Business Continuity and the Travel & Transportation sectors
Breaches caused by complacency rising
Events of the last few years convinced many corporate executives of the need for business continuity and disaster recovery plans. Someone would have to live in a bubble not to acknowledge the potential havoc that events like 9/11, the SARS pandemic and Hurricane Katrina can inflict on a business. But, even more mundane events can hurt a business and continuity plans can make the difference between surviving and failing in the aftermath.
With all the attention on natural disasters and terrorism, as well as complying with new regulations and legislation, it makes sense that many businesses have developed recovery plans and systems.
While organizations have invested millions of dollars in protecting IT, people and infrastructure, the question remains whether or not their plans will be effective should a disaster occur. Most often businesses don't go wrong in making plans but fall short when it comes to updating these plans as business, technology and threats themselves change.
As a result, plans can become as outdated as old shoe-sized cell phones. Businesses, of course, are not only disrupted by cataclysmic events. Security issues like viruses, worms and denials of service have brought organizations to a halt, perhaps most famously those that affected online retailers and financial organizations in the late 1990s. Everyday factors like faulty plumbing or HVAC problems can expose businesses to major losses.
All businesses should plan for crises but the travel and transportation industry should place an especially high priority on creating and updating business continuity plans. Airlines, hotel companies, cruise operators and other segments are as much or more at risk of being directly affected by disaster than any other industry.
These companies, however, are also constrained by the nature of their business. For instance, the complexity of airline operations & plane routing, crew assignments, gate slotting & makes a disaster recovery drill almost impossible. Hotels benefit from being more location-specific than airlines and can more easily conduct drills, practice disaster recovery and update plans. Even though it is possible to conduct drills, they're often not done and plans can be based on assumptions that are never tested, except during a disaster.
Crisis plans often focus on protecting and rebuilding IT and infrastructure. Many, however, don't take into account how much of an issue labor can be after a disaster. While IT can be housed remotely the travel industry is labor intensive and people are needed on site. Staff may have had to evacuate or their homes may be unlivable. Staff housing and transportation should be addressed in any plan.
Another aspect to address is customer service. Successful companies do not forget their commitment to customer service during a disaster. The ability of a company to provide help and comfort to customers during and after a crisis goes a long way to earning loyalty and may determine if a company recovers from a disaster. During the most recent hurricane season, a large hotel chain arranged to have guests evacuated