On the market

Recovery provision has developed considerably during the last decade. David Adams looks at how customer demand and environmental pressures have brought about these changes

Ten years after the Millennium Bug and eight years after 9/11 is an appropriate time to consider how the third party business continuity provision market has changed. Evolving client requirements have encouraged providers to adapt services and business models, but as more organisations gain a better understanding of the complexities of their business continuity needs, a growing number are focusing on building additional resilience into their own processes rather than relying on third party providers.

Stuart Anderson, business resilience expert at PA Consulting Group, says this trend is visible in global organisations operating in sectors like investment banking, telcos and government. The unifying characteristic appears to be high availability requirements. He believes one contributory factor is the ever more complex nature of IT solutions, with most businesses and organisations now dependent on a huge, interconnected mesh of systems.

He also thinks a desire to maintain control could be influencing some decision makers. Philip Caulfield, managing director at Adam Continuity, believes 9/11 bears some responsibility for this trend, because of the way that the attacks on the World Trade Center overwhelmed existing syndicated recovery arrangements. "It was such a huge event that syndication just didn't work and all the Manhattan-based recovery centres were immediately filled up," he recalls. "The syndication arrangements weren't based on a tower coming down and they certainly weren't based on two coming down. I think 9/11 changed the face of the way that business continuity was looked at by the City-based clients."

Those events encouraged many companies in the City of London to invest in recovery centres outside the M25, to house replicated IT environments and storage. However, as Caulfield points out, many of those companies then outsourced recovery and continuity arrangements for less important systems and processes to third party providers.
This offers third party providers some commercial opportunities. "When we do rehearsals with these companies we always end up helping them with their tier one recovery as well - because that's what we do," he explains. "Their IT teams are not always experienced in continuity and recovery processes."

The events of 2001 also encouraged regulators in sectors like finance to ask tougher questions about continuity provision, which may also have encouraged companies to bring recovery arrangements in-house. "Post-World Trade Center, particularly in the financial sector, the regulators became interested in syndicated disaster recovery risk in the event of a wide-area incident," says Robin Gaddum, senior managing consultant, business continuity and resiliency services, at IBM. "They started asking questions and a number of firms started to second guess where the regulators might be going. They wanted to have more control of the risk and take things back in house. We have a number of customers we've helped move along this route."

Other organisations bring continuity and recovery processes in house because they have unusual requirements not met by the third party providers, like particular safety or security concerns. Air traffic control or the control rooms of utility companies may fall into this category.

But not everyone in third party provision is convinced there is a significant movement towards in-house provision. "I would argue that as a result of the banking crisis there is a tendency for organisations to look at third parties," says Mike Osborne, managing director at ICM Business Continuity.

The cost case can be compelling. A dedicated recovery seat may cost £7,000 to £8,000 - a cost that would have to be borne in full by any company or organisation keeping the process in house, but which would obviously be reduced by the economies of scale a third party provider could offer. And a syndicated seat might only cost £300 to £400. "What we're finding is that in today's economic climate people don't want to build their own site any more," says Max Feneck, product marketing manager for managed services at SunGard. "It's extremely capital-intensive."

There's also the possibility that a company or organisation might not need as much space as was thought when a facility was first designed, because of technological advances such as virtualisation reducing the physical requirements of the IT infrastructure, or as a result of changes in the organisation. "What happens if you've reduced your staff by 20 per cent?" asks Mike Osborne. "You're left with a fixed cost for a business continuity facility with a tremendous amount of headroom you don't need." Consequently, many organisations are looking for the most pragmatic, effective mix of in-house and third party provision. Technical improvements have altered the nature of both types of solution.

The development of virtualisation technology is helping improve the quality and efficiency of both in-house and third party provision and has opened up new opportunities for smaller organisations to invest in recovery solutions. Technological changes make it possible to imagine the demise of the super-sized recovery site. "I can't see, in five or ten years' time, companies paying for recovery seats when they will be able to organise for critical staff to work from home," says Caulfield. "I'm not being critical of the players that have built these sites, but I can see them switching 100 positions on a floor to a floor that can take redundant and resilient IT equipment."

