As terrorist bombs rocked London on July 7, Steve Mellish, head of business continuity at J Sainsbury, activated the UK supermarket’s emergency responses.
Key executives and IT personnel convened a crisis meeting to discuss safeguarding employees and securing essential operations. Security was tightened at J Sainsbury central London headquarters and delivery vehicles caught in the traffic gridlock gripping London were ordered back to the nearest depot. Stores near the bombsites were evacuated.
Developments were relayed to head office staff by using the public address system.
It was all in a day’s work for Mr Mellish, one of an emerging breed of corporate officers charged with reducing companies’ exposure to multiplying outside threats and, if their systems are hit, invoking a fall-back plan.
He had a busy 2005. Since the July London attacks alone, Mr Mellish and his three-person business continuity team have mobilised against potential disruptions to the J Sainsbury Edinburgh operations from demonstrations against the G8 summit, the failed July 21 bomb attacks in London, a fuel crisis and a Brazilian beef recall. Now he is dealing with the looming spectre of avian flu and the personnel implications should pandemic strike.
In a way actuarial tables never could, the litany of recent disasters has viscerally brought home to companies that bad things do happen, and underscored the importance of sound contingency planning.
“World events have focused companies on business continuity planning,” says Rich Cocchiara, chief technology officer in IBM’s business resilience and continuity services practice.
Headline-grabbing elemental catastrophes such as the Asian tsunami and Hurricane Katrina or terrorist outrages such as the September 11, 2001 attacks on the US and the 2004 Madrid bombings have left companies rattled. However, the rising tide of hacking intrusions and computer viruses, besides mundane, everyday wildcards such as power outages, IT failure, fire and good old-fashioned human error, pose the greatest operational risk, say experts.
Large companies face one security breach, virus or hacking incident, with the potential to cause major business disruption, every three days, estimates Dean Lamble, worldwide director, business continuity and availability services, at Hewlett-Packard.
So-called disaster recovery planning is a long-established cost of doing business among financial services companies crunching time-sensitive data and high transaction loads, facing a correspondingly high cost from enforced downtime.
But the increasingly IT-intensive nature of business has dramatically increased the stakes of emergency planning across the economy.
So, 16 per cent of US companies hit by disaster incurred daily losses from $100,000 to $5000,000, a study released in September by US telecommunications carrier AT&T found.
Yet the AT&T survey, and a similar poll of UK businesses conducted this summer by Cable and Wireless, the UK telecommunications company, revealed woeful complacency.
Almost a third of US companies and 37 per cent of mid-sized UK companies said they had no business continuity plan. More than 40 per cent of US firms said they had no redundant servers or other standby capability, while 38 per cent of UK firms said they did not replicate data off-site.
It could be “disaster fatigue”, but Mr Mellish suspects companies remain reluctant to invest in mitigating hypothetical risk, despite evidence it could represent a ruinous false economy.
The apparent negligence reflects business continuity planning’s reputation as complicated and pricey, adds Mr Mellish, also chairman of the Business Continuity Institute.
“There’s a job to do getting across that it’s actually very simple common sense.”
Companies can easily fit employees with home working capabilities by issuing take-home laptops, notes Mr Lamble – a provision just one-third of UK companies surveyed by Cable and Wireless had made.
Business continuity vendors such as IBM, Hewlett-Packard and SunGard Availability Services offer remote back-up datacentres that automatically kick in if customer sites are incapacitated, so operations are not affected.
But they are also turning things around by couching bundled business continuity services – straddling firewalls, virus-throttling software and off-site redundancy – as a way to maximize uptime and gain competitive edge. “It‘s about asset optimisation,” explains Mr Cocchiara.
That is something Mr Mellish can identify with. Walking through central London on July 8 and encountering a functioning J Sainsbury amid rows of shuttered businesses showed the company’s punctilious business continuity planning had paid off, he recounts: “We were the only retailer to stay open for normal hours.”