In a previous blog in this series, we spoke a little about the importance of Business Continuity exercising from the viewpoint of business users. Because it’s so important we would like to tie up this series themed around the cost of doing/ not doing Business Continuity Management by expanding the discussion look at the ICT Service Continuity exercising dimension.
In an earlier blog we mentioned the importance of ICT and business working together, but the reality is that most organisations still have a long way to go in achieving this. One common problem that can manifest, is that when the business specifies that process A has be recoverable within, say, two days, ICT plans for two days without taking into account that the total 2 day timeframe has to include the recovery of the people who make the process happen—and where they will work.
The ICT and Business Continuity teams thus have to work closely in developing their plans, and the same principle holds true in exercising.
The second key point we want to make is somewhat more contentious. In the previous blog on exercising, we indicated that the ability to test the Business Continuity Plan in a flexible mannner was vital, partly because companies are risk-averse, and shy away from running a full interruption exercise. Their concerns are understandable and, for many, the risk of running a full interruption exercise on which something does go horribly wrong is too high, especially considering that the chances of a full interruption event actually happening are low.
However full-scale exercising of the ICT environment should at least be seriously considered when the stakes are high and time urgency is a key driver. The point is neatly illustrated via the Tale of Two Banks.
Bank A takes its ICT Service Continuity very seriously and periodically switches off its production servers and runs on its ICT Service Continuity systems for a full week. When the fateful day did eventually arrive, Bank A suffered a very public and massive IT outage, but it was able to get its systems up and running within five hours and ran on them for three months while its data centre was reconditioned.
Bank B, suffered the same problem and took a whole day to get back up—and was sued by its clients for nearly R1 billion for lost business. In the banking industry, minutes, not hours can cause irreparable damage to the organisation – financial, reputationally and in lost productivity.
The former had actual experience of what to do, and had used the opportunity of its periodic exercising to hone its performance; the latter had state-of-the-art equipment and facilities but no practical experience.
The Tale of Two Banks clearly demonstrates the return on investment that organisations can achieve if they put in the time and effort to prepare for, and exercise their ICT and Business Continuity solutions.
If you are interested in learning more about our tailored training and exercising solutions, please contact ContinuitySA on +27 11 554 8000 or click here and we will contact you.