- Pricing and telematics lead the charge as insurtech patents jump 40pc
- FCA puts general insurance pricing practices under review
- Volvo and Baidu reach agreement to produce autonomous vehicles
- Cyber and D&O exposures increasingly intertwined, Airmic report finds
- Arch selects Touchstone for cat risk modelling
A case for continuity
Written by David Adams
The narrative of the past ten years will be familiar to all our readers: a series of events, from Y2K through 9/11, Foot & Mouth and Buncefield to swine flu, which have collectively helped galvanise attitudes and lifted the industry's profile. How has this shift manifested itself among FTSE 100 companies?
The problems faced by Severn Trent Water following the severe flooding in the UK during 2007 were themselves potent symbols underlining the importance of contingency planning. But within the company, the actions taken to solve those problems wouldn't be seen as business continuity operations. "Internally we see that as emergency planning," says Jim Smith, resilience programme manager at Severn Trent. "The other side of business continuity involves IT infrastructure, call centres, network monitoring and so on."
Unsurprisingly, both aspects are very well established; while the fact the company is also a Category 2 responder under the Civil Contingencies Act has also influenced strategy. Nonetheless, there have been changes in emphasis in recent years, as the company has become more reliant on technology. It has also been forced to consider in more detail the consequences of extreme weather events. "We've been looking at building redundancy into the networks and avoiding relying on single points of supply; and looking at alternative suppliers," says Smith.
Another gradual change in recent years has been a move to a more risk-based approach to decision making. "We've had a risk management team in place for a couple of years now. They look at the relative risks in the business and use that analysis to target investment in particular activities." However, the company is restricted to some extent by the rulings of the industry regulator Ofwat. "They let us know what we can and can't spend, so we use the risk approach to make a case for where we want to spend money; we have to try to persuade the regulator it's a good use of the money."
The company seems to have suffered from more than its fair share of incidents in recent years. "We've had a flooding in our HQ building [in 2006], as well as a fire at a customer relations location in Birmingham and a couple of issues at our datacentre to cope within the last couple of years," says Smith. "We seem to prefer live incidents to exercises!" But those experiences were valuable, in part because they demonstrated the need for a degree of flexibility in planning. "It gave us a good steer on how far we should develop our plans," says Smith. "It's about getting 80 per cent of the way on paper, because every incident is different, depending on cause, who's affected or the time of year." For example, the plans don't specify exactly who gets top priority in terms of claiming recovery centre seats, because at different times in the company's business cycle it might be more important to assign seats to billing department personnel or to the finance department, for instance.
Planning is based around the use of BS 25999 as a benchmark, but the company doesn't see a need to attain full certification. "There was some talk of how it would get your insurance premiums down, but we've found that by working through the business continuity plans we've
got in place with insurers, those premiums are available whether we've got the certification in place or not," says Smith.
In the last decade energy company Centrica has created an entirely new business continuity strategy. When the company was founded in 1997, following a demerger from British Gas, business continuity arrangements relied heavily on
the principle of dispersal, simply because it had such an extensive estate of offices and operational facilities.
Since then, an ongoing drive for greater efficiency has entailed shedding some of that spare capacity. "That has meant that over the last three to four years we have had a radical change, moving towards the use of business recovery sites," says Mario Pascoe, head of business continuity at Centrica.
The company has also become more reliant on its IT infrastructure, which is now protected through the use of a mirroring arrangement across two datacentres. Finally, the company has also needed to carry out deeper analysis of the business continuity requirements and resilience of its 15,000 suppliers. The result has been the creation of a much more coordinated strategy across the business, which includes testing at all Centrica sites at least three times a year. Senior management are supportive, in part because of the twin pressures of regulation and commercial forces in the energy market. While there is less competitive pressure than in other sectors, the company recognises a paramount need to be able to serve customers requiring emergency assistance, for example.
Centrica has had to invoke plans on a number of occasions. In 2009 it twice needed to use 300 to 400 seats in a recovery centre, because of problems caused by a lack of power or of telephony. "To go to 400 seats which are not dedicated and have that up and running so the customer doesn't know you've failed is a fairly major undertaking," Pascoe points out. He also highlights the beneficial effects that a comprehensive approach to business continuity has on employees. "They know where they will be working if something goes wrong and it gives them confidence that the company is looking to have a degree of continuity and resilience."
Roger McLoughlin, business continuity authority at Vodafone, believes the way business continuity is perceived within his company has changed significantly, from being regarded as a defensive function to something to be used more positively to promote the strengths of the business.
