Blind faith

Business continuity involves a lot more than backing up data. In the
event of a pandemic flu, how do you continue providing health services
if a third of your staff is not there? If the streets are flooded, how
can an ambulance navigate its way through the streets?

The WRHA has a detailed business continuity plan in place to keep
operations up and running in the event of a disaster. But many Canadian
organizations still don’t plan for disasters, even though they admit
it’s their biggest concern. If the risk is so high, why isn’t it a top
priority?

They know they should be doing more about business continuity but
aren’t following through, says David Senf, director of Canadian
security and software research with IDC Canada. Only 25 per cent of
Canadian firms have a plan that’s regularly tested, according to a
recent survey. Roughly four per cent of IT budgets are currently
allocated to business continuity, which includes hardware, software,
services and internal labour. But firms believe it should be much
higher than that — about 90 per cent higher (at around seven per cent
of their total IT budget).

“Most firms in Canada do not have a fully implemented and tested
business continuity plan,” says Senf. “That being says, most firms have
some level of planning in place in an ad hoc sense.” But roughly 15 per
cent of firms have no plan in place whatsoever.

This is because they don’t have the available budget, nor the policies
in place that would help govern how many resources are allocated to
business continuity planning.

Another issue is that management isn’t as responsive as it could be.
“That’s why they aren’t getting the budget, that’s why the policies
aren’t in place, that’s why they’re doing ad hoc plans and untested
plans,” says Senf.
The survey found that Canadian firms are more concerned with small
disruptions than large-scale pandemics and terrorist attacks. But they
have an inability to differentiate between threats, and this is a
contributing factor to the lack of commitment to business continuity
planning.

“Firms have to get better at understanding what the impacts are, and
that comes down to doing threat modeling,” says Senf. This involves
looking at all vulnerabilities to all systems in all areas of the
business and what possible threats could exploit those vulnerabilities.
A computer virus, for example, may be less damaging than a disgruntled
employee. “If a firm is doing an ad hoc plan it’s hard for them to
identify what those big threats are,” he said.

What Canadian business leaders identified as their biggest risks were
IT system failures, security breaches, power outages, fires, weather,
employee theft or damage, pandemics or diseases, terrorism and
earthquakes.
“What’s the biggest threat? Us,” says David Dobbin, president of
Toronto Hydro Telecom, which provides redundant network capacity and
data transport to clients in the Toronto area.

“[We] know all these things are out there, yet 90 per cent of firms
identify they’re under-spending on disaster recovery today,” he says.
If they don’t have a plan that’s been tested to ensure it actually
works, it’s no better than not having a plan in place at all.

Firms should develop a high-level plan that identifies their biggest
issues, he said, and conduct a risk assessment that looks at which of
their assets are most vulnerable and need to be protected. They should
then look at whether they have the capabilities to do this in-house; if
not, they should look for an outside provider.
Larger firms, however, appear to be more prepared than their smaller
counterparts. In a recent survey of Canadian executives in the Toronto
area, AT&T found that 77 per cent have a business continuity plan
in place, 54 per cent of which have been updated in the past 12 months.

This isn’t surprising, considering SARS, the blackout in Ontario and
the ice storm in Montreal, says Dave Deneaux, general manager of
AT&T World Services Canada. These occurrences may have sparked them
to take business continuity more seriously ”“ but 21 per cent of those
surveyed still don’t have a business continuity plan. And while 31 per
cent of respondents have actually suffered from a natural or man-made
disaster, 34 per cent don’t consider business continuity a priority.

“The bottom line is they have to make sure they have a plan in place,”
says Deneaux. “They have to make sure it’s not static, that it’s a
dynamic plan and it’s constantly being tested.” Firms will develop a
plan and test it once, but then their environment changes (say, for
example, they move over to a voice-over-IP environment or converged
network) and oftentimes they don’t adapt the plan (17 per cent of
respondents have never actually tested their plan). When you make these
changes, you need to reevaluate your business continuity plan because
it changes the structure of your business, he says.

And this is an ongoing process. “What we’ve been doing is pouring the
concrete and establishing the best possible foundation we can in order
to provide health services in the face of disasters,” says WRHA’s
Corriveau.

In 2002 the WRHA created the director of disaster management position
and built a plan based on the American National Fire Protection
Association 1600 Standard. It also established a management structure,
which was a huge undertaking, considering about 27,000 people are
involved with the WRHA. During a hazard assessment and vulnerability
analysis, it came up with its top three priorities: the outbreak of a
global pandemic, a dangerous goods incident and severe weather.

Canada has undertaken an effort to develop a Canadian version of the
1600 Standard. “In the Health Act there’s a conspicuous absence of
disaster management,” says Corriveau. “It’s more of a voluntary
practice.” If business continuity is legislated here, he added, getting
buy-in from management would no longer be an issue.