WHAT’S THE WORST THAT COULD HAPPEN?
Controlling and managing risk can be one of the great unknowns in business. Each year, many businesses get burned because they didn’t anticipate the risks and put a business continuity plan in place. A recent Symantec survey found that 30 per cent of Australian and New Zealand* businesses don’t have a formal disaster preparedness plan.
Steve Martin, director, SMB, Symantec Australia and New Zealand, is no stranger to the fallout a business suffers once a risk has been realised. Managing risk and keeping your information secure is what Symantec is all about. Each year, Symantec helps thousands of companies globally to understand their risks, and works with them to put a plan in place, so that if the worst does happen, there is a fall-back option.
IDENTIFYING THE RISKS
Steve explains that business risks can come in all shapes and sizes. Some risks are physical, like a fire or natural disaster destroying your building. Others are operational, such as whether your business can continue if your IT systems fall over. And it appears that Australian SMEs are being a little too blasé about the potential risks. A Symantec survey in late 2009 of those responsible for computers and technology resources in SMEs found that 93 per cent of respondents in Australia and New Zealand (ANZ) were somewhat or very satisfied with their disaster recovery plans.
However, in the same survey, Australian SMEs also admitted to experiencing an average of three system outages in the past 12 months, costing around $30,000 each. The leading causes of these outages were viruses or hacker attacks, power outages, and employees accidentally deleting data.
THE DANGERS YOU CAN’T SEE
Perhaps the most critical risks to your business are the ones that are least visible. One of the most valuable assets, and yet the most taken for granted, is data. Data is the lifeblood of your organisation, and without it you cease to function. Imagine what would happen if you lost your customer information: you wouldn’t know who your customers were, how to contact them or what they buy from you. Before you’ve even found out, they’ve probably moved on to one of your competitors. Similarly, think of all the intellectual property your business has developed over the years, all of the systems and processes you’ve built as part of your business. Within seconds it could disappear, and with it your business. ‘It’s not surprising to hear that if a business experiences one of these disasters, it generally tends to cease trading within a few months. That’s how critical it is,’ says Steve.
Whilst the above paints a picture of the worst-case scenario, there are other risks associated with the loss of data and business information. ‘Losing customer data is not just a hassle for you; there are governance issues and the financial risk of compliance. Compliance is a growing challenge for many businesses, and with the proposed changes to the Australian Privacy Act it could soon be mandatory for any Australian business to report a loss of customer information, no matter how big or small that loss is, if you have not taken the necessary precautions. In addition to significant damage to a company’s brand, there’s also a big financial risk associated with trying to report or find data too, if indeed you have to report against it,’ says Steve.
‘Data integrity is fast becoming another issue that business owners have to think about. Certain industries require you to maintain data for a number of years, and you need to be able to access that data quickly and easily if you’re required to submit it for any reason, a court case for example. Imagine the man-hours involved if you’re suddenly asked to produce all the information relating to an incident that happened five years ago. Saying you can’t find it is not an excuse. Therefore you need to have the appropriate measures in place to be able to deal with that.’
It’s no wonder that business owners can become a little overwhelmed by what’s required to keep their business safe and secure. However, forward-thinking decision-makers are starting to take control of the risks facing their businesses, tackling risk management head-on by planning for the unforeseen. Doing so allows them to achieve planned outcomes without the fear of something happening to the business, and minimises the chance of failure by making informed decisions based on the potential risks. But how exactly do they go about it? This is where risk management and business continuity come to the fore.
WHAT IS RISK MANAGEMENT AND BUSINESS CONTINUITY PLANNING?
Risk management and business continuity planning (BCP) are often viewed as separate or overlapping practices, but they are in fact closely tied together. The risk management process creates important inputs for the business continuity plan (company assets, impact assessments, cost estimates for insurance, and so on). Where they differ is that BCP goes beyond risk management’s pre-emptive approach and starts from the assumption that a disaster will occur at some point. If you accept that disaster could strike and affect you, having a business continuity plan in place could mean that you’re up and running again within hours or even minutes should the worst happen.
Risk management is about selecting cost-effective approaches that minimise the threats to your organisation before they have actually materialised. For example, if you feel that your business is likely to experience virus attacks over email, what measures can you put in place to help prevent this? How high does it rank in the list of possible risks? Once you understand this, it will dictate how much budget you need to spend to prevent or reduce that risk.
‘It sounds very simple,’ says Steve. ‘Good risk management prioritises the threats with the greatest loss and the greatest probability of occurring. These are handled first and given the most attention. However, in practice the process can be difficult and judgement can be a little clouded. What we tend to find is that businesses pay a lot of attention to those risks that have a high probability of occurrence but lower loss, versus a risk with high loss but lower probability of occurrence. This is why you often see that, despite having some kind of plan in place, that plan is focused incorrectly.
‘However, some risks are simply unavoidable, no matter how hard you try to stop them. For example, a flood could happen on the top floor of an office block if a small fire set off the sprinkler system. Whilst you may have a plan in place to stop the fire when the sprinklers trigger, businesses need to assess what damage the ensuing flood could do to their business,’ Steve explains. ‘It’s therefore natural that all businesses have to accept some level of residual risk, which means business continuity planning (BCP) needs to figure as part of the risk management process. Once you’ve accepted that certain risks will hit your business, the business continuity plan is all about how you’re going to recover and keep your company running should a risk hit.
‘So in the example of the flood, should it hit your business, how quickly can you react, move your business to other premises and be up and running? As part of that consideration, what about all the intellectual property within the business? What if the servers holding all of your business information are damaged in the flood? Have you made copies of that information (preferably held in another location), so that you can access your business information and effectively remain unaffected by what’s happened? All of these considerations are vitally important, because no matter how hard you try, you’ll never be able to prevent all risks, so having a plan in place to deal with those risks can be vital to keeping your business up and running.’
Of course, risk management is never a simple process and has its difficulties, namely when allocating resources: the idea of opportunity cost. Resources spent on risk management could potentially be spent on more profitable activities, and that spending can sometimes be resented within the organisation. In an ideal world, risk management minimises spending while maximising the reduction of the negative effects of risks, but that again comes down to the planning. The question you’ll always need to come back to is ‘could my business survive without it?’ If the answer is ‘no’, then start making a plan.
PUTTING A PLAN IN PLACE
It is important to have a plan in the first place, and one that has the correct focus. I know of a business that did 99% of the things they should have done when it came to managing risk. Everything was insured; they even backed up their data each day and made sure they had copies of that information should something go wrong on their servers. Then one day a fire burnt everything to the ground, including the backed-up data, which had been left next to the IT servers. They had to go to the drastic measure of taking out an advert in the local paper to find out who their customers were. Needless to say, the business went under a few months later.
IN TERMS OF HOW TO PLAN, STEVE OFFERS A SIMPLE FIVE-STEP PROCESS:
- Speak to the IT professionals: The first port of call is to take the time to sit down with trusted professionals, particularly those in IT, to securely manage the most critical asset within your business: your data. You need to identify, characterise and assess the threats to your business. All too often, the reason risks escalate into disasters is a lack of knowledge about how to deal with them and plan properly.
- Risk assessment on your business: It must include anything and everything that could potentially disrupt your ability to serve your customers. What equipment do I have? Who looks after my power? What data do I have? These are just some of the basic questions you’ll need to answer, and make sure you, as the decision-maker, document it all and spread that knowledge across the business. It can’t remain in the head of one person.
- Determine the risk: If something does occur, what are the expected consequences of specific types of attack on specific assets? If the building burns down, do I have a temporary location to go to? Is my data backed up and held securely offsite, should my IT systems fail? As a business decision-maker, can I or my IT manager recover data and information if required to under legislation?
- Identify ways to reduce those risks: Once you’ve identified what assets you have, how they support your business and what would happen if a risk presented itself, you need to work out how to minimise those risks. If data is the lifeblood of your business, then make sure the solution to keep that data safe is the best around.
- Test, Test and Test: This is the one thing that most companies forget to implement as part of their planning. If you have a plan in place, how do you know it’s going to work when something happens unless you’ve tested it? A study in July 2008^ found that testing failed 50 per cent of the time, the two major reasons being people not knowing the correct process and technology not doing what it is supposed to. Frequent testing, at least twice a year, helps to address this issue.
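A backup that has never been restored is exactly the untested plan described in the last step, and the fire that took the backup tapes along with the servers shows why the copy, and the means of checking it, must not depend on the system they protect. The shell script below is an added example, not from the article or from Symantec, of the cheapest restore test there is: record a checksum manifest when the backup is taken, then unpack the archive into a scratch directory and compare it against that manifest. The paths, file names and sample data set are all constructed for illustration. What a script like this cannot tell you is whether the archive actually lives offsite; that part of the test remains a walk to the cupboard.

```shell
#!/bin/sh
# Added example (not from the article or Symantec): a restore test for a
# backup archive. All paths and the sample data are constructed for
# illustration.
set -eu

# manifest_of DIR: one "sha256  ./relative/path" line per file, sorted so
# two manifests of identical trees compare byte for byte.
manifest_of() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort )
}

# backup_dir SRC ARCHIVE: archive SRC and store its manifest beside the
# archive, so a later restore can be checked without the original tree
# (which, after a real incident, may no longer exist).
backup_dir() {
    tar -C "$1" -cf "$2" .
    manifest_of "$1" > "$2.sha256"
}

# restore_test ARCHIVE: unpack into a scratch directory and compare the
# result against the stored manifest. Returns 0 only if every file comes
# back with the recorded contents; an unreadable, truncated or incomplete
# archive returns 1.
restore_test() {
    scratch=$(mktemp -d)
    rc=1
    if tar -C "$scratch" -xf "$1" 2>/dev/null \
        && manifest_of "$scratch" | cmp -s - "$1.sha256"; then
        rc=0
    fi
    rm -rf "$scratch"
    return "$rc"
}

# demo: back up a constructed data set, check that the intact archive passes
# the restore test, then check that a damaged copy (truncated, standing in
# for a failed tape or disk) is rejected. Returns 0 if both checks hold.
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/data/customers"
    printf 'id,name\n1,Alice\n2,Bob\n' > "$work/data/customers/list.csv"
    printf 'invoice 42 paid\n' > "$work/data/ledger.txt"

    backup_dir "$work/data" "$work/nightly.tar"
    good=1; bad=1
    if restore_test "$work/nightly.tar"; then good=0; fi

    # The manifest is intact but the archive is cut short after 600 bytes.
    head -c 600 "$work/nightly.tar" > "$work/damaged.tar"
    cp "$work/nightly.tar.sha256" "$work/damaged.tar.sha256"
    if restore_test "$work/damaged.tar"; then bad=0; fi

    rm -rf "$work"
    if [ "$good" -eq 0 ] && [ "$bad" -eq 1 ]; then return 0; fi
    return 1
}

demo && echo "restore test OK: intact backup restores, damaged copy is rejected"
```

Run as-is, the script shows the intact archive passing and the truncated copy failing. Pointed at a real archive and its .sha256 manifest, restore_test needs nothing from the original machine, which is the property a restore test should have: it must still run when the building is gone. Scheduling it at least twice a year gives the step above something to record.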
‘Whilst it may seem like a complex process that takes up a lot of resources, it’s a critical one that could mean the difference between your business sinking or swimming should a disaster strike. The one question I ask of any business I meet is: why continue with contents insurance if your data isn’t insured in some way through a risk plan? The dawn of realisation hits people when you put it in that context, and they realise that without their data, their business is nothing.’
* Symantec SMB Disaster Preparedness Survey, 2009. ^ Symantec Disaster Recovery Research Report, July 2008.
Ref: BUSINESS INSIGHTS Summer 2010 issue