Time to review your business continuity plans?
Andy Jones, 21st January 2009
In the light of the recent events in Mumbai, the increasing threat of terrorism and civil unrest, and the potential disruption arising from the Satyam scandal, companies are likely to be dusting off their business continuity plans to ensure that they are robust and up to date.
This is especially the case where companies have offshored parts of their organisation and particularly where those functions are located in India. Management will be asking themselves whether they will be able to continue their normal operations in the event of a terrorist attack, civil unrest or other unforeseen event in the vicinity of their offshore operations. As was seen in the case of Mumbai, events can move very quickly, leaving management with little opportunity to react. Plans have to be thorough, well thought through and regularly tested.
Whilst most contracts with offshore suppliers have detailed clauses covering the requirements for disaster recovery plans and facilities, how many companies have actually reviewed those plans in detail or, indeed, tested them thoroughly to ensure that they will be adequate if invoked?
Often, action is only taken to implement robust plans after an event. The severe flooding in Mumbai in July 2006 almost caused a major US bank to shut down after its data centre in the city was paralysed and its Florida operations were hit by a hurricane at the same time. Many companies, including Telekurs and Cap Gemini, opened operations in other locations as a direct result of the disruption.
One UK payroll outsourcing company was much more prepared when the explosion at the refinery in Hemel Hempstead in December 2005 wiped out their headquarters. They were up and running again within hours and were able to maintain services for their clients. This was a direct result of robust, tested business continuity facilities and planning.
There are many factors to take into account but here are a few questions that might be worth considering:
- Have detailed plans been prepared and copies provided to all employees?
- When were the plans last reviewed?
- Is it clear which activities will continue in the event of invocation and which will be suspended?
- Where will those activities to be continued be performed?
- How will staff travel to the disaster recovery site? Will it be possible to reach the site?
- Is all your data regularly backed up and accessible in the disaster recovery site?
- Do your management and staff know who to call in the event of a disaster?
- Does the third party vendor require all its suppliers to have adequate plans in place?
Whilst many of these questions might seem common sense and the answers taken for granted in most organisations in developed countries, when applied to offshored operations they often need an expert view with local knowledge and experience of the supplier.
When you have outsourced functions to a third party supplier, how do you know whether adequate plans exist and how seriously they are taken by management and staff? How do you know how often plans are reviewed and thoroughly tested? How do you know whether the alternative site is in a suitable location and that staff, equipment and data can quickly be recovered? In a country the size of India, how long would it take to get staff from one major city to another in the event of serious terrorism, unrest or natural disaster? Would airports be open and would your staff be able to get flights? Indeed, could they even reach the airport?
The Satyam scandal raises even more questions and will be making companies think long and hard about the financial stability of their suppliers and what they would do if they become insolvent. How do you ensure that vital functions and services are maintained if the supplier is unable to continue in operation? Should companies be contracting with alternative vendors for business continuity purposes so that they don’t have all their eggs in one basket?
These are all issues that require expert advice and independent review. After all, management are ultimately responsible for their disaster recovery plans, even when functions have been outsourced. This is particularly the case for regulated financial services companies; for example, the UK’s FSA handbook states:
“If a common platform firm outsources critical or important operational functions or any relevant services and activities, it remains fully responsible for discharging all of its obligations under the regulatory system” (SYSC 8.1.6)
and specifically,
“the firm and the service provider must establish, implement and maintain a contingency plan for disaster recovery and periodic testing of backup facilities where that is necessary having regard to the function, service or activity that has been outsourced.” (SYSC 8.1.8 (11))
It is very easy for management to sign an outsourcing contract, transition the work and then sit back and assume that everything is being taken care of by the supplier, but this is just not good enough. In this day and age, they need to be pro-active about their disaster recovery plans and regularly review the arrangements at their suppliers. After all, do you want to be the CFO, CIO or HR director that has to explain to your Board or the regulators why you were unable to submit your accounts or regulatory returns on time, or why your IT systems were down for an extended period, or why your suppliers or staff were not paid? Such events can have a crippling effect on a company, which most organisations can ill afford in today’s economic environment.
If you need assistance with any of the issues discussed in this article, Alsbridge plc would be delighted to assist. We have the expertise, knowledge and tools to ensure that you are well prepared for all eventualities and are the only truly independent adviser in the outsourcing market. Please feel free to contact the author, Andy Jones on +44 (0)20 7242 0666 or via email at andy.jones@alsbridge.eu