Looking a little further ahead, it's perfectly possible to imagine more companies and organisations using internet cloud-based provider services. "The next 12 to 18 months is when the larger organisations are going to look at a more cloud-based, on-demand type service," suggests Tim Goodwin, senior director for recovery management, EMEA, at CA. "Technology has progressed to the extent that that can be an affordable reality." The fortunes of the third party provision industry will be influenced by changing client requirements in other ways. The passage of the Civil Contingencies Act in 2004 and a growing determination on the part of local and national auditing authorities to enforce its terms more strictly are pushing more public sector organisations to improve continuity arrangements.

At the same time, the public sector is under huge pressure to cut costs. In some cases this is leading to an exit from agreements with third party providers or to a reduction in provision. "So before they would want 50 positions plus IT back-up and now they're cutting that down to ten positions or less and increasing provision to site, at their own recovery centres," explains George Cook, chief executive at public sector continuity provision specialist Community Resilience. Local and national government organisations are also under pressure to sell off under-used real estate that might previously have been used to house recovery facilities.

All these developments put these organisations in a difficult situation, but one that is benefitting Community Resilience, which provides much more basic continuity arrangements than do most third party business continuity providers, at a lower cost. It is also benefitting from a new examination of syndication ratios. "Public sector organisations in the past lived with those ratios, but now auditors are saying that's not complying with the law, so they're having to look at 1:1 ratios," says Cook. "That's way more expensive than a standard disaster recovery and workplace recovery contract. We're extremely fortunate to be in the right place at the right time, because we offer exclusivity."

Nor is the Spartan nature of the facilities Community Resilience provides, with no furniture and very limited telecoms facilities, a major problem, as key staff are usually equipped with laptops and/or personal communications equipment such as a BlackBerrys, running on servers replicated at government server farms elsewhere, or at facilities run by other third party providers. Organisations could also use satellite communications providers, with portable facilities brought to the recovery facility when needed, providing a satellite link and wireless internet access within minutes. The upshot of all these changes is that there will continue to be commercial opportunities for third party providers, but that they do need to be nimble and flexible to take advantage of them. Adam Continuity's Caulfield believes that, despite major consolidation in the market over the last decade, there is plenty of scope for smaller providers like his company to find a niche. "If you're a smaller organisation these days you're starting to understand that your money may be best placed with a smaller company which has the ability to be more flexible than the larger providers," he says.

But Anderson wonders if that might be an overly harsh judgment on larger providers, which have also learned important lessons. "My experience of working with third party providers on behalf of clients is much better than when I first came into the industry," he says. "The working relationship used to be very skewed in favour of the supplier." Anderson doesn't believe the fundamental selection criteria for choosing a third party provider have changed. The first consideration has to be the location of a recovery centre and the extent to which it will be practically possible for a client's staff to travel there. Location may also be important for technical reasons, particularly if there is a need for synchronous data replication.

Cross-examining providers about syndication ratios, physical proximity to other recovery centre users and the basis on which facilities are allocated (first come first served or on an equitable share basis) is also a good idea when negotiating terms in today's market. Equally as important, is considering what happens if a primary recovery site is not available in the event of a wide area disaster. "A lot of salesmen will say 'We roll you over to the next site', but if you've got no network connections there, or if you've done three or four years' worth of testing and users are used to using the system at the primary site. It's those sorts of practicalities that organisations need to think about," warns Osborne.

And of course, the single most important question remains: "Unless you test a continuity plan it's not really worth having," says Goodwin. "You need continuity solutions you can test regularly." Overall, there is some scope for the third party provision industry to pat itself on the back: this is a competitive market; the standard of service is very high and rising, but providers need to stay on their toes. The challenge for business continuity providers across the industry will be to find opportunities to demonstrate their ability to help clients build resilience into continuity arrangements, whether or not they actually provide those clients with a primary or secondary source of continuity and recovery capability.

    Share Story:


Cyber risk in the transportation industry
The connected nature of the transport and logistics industries makes them an attractive target for hackers, with potentially disruptive and costly consequences. Between June 2020 and June 2021, the transportation industry saw an 186% increase in weekly ransomware attacks. At the same time, regulations and cyber security standards are lacking – creating weak postures across the board. This podcast explores the key risks. Published April 2022.

Political risk: A fresh perspective
CIR’s editor, Deborah Ritchie speaks with head of PCS at Verisk, Tom Johansmeyer about the confluence of political, nat cat and pandemic risks in a world that is becoming an increasingly risky place in which to do business. Published February 2022.