Iain McLaren/Avoiding the business continuity trap

Created 5 Aug 2024 Modified 5 Aug 2024

Avoiding the business continuity trap

Real business continuity for critical industries like banks, hospitals, and government organisations

The challenge: Are we really ready for disaster?

We do a lot of work to assist banks and other financial service providers, hospitals, and government services organisations. To operate, these critical organisations need to have plans in place to deal with disasters.

These organisations rely on the services of their most critical suppliers. If the organisation does not have a robust continuity plan in place, it can be catastrophic if those suppliers stop providing their services for any reason, including natural disasters, wars, the supplier becoming insolvent, or (and I have seen this) the supplier just deciding to stop providing the service.

The symptom: Leading with business continuity tools instead of a business continuity solution

There are a number of tools that I see customers commonly throw at this problem, such as (for technology suppliers):

  • building a ‘step-in’ process into supplier agreements that allows the customer to take over the management of a critical service provided by a supplier;
  • storing the source code of the supplier’s software in escrow so the customer can (in theory) fix bugs if there is a major problem with the supplier’s software; and
  • requiring the supplier to provide functionality allowing the customer to download all of its data from the supplier at any time, including when the customer wants to stop using the supplier.

The challenge is that, for most customers, the above may not allow the customer to get back up and running quickly and cost-effectively.

The trap: Most customers cannot take over and run supplier services themselves

The main reason why organisations use third party service providers for critical services is that they cannot provide or perform these services themselves. For example, some of the best technology security people I know work in hospitals. These people would never try to run a critical data centre themselves. They don’t have the expertise. That’s why they pay the suppliers.

In practice, this means that:

  • other than for the most sophisticated organisations, having access to the source code of the software doesn’t help;
  • if the supplier is insolvent or just stops providing the service that we use, there is nothing useful to ‘step in’ and take over; and
  • if the customer has not downloaded the latest copy of the customer’s critical data before the supplier’s servers are switched off, then this data may be lost forever.

The solution: Ensure that a single empowered manager is responsible for implementing the continuity plan and dealing with disasters

How do we get up and running again as quickly and cost-effectively as possible without our key suppliers? While the solution can be complex, I see this done well when a single manager within the customer’s organisation is responsible for developing and maintaining the business continuity plan.

For example, from a technology perspective, this often boils down to answering the following questions:

  • How do we ensure that we always have access to a copy of our critical data even if our supplier disappears overnight?
  • Is this data in a format where we can import it into the technology systems of competitors of our supplier?
  • Can we run things manually, such as by using spreadsheets, in the meantime?

Put simply, organisations can get into trouble when a single empowered manager is not on the hook. The best managers are able to answer these questions, are able to explain the solution in simple terms, and are ready to deal with disasters when they happen.