‘Mundane’ risks drive business continuity planning
While businesses worldwide are being reminded of the risks posed by terrorism, it is the more mundane – and likely – problems of power outages and system failures that are driving companies to implement business continuity plans.
This is one of the key findings of KPMG’s research into business continuity planning, based on a 73-question survey of 249 organisations in the Asia Pacific region. The Asia Pacific Business Continuity Management Benchmarking Survey found that more than one in three companies – 37 per cent – believed their level of risk exposure had increased because of the rise of terrorism. Nine per cent had directly or indirectly experience of terrorist activities, but the number affected by hardware, software and communications failures was much greater.
The report notes that typically, companies implemented
ITsystem focused business continuity plans as a response
to the Year 2000 software threat and have now had to consider
other risk types, such as health (SARS), and physical (terrorism).
Peter McNally, Asia Pacific security partner at KPMG, said
directors were turning their attention to terrorist risks, “but
down on the ground the more likely IT failures were driving
business continuity planning”.
The survey found that executives often don’t understand their companies’ supply chain relationships, he added. A further worry is that the average tolerance of system failures or power outages was thought to be seven hours or less. “There was this great swag of companies that thought if they could recover from a failure in seven hours or less, they would be OK,” Mr. McNally told TBI. "Problem was, they didn’t know how much a failure costs for each hour of downtime. So how do you really know it was seven hours or less?” This uncertainty also meant that companies did not know how much money they should be spending on continuity planning.
While 93 per cent of respondents reported they were aware of risks to their business, only 58 per cent performed regular risk assessments, and less than 45 per cent had disaster recovery or crisis management plans.
KPMG defined an evolution from rudimentary crisis management plans through disaster recovery, to business continuity plans. Mr. McNally said even when companies claimed to have full business continuity plans in place, the survey revealed they often fell short of what was required by failing to include plans for testing, which can range from role-plays and workshops through to full simulations of disasters.
Another shortcoming was failure to consider the impact of downtime or system outages at key – especially sole – suppliers. “We found that very few organisations considered this a due diligence issue when they were engaging key suppliers.” One strategy was simply to arrange alternative suppliers but increasingly, specialisation made it necessary to collaborate with suppliers, Mr. McNally said.
“If you’ve got a key supplier and you’re depending on interconnectivity of systems in the supply chain, then you should be looking at data links and make sure you’re doing all that you reasonably can to make sure systems are robust. You might also need to consider the risk from the supplier’s supplier.”
The Asia Pacific Business Continuity Management Benchmarking Survey also found:
- 74% of companies manage business continuity as a corporate or risk function outside the IT department – considered best practice;
- almost one in three organisations did not or rarely reviewed or tested them; and
- 81% of organisations said they had enhanced their business continuity plan because of current world events.