. Most importantly, businesses locate on the island close to the sea metropolis should begin to strategically think of the worst case scenario as experienced in Japan drawing inference on the fact that the Japan earthquake erupted from the sea.

Again, the trend and frequency of bombings in Nigeria in recent times should be a wake up call for Nigerian organisations. Yes some businesses might say they are not affected by the bombings as they are not located in the northern region. This is very short sighted because no one knows when Lagos or their region will be the next city of attack. It is therefore necessary to take a proactive approach to planning and preparing. Between October 2010 and March, 2013, Nigeria had witnessed over twenty different bomb attacks and explosions by terrorist in different locations with notable attacks on the United Nations office, police headquarters, Kaduna attacks as well as the Christmas day bombings in Abuja. For example the bomb attacks in the northern region of Nigeria will have a life time impact on business, lives and families affected. Also communication network Giant, (MTN) was equally affected, its network mast were been bombed which significantly interrupted its service delivery as it became a crisis they had to deal with. Not only were they losing customers to competitors, they incur substantial losses, reputation and brand damage. These losses were as a result of the absence of business continuity strategy. However, if business continuity management strategies were in place, this would have reduced the impact of such event.  Not only has Nigeria recorded loss of lives and property as a result of these events, but these events have strategic implications for businesses and the nation as a whole. From the international community, Nigeria is gradually becoming a terrorist environment and this has a direct implication for foreign investments.

Furthermore, the recent Dana crash as well as its emergency response clearly shows the absence of BCM in the aviation industry and lack of coordination amongst emergency agencies in Nigeria. This should indeed be a wake up call for the air force being a major stakeholder in the aviation industry and the Nation as a whole. The crash and its responses thereto send a negative signal to the public and to the international community on the effectiveness and preparedness of the air force, emergency agencies and the aviation industry at large.  This then becomes imperative for the Nation to embrace Business continuity management, plan for different kind of disaster with a view accord importance to continuity planning in the budgets.

The wide-spread of eminent incidents, frequent bombings and terrorist attacks as well as the recent flooding in Nigeria have served to heighten the priority for embracing BCM initiatives, underlining the substantial risk of major operational disruptions to business and operations. The impacts of these crisis events should provide some impedance for a more recognition and acceptance of BCM initiative as a strategic function both in the public and private sector.