About Us  |  Search  | FAQ  | Contact Us
Risk Management
Human Resources
Smarts Cards
Optimise CRM
Data Warehousing
Disaster Recovery
Swift Messaging
BPM & Workflow
Capital Markets
Global Custody




e-continuity(tm) - A new age and new demands?


Earlier in the year, 'e-continuity(tm)! - A corporate lifeline for Internet operations' introduced the concept of ensuring continuous availability for Internet operations to readers of this publication. The question remains what new demands - if any - the Internet age poses for 'traditional' businesses as they ensure continuity for e-commerce operations. And, more importantly, how should they be addressed?

Areas to consider include:

The relationship between business continuity planning (BCP) and disaster recovery (DR)

The changing business model

nThe risks of 'e'

n The new approach to BCP and DR

n The technical difficulties

The relationship between BCP and DR.
There can be few organisations within the Banking sector that have not invested in disaster recovery to ensure that appropriate restore strategies are in place for their critical systems, and that alternative office facilities are available for personnel to relocate to should the worst occur. And many within this industry have overlaid disaster recovery provision with BCP - the all encompassing approach to eliminating, mitigating and managing the risks that an organisation faces. Risk Assessment, Business Impact Analysis, Business Continuity Plan creation - followed by its exercising, testing and ongoing maintenance to ensure currency and viability - are all vital elements towards ensuring business continuation in the face of interruption. DR is all very well, but BCP protects the business that depends on the technology, as well as the technology itself.

Historically, most BCPs reflected a slow moving business environment with no great or dramatic changes to the plan or the process. But when the decision is made to move from 'bricks' to 'clicks', will the old model for BCP still work in an environment where the Internet moves at the speed of light? Technology is different, working practices are different - or are they?

For any 'traditional' company moving into the Internet (rather than start up dotcoms) all of the 'old' principles still apply. There may be changes, but they are not as dramatic as may be imagined. The basic approach to BCP doesn't change. A move into e-commerce is not carte blanche to throw away all learning applied thus far, it just needs to be applied to a new set of risks - and therein lies the fundamental change.

The changing business model
We all know that businesses change over time - in order to combat their competition, to deliver new products, to acquire new markets, and so on. Or to quote Sir John Harvey Jones: "Companies must constantly change and move forwards. There is no such thing as standing still. Standing still is, per se, moving backwards".

As recent years have demonstrated, new technologies force or permit change. For example, computing in the workplace has become ever more prolific, resulting in widespread automation and the ability to transact in ways previously unheard of. Allied with advances in telecommunications, our world today is one vast network. We have ATMs and phone banking in order to manage our finances and obtain cash; pagers and mobile phones deliver the ability to manage mobile workforces; laptop computers and modems have made the ability to work from variable locations reality; faxes and email allow us to conduct business with greater speed and immediacy.

Risk Management and DR coped with these, so what is the difference with the current set of changes?

The risks of 'e'
In many ways there are no changes, as the same overall process for managing e-risks should be followed. Timings may be different, scope may be different, some of the specific expertise required may be different, but the remit for e-continuity(tm) remains unchanged.

Some developments associated with 'e' that should be addressed include:

n Streamlining.
This removes layers of people providing less room for manoeuvre and leading to increased opportunities for single points of failure. Lean, mean operations have little in-built redundancy to cope with unexpected occurrences.

n Increased automation.
Increased dependency upon technology, 3rd party suppliers and maintainers leaves little leeway when interruption to critical IT services occur. Resultant recovery strategies must also integrate the business process closely with the technology one to ensure that the e-promise made can be delivered seamlessly.

n Internet business is much more transparent to customers.
If the online 'shop front' becomes unavailable, or orders cannot be fulfilled, the weaknesses in the operation become highly visible and the impact may be felt in terms of lost customers, share value, brand integrity and reputation. Any 'traditional' business with sound a brand proposition cannot afford to permit brand values to be undermined with a weak online offering.

n Volume of business could 'rocket' beyond control, consider the experiences of Egg (Prudential) and Cahoots (Abbey National) who both fell foul of an under anticipated demand.

n Data Security is a major issue.
Statistics suggest that 90% of hacks go undetected, that 60% of companies suffer a security breach every two years and that the cost of rectification following one (estimated at £20,000 - £100,000) costs 10-100 times more in lost customer confidence.

The new approach to BCP
Some of the changes required to the BCP process for e-commerce include:

n The 'Snapshot' approach to Business Impact and Risk Assessment.

Because things move at an accelerated pace, long term risk and impact analyses familiar to more traditional commerce cease to be an advantage. Take a snapshot of the business, apply 'known' risks and make judgements based on those, you probably will not have sufficient time to get too detailed.

n Technology is likely to play a much greater part, so take an integrated approach to systems, ISPs, telcos, 3rd parties

suppliers / maintainers, etc, to ensure seamless operations. Additionally, their risk management processes should be interrogated to ensure they cannot undermine the business.

n Upstream suppliers may play a more significant role - doing things for you at unsocial hours or days (e.g: Simply Computers busiest transaction period is Sunday afternoon). E-business may differ significantly from its off line counterpart and the BCP must reflect this.

