The aftermath of 11 September has highlighted the importance of disaster recovery plans, say Rory Graham and Nick Simms
Most of us can remember what we were doing when the news reached us of the attack on the World Trade Centre last September. Suddenly, the words 'disaster recovery' hit home for many companies - this was the first time the need for business continuity planning really made sense.
Since last September, many anecdotal stories about inadequate business continuity plans have come to light. For example, businesses found their back-up facilities had been double booked or there were serious breaches of security. Here in the UK, many discovered that their disaster facilities were sited in inappropriate locations, such as close to London's Canary Wharf - a potential target for terrorists.
There is a real need for business continuity in terms of giving added value to both insurers and their clients. It encompasses disaster recovery, but goes well beyond it. In addition, many businesses have a regulatory duty to ensure they have a business continuity plan and it appears that the Financial Services Authority will be closely scrutinising financial services companies for such plans in the near future.
Many people regard business continuity as a form of insurance. In reality, it is different, but complementary. Business continuity is actually a management technique for developing and ensuring the ownership of policies, procedures and plans that enable an organisation to continue to meet the key needs of its stakeholders at all times, whatever the circumstances. In other words, good business continuity reduces the likelihood and impact of potential disruptions and ensures that critical processes can be resumed quickly - when prevention fails or, as on 11 September, when prevention is outside the control of the organisation.
Chief executives suddenly became interested in disaster recovery as a result of 11 September but, where the wider implications were not grasped, this interest quickly disappeared. Many disaster recovery suppliers, far from benefiting from the tragic events in New York, found the final quarter of 2001 to be one of the most difficult.
Firstly, insurance brokers must get their own house in order. This means embedding business continuity into the culture of the organisation. The starting point for this process is senior management commitment.
Other key elements include identifying the contractual, legal and regulatory obligations of the firm and assessing the financial and reputational impact of non-performance for any reason. They should also develop strategies both to reduce the likelihood and size of disruption and to ensure the rapid restoration of at least a minimum level of service within the narrowest possible timeframe.
They should also keep strategies under constant review to meet the changing shape and requirements of the business and test procedures and plans to ensure that assumptions are valid and plans work.
Secondly, brokers need to encourage their clients to embed business continuity into their culture. Instead of taking copies of clients' disaster recovery plans to show insurance underwriters, brokers should be asking for evidence that business continuity is part of the ongoing management of the business and that testing of the disaster recovery plans is regular and thorough.
Brokers should confirm with clients that any recovery sites are far enough away from the normal locations not to be affected by the same disaster. In addition, they should ensure clients have checked how many times any suppliers of shared disaster recovery services have resold the facilities and how the vendor will allocate resources when demand might exceed supply. This is particularly relevant for large-scale disasters such as 11 September, or the Bishopsgate bomb in the City of London, when many companies sought to invoke recovery plans simultaneously.
The third implication is that brokers should encourage clients to re-examine their business interruption insurance (BI) in the light of their business continuity. Too often, BI and business continuity are developed in isolation, yet both can be used for managing risk. There are, however, far more interesting opportunities. For example, a tried and tested disaster recovery plan might enable the client to restructure its BI cover. Even better, a convincing approach to business continuity might reduce overall insurance premiums.
Brokers should therefore see business continuity as a means of becoming closer to their clients and developing and preserving long-term relationships with substantial benefits on both sides.
Business continuity v disaster recovery
From an underwriter's perspective, good business continuity has three benefits. First, it reduces the likelihood of an insurance claim by reducing the risk of disruption. Second, it shrinks the size of any claim by ensuring the victim is able to recover quickly and it ensures that the victim becomes operational quickly. Finally, this in turn helps to protect their reputation and cash flow, and ensures continuity of premiums.
Unfortunately, in practice good business continuity is rare. Instead, most organisations focus their efforts entirely on the disaster recovery element and do nothing to reduce the likelihood and impact of disruption. While this approach appears to provide the underwriter with the second and third of the benefits described above, in practice it does not.
Disaster recovery, as the name suggests, is concerned with recovering from major catastrophes, not preventing operational incidents or creeping failures. As a consequence, it is not seen to provide value on a day-to-day basis. Management is therefore unwilling to invest time and money in something that provides the prospect of little return, particularly when budgets are tight. Consequently, staff are unwilling to invest time validating the assumptions behind the plan and to participate in testing.
This vicious circle means organisations that focus solely on disaster recovery rather than the wider business continuity aspects have little confidence in the plans and, if invoked, the plans tend not to work well, if at all. Disaster recovery might usefully be seen as the equivalent of waiting until your teeth have fallen out before investing in an electric toothbrush.
Rory Graham is a partner at Osborne Clarke, and Nick Simms is a director at Cornwood Risk Management