Canadian firms admit they should be doing more about business continuity, so why aren’t they?
Written by Vawn Himmelsbach, on 26-10-2007 13:22
Average user rating
(0 vote)
Manitoba suffered almost a dozen tornado touchdowns in June, including a nasty twister that wrecked havoc in the town of Elie, only 35km from Winnipeg. The province is also a prime target for ice storms and power outages due to severe weather.
“We’re not going to get hurricanes or earthquakes here, but beyond that, all bets are off,” says Guy Corriveau, director of disaster management with the Winnipeg Regional Health Authority.
Winnipeg is built around a train track, and CN alone carries 80,000 loads of dangerous goods through the city every year – and that doesn’t include dangerous goods from other carriers. The city also has a Level-4 virology lab. “The lab itself doesn’t present a threat, but how do you think Ebola gets in and out of that lab?” he says. “And it’s downtown Winnipeg.”
While the city may not be known for pandemics or terrorism, it’s had to deal with accidents surrounding the transportation of biologics, planes landing on downtown streets and two train wrecks in the past five years. “I’m not sure we should care whether it’s a bad guy or not a bad guy,” says Corriveau. “What we’re primarily concerned about is consequence management.”
Business continuity involves a lot more than backing up data. In the
event of a pandemic flu, how do you continue providing health services
if a third of your staff is not there? If the streets are flooded, how
can an ambulance navigate its way through the streets?
The WRHA has a detailed business continuity plan in place to keep
operations up and running in the event of a disaster. But many Canadian
organizations still don’t plan for disasters, even though they admit
it’s their biggest concern. If the risk is so high, why isn’t it a top
priority?
They know they should be doing more about business continuity but
aren’t following through, says David Senf, director of Canadian
security and software research with IDC Canada. Only 25 per cent of
Canadian firms have a plan that’s regularly tested, according to a
recent survey. Roughly four per cent of IT budgets are currently
allocated to business continuity, which includes hardware, software,
services and internal labour. But firms believe it should be much
higher than that — about 90 per cent higher (at around seven per cent
of their total IT budget).
“Most firms in Canada do not have a fully implemented and tested
business continuity plan,” says Senf. “That being says, most firms have
some level of planning in place in an ad hoc sense.” But roughly 15 per
cent of firms have no plan in place whatsoever.
This is because they don’t have the available budget, nor the policies
in place that would help govern how many resources are allocated to
business continuity planning.
Another issue is that management isn’t as responsive as it could be.
“That’s why they aren’t getting the budget, that’s why the policies
aren’t in place, that’s why they’re doing ad hoc plans and untested
plans,” says Senf.
The survey found that Canadian firms are more concerned with small
disruptions than large-scale pandemics and terrorist attacks. But they
have an inability to differentiate between threats, and this is a
contributing factor to the lack of commitment to business continuity
planning.
“Firms have to get better at understanding what the impacts are, and
that comes down to doing threat modeling,” says Senf. This involves
looking at all vulnerabilities to all systems in all areas of the
business and what possible threats could exploit those vulnerabilities.
A computer virus, for example, may be less damaging than a disgruntled
employee. “If a firm is doing an ad hoc plan it’s hard for them to
identify what those big threats are,” he said.
What Canadian business leaders identified as their biggest risks were
IT system failures, security breaches, power outages, fires, weather,
employee theft or damage, pandemics or diseases, terrorism and
earthquakes.
“What’s the biggest threat? Us,” says David Dobbin, president of
Toronto Hydro Telecom, which provides redundant network capacity and
data transport to clients in the Toronto area.
“[We] know all these things are out there, yet 90 per cent of firms
identify they’re under-spending on disaster recovery today,” he says.
If they don’t have a plan that’s been tested to ensure it actually
works, it’s no better than not having a plan in place at all.
Firms should develop a high-level plan that identifies their biggest
issues, he said, and conduct a risk assessment that looks at which of
their assets are most vulnerable and need to be protected. They should
then look at whether they have the capabilities to do this in-house; if
not, they should look for an outside provider.
Larger firms, however, appear to be more prepared than their smaller
counterparts. In a recent survey of Canadian executives in the Toronto
area, AT&T found that 77 per cent have a business continuity plan
in place, 54 per cent of which have been updated in the past 12 months.
This isn’t surprising, considering SARS, the blackout in Ontario and
the ice storm in Montreal, says Dave Deneaux, general manager of
AT&T World Services Canada. These occurrences may have sparked them
to take business continuity more seriously – but 21 per cent of those
surveyed still don’t have a business continuity plan. And while 31 per
cent of respondents have actually suffered from a natural or man-made
disaster, 34 per cent don’t consider business continuity a priority.
“The bottom line is they have to make sure they have a plan in place,”
says Deneaux. “They have to make sure it’s not static, that it’s a
dynamic plan and it’s constantly being tested.” Firms will develop a
plan and test it once, but then their environment changes (say, for
example, they move over to a voice-over-IP environment or converged
network) and oftentimes they don’t adapt the plan (17 per cent of
respondents have never actually tested their plan). When you make these
changes, you need to reevaluate your business continuity plan because
it changes the structure of your business, he says.
And this is an ongoing process. “What we’ve been doing is pouring the
concrete and establishing the best possible foundation we can in order
to provide health services in the face of disasters,” says WRHA’s
Corriveau.
In 2002 the WRHA created the director of disaster management position
and built a plan based on the American National Fire Protection
Association 1600 Standard. It also established a management structure,
which was a huge undertaking, considering about 27,000 people are
involved with the WRHA. During a hazard assessment and vulnerability
analysis, it came up with its top three priorities: the outbreak of a
global pandemic, a dangerous goods incident and severe weather.
Canada has undertaken an effort to develop a Canadian version of the
1600 Standard. “In the Health Act there’s a conspicuous absence of
disaster management,” says Corriveau. “It’s more of a voluntary
practice.” If business continuity is legislated here, he added, getting
buy-in from management would no longer be an issue.
(0 vote)