BCP needs to provide implementation services to put the suggestions and observations into action. The key change is to keep the plan (and risk assessments) up to date with the changing business.

The new approach to DR
In assessing systems and business dependencies, there are likely to be three levels of requirement identified:

1. The old "24 hours will do"

2. The "we need this in 4 hours"

3. And the "if this ever goes down we've had it"

Evidently different elements of the e-business have different functions and therefore levels of criticality, and an e-continuity(tm) approach to DR will include a combination of solutions to address the levels identified above in an integrated way. These may include:

n Traditional 'hot fixed-site' disaster recovery or mobile services

n High availability - ensuring maximum uptime, rather than minimum, downtime

n Continuous availability - delivering no downtime whatsoever

n Hosting / co-location - a view needs to be taken if any of the equipment/site/services are 'hosted' or co-located in terms of DR provision. What measures are in place or can be put in place and is your recovery provider in a position to assist? Bear in mind guarantees are worthless (would you buy a parachute with a guarantee?), but proven performance counts. The evolution of the business continuity industry is such that host, network performance & access, data and server resilience may all be enhanced.

n Site monitoring - in the e-world forewarning of impending or actual doom becomes more valuable than ever before. You need to be continuously monitoring your site's availability, its 'look' and its performance.

n Security reviews - Security over the web is an often raised and tangible issue. PKI, file and folder encryption, firewall security, intrusion detection, door rattling attacks, inside jobs, are but some of the issues that will need to addressed as part of an e-continuity(tm) recovery process. Elements of such a solution could include simulated hacker attacks and penetration testing; crime prevention consultancy; and implementation services.

The technology challenges
In the Internet environment people who really know what they're doing are in short supply and are also very very expensive. In addition, public IP is difficult to 'move' and even more difficult to move quickly, and there is the ever present issue of security. As with any operation in need of effective BCP, the e-continuity(tm) approach should integrate traditional best practice to the concerns of conducting business over the Internet. This will ensure an holistic approach to business-wide continuance issues - and this is a principle that should never change!

Appendix a: Ten Tips for Business Continuity
n Consider the effect of the global e-culture on your business. Whatever you do, do something, even if its only research. The rest of the world is after your customers; doing nothing is giving them away and may damage your wealth. Promote a positive message.

n Consider the effect of a corporate e-culture on your business. However big you think the task and impact on your current workload may be, think again. If you want your e-commerce investment to deliver to its full potential the efforts required will be much much bigger and many times more expensive than your initial estimates.

n Consider the Information Security implications of introducing e-commerce into your business. Perimeter security is not enough, you must assess all points of threat and address each of them individually. You must also look for the early warning signs which usually precede an 'attack' of some description.

n Know your ISP, it does matter. Continually re-assess your ISP to ensure that your website has the best route of access to your target market, and that your ISP is operating with good Risk Management practices, don't rely on fine words or glossy publicity materials, ask for proof.

n Know what can cause your Internet presence to disappear and when it has. Make yourself aware when your web site is not available to the Internet or when it has been modified, don't wait for your customers to tell you.

n If the impact of failing to deliver service from web generated business is catastrophic, devise a means of assessing the 'reliability' of all of your 'upstream' dependencies. Your suppliers, 3rd parties and other companies on whom you depend to fulfil your customer service expectations must be operating to the same standards, timeframes and quality as you. Demand proof that they are - consistently - and that it is an ethos.

n Equip your company and its suppliers to cope with dramatic growth. Expect the best performance and align your technology accordingly! Ensure that your systems are truly scalable, ensure that your suppliers have the scope to deliver, ensure that your systems won't by undermined by the need for significant amounts of manual input during the fulfillment process.

n Having made the investment in e-commerce, anticipate what the impact on your organisation will be if that particular route to market becomes unavailable. Undertake and maintain risk assessments on your business as your business develops through use of the Internet as a market. Put in place the appropriate measures to protect ALL of the key elements which would have the greatest impact.

n Assume that the worst will occur - your site will disappear, or become overloaded, and what your response will be. PLAN! Plan to address the PR and Brand issues that may be raised. Plan to provide the highest quality customer service - even if not business as usual. Plan to regenerate a presence of some description, somehow, on the Internet.

n Be aware of laws or controls imposed on e-commerce. Take the appropriate advice when you set out on any Internet related business to ensure that you are not offering or delivering anything in contravention of any current laws


Copyright Guardian iT Group 2000

More details can be obtained from:


or by calling 0500 855311.

Piper-Anna Shields
Group Public Relations Manager|
Guardian iT Group.

Shields is also vice-chair of the CSSA's Business Continuity Management Group, a member of the Disaster Management Forum's Advisory Board, and was instrumental in kick-starting the Business Guide to Continuity Management.




Decision Cycle
Web Enabled
Drivers for STP
Personal Touch
Micro Finance
Intelligent hub
Treasury Solutions
Mobile e-commerce
Copy of Supplier Financing
Relationship Management
Data Management
Rise of e-commerce
Computer Crime
FX deals
Intranet Problems
Operational risk
Successful e-commerce
Wireless payments
Net Impact



Home  |  About Us  |  Search  | FAQ  | Contact Us