Vodafone is in a special position of course, because its networks play a vital role in so many of its customers' own business continuity plans. The company has attained BS 25999 certification for its whole network, in part because of the statement of strength this broadcasts to customers. "We had used BS 25999 as a best practice guide," McLoughlin recalls. "We didn't see the value of certification, but our sales, PR and marketing guys did, because the customers saw a value in it."
The company's sales director subsequently helped support the financial cost of registration and certification, attained for the 2G voice network in 2008 and extended to cover the 3G network and mobile broadband in June 2009. The ongoing development of business continuity planning and the drive to attain certification has been beneficial for Vodafone companies around the world. "We now have a business continuity management standard for the group which feeds out to all the Vodafone companies," McLoughlin explains. "They all use the BCMS, but whether they go for full certification is a local decision." Plans have been put to the test for real several times. The summer floods of 2007 put the company's main UK campus at Newbury out of action for several days, forcing the company to prove its staff really could work remotely from home or alternative office accommodation.
"It would be nice to say that the reason we had the capability to do that was thanks to business continuity, but of course really it was because we had the solution we sell to our customers," admits McLoughlin. "The vast majority of people at Vodafone don't have a fixed desk, they have a mobile phone and a laptop. A by-product of that mobility was a very good continuity solution."
One of Vodafone Turkey's datacentres in Istanbul was affected by serious flooding in September 2009, when the waters rose astonishingly quickly in just a few minutes. "Again, we recovered our services within hours to about 50 per cent of Turkey and were back up to 100 per cent within 24 hours," says McLoughlin. "Given the circumstances, our recovery was quite remarkable." In fact, this year Vodafone UK took away the Award for Business Continuity Strategy.
The evolution of the business continuity function at Sainsbury's could be said to have followed a more conventional route. Steve Mellish, the firm's head of business continuity, has led the business continuity function since it came into being in 1996, having grown out of disaster recovery planning to protect the company's datacentre and corporate headquarters.
Mellish and his colleagues began to develop a more comprehensive business continuity strategy during the second half of the 1990s, the most important aspect of which, he now believes, was a focus on building a strong governance structure, embracing key personnel who would become the spine of the business continuity management team.
As elsewhere, preparations for Y2K altered both the scope of planning and the view of business continuity within the company. "We were looking at scenarios outside our control that could involve anything from the breakdown of road infrastructure to interruptions to utility supplies, or events in other parts of the world that would hit Y2K before us," Mellish recalls. One such scenario was an interruption to fuel supplies; and the team's work paid off during the September 2000 fuel crisis. "That was a big milestone, that showed the benefit of having that [BCM] team dealing with a major incident," says Mellish. "Six months later we had the Foot and Mouth outbreak to deal with and used the team again and the same processes of getting control of the situation, stabilisation, then getting back to normal as soon as possible."
Since then, the team has had to cope with more than 40 incidents, ranging from the 7/7 London bombings to more localised events like critical equipment failure or store fires. It is currently monitoring the swine flu pandemic.
The business continuity function has become fully integrated within every operational aspect of the business, covering all the company's store formats, online channels and supply chains.
The business continuity management programme is aligned with the BS 25999 standard, but the company has not sought full certification. In any case, he believes the company's approach incorporates one of the standard's most important aspects: embedding [business continuity] into the organisation's culture. "We have always focused on the question of whether our business continuity management strategy is directly supporting our corporate strategy. It's now built into the fabric of what the company is all about." He believes that attaining this level of business continuity -consciousness across the company has boosted its overall resilience. "People now think of business continuity in a broader sense, so in areas like facilities management, IT and supplier relationships there is a more calculated approach in terms of how you mitigate [issues].
"We've formalised business continuity rules within each part of the business and built up competence of the capabilities of our people to be able to manage this within their respective areas," he continues. "Just by doing that we have contributed to resilience improvements, because they're now thinking 'There's a potential issue there, let's do something about it', rather than looking to the central business continuity team to deal with it."
Generalisations are risky when considering a body of organisations as diverse as the companies of the FTSE 100, yet speaking to these very different companies does reveal a few interesting themes. Where there has been adequate investment of resources with the aim of improving cultural attitudes as well as technical proficiency, business continuity can become an enabling force within a company, in a way one might compare to the benefits that can be derived from an effective IT infrastructure. It can help to unify and strengthen a company's supply chain as well as its core operations. In some sectors, it can confer commercial benefits. Of course, you knew that. The important point is that today the FTSE 100 knows that too.