Paradox of thrift
Written by Dave Adams
What impact has the recession had on continuity and recovery spend? Have these tough times led companies to spend more to protect what they have, or less, as belts tighten? Dave Adams investigates
Although most organisations have become more reliant upon IT, making disaster recovery increasingly important, the economic environment has made budgets for disaster recovery somewhat vulnerable. Companies operating in highly regulated sectors like finance, or organisations with Civil Contingencies Act obligations are probably less likely to have pulled resources away from disaster recovery or business continuity, but some have still done so and no such controls apply to a huge range of other organisations.
Where there is extreme financial pressure it may become more difficult for business continuity or risk managers to obtain the resources they need to maintain disaster recovery provision. As Martin Caddick, director for business resilience at PwC puts it: “When staff are being laid off, people are frightened of asking the financial director for a workplace recovery site. It is not going to go down very well.”
When one considers the great strides business continuity and disaster recovery have taken over the last decade, it seems hard to believe all this good work may be destroyed by miserly management decisions. But some holes are visible, claims Mike Osborne, managing director of business continuity at Phoenix IT Services. He believes the economic climate is having a significant impact, particularly on IT disaster recovery plans for smaller and also some medium-sized organisations. Osborne fears that the work put into constructing business continuity and disaster recovery protection for SMEs over the past decade has been slowly unpicked by the double dip recession.
“We are definitely seeing a trend with small and medium-sized customers who had been ready to invest £10,000 to £15,000 a year,” he says. “They don’t want to do that any more.”
Other clients are becoming choosier about which disaster recovery provision services they want to use. Stephen Nuttall, regional manager, EMEA, for Service Continuity Management at HP Continuity Services, also reports business continuity and disaster recovery measures being taken out of scope during contract negotiations.
Another problem, according to PwC’s Caddick, is that the attention of management can wander over time. There are usually rises in business continuity or disaster recovery activity after a well-publicised incident or media ‘scare’, but as time passes and the state of the economy becomes an ever more significant ongoing concern, managers turn their attention back to the bottom line and resources for business protection start being withheld. It is, says Caddick, a cycle that repeats itself regularly – but ends up as false economy.
One sector that has suffered a great deal during the recession is retail. Despite that, the need to cut costs has not had a noticeable effect on business continuity and disaster recovery provision at the Arcadia Group (owner of brands including Topshop, Miss Selfridge, BHS and Dorothy Perkins), according to Colin Campbell, Group head of risk management. “I don’t think there is anything we’ve done differently as a result of any need to reduce budgets or watch our spending,” he says.
Campbell says business continuity and disaster recovery planning has continued to evolve at Arcadia, to help the group’s brands gain a clearer understanding of the efficiency and resilience within their supply chains, an ongoing challenge for all retailers. Yet he admits new risks may have been created within the supply chain, if suppliers have themselves been forced to cut back on continuity and recovery provision, or if key personnel working for them have left. It is not just shrinking budgets, but the fact senior managers will spend less time thinking about continuity or recovery, which is dangerous, he says.
In some cases the board is still thinking hard about it – and then deciding to accept a risk anyway, says Caddick. “I think provided you’ve thought through the odds, that’s a legitimate decision,” he says.
Nuttall does not always agree with this. He cites a retail company, one of the top 100 US companies, which asked HP to study the risks to their business. HP identified serious risks relating to an inventory system, which was deemed to have a direct impact on 50 per cent of the company’s global production and distribution processes. HP calculated that the loss of a single day’s production would be US$10 million and if the risk materialised it could bring the system down for 30 days. Nuttall’s team devised a fix which would cost around US$500,000, spread over five years. The board was keen at first, but when contract negotiations began HP was told that the fix was no longer in scope, for cost saving reasons. Nuttall rails against what he calls short-term thinking driven by management concern over share prices. “If they take that short-term view you often see silly things happening,” he says.
Of course, there are other companies that are taking the ‘right’ decisions, in the eyes of the business continuity and disaster recovery conscious. Rodger Arneil, former managing director at Relectronic-Remech and ISS International, is now a consultant, with clients including disaster recovery and property restoration specialist Belfor. Arneil notes that every board has an obligation to protect the assets of the business, in part, for the sake of the shareholder; and in a well-run company this must include taking adequate precautions to protect the business from the consequences of disaster.
Value for money
One argument disaster recovery providers use is that if companies and organisations are under financial pressure, their response should be a drive to get better value for money out of disaster recovery arrangements, not just a rush to cut the budget. Some organisations are doing just this, reports Mark Nicholas, head of business continuity at back2business, an independent business continuity provider based in Plymouth which is also a founding member of the iWASP (Independent Work Area Service Providers) network. He believes the fact that more clients are now scrutinising and adjusting arrangements more carefully before signing or renewing a contract than was once the case indicates a desire to consider continuity and recovery in more detail. “It used to be one of those things that people just wanted to pay someone to make it go away,” he says. “But now people are trying to do this cost-effectively. They are looking at the critical parts of their business and trying to get value for money.” He says smaller providers like his company are trying to differentiate on the basis of the customer service they provide, while they can also offer facilities across the country through iWASP.
Representatives of other providers can also see some reasons to be cheerful. For HP’s Nuttall, one positive effect of these tough times is that more eyes are being opened to the flexibility and cost-effectiveness of cloud computing. Osborne says the fact more of his clients are now seeking to use IT solutions which are more resilient than their legacy architectures is an important positive development: a preventative step which may reduce the need for curative disaster recovery.
Osborne also believes being cash-strapped has made some business continuity and risk managers try to become a bit more creative in terms of the way they try to mitigate risks. “The cash-rich banks used to say ‘that’s a risk, let’s spend money on it’ don’t do that now,” he adds. “But sometimes they’re saying ‘if the risk appetite has changed I’ll try to find a way to support it’. I think there’s a willingness on the part of professionals to try and use their ingenuity to close the gap.”
Companies and organisations of all kinds may be facing tough financial pressures, but the UK is still a world leader in both disaster recovery and business continuity, says Caddick – and will continue to be one if cost-cutting impulses are channelled in a productive way. “Pressure to reduce cost is not necessarily a bad thing, because I think [service providers and internal business continuity and risk managers] should be questioned over whether what they do is good value for money,” he says. “You should not cut for the sake of cutting – but I’m fairly sure a lot of people overspend as well.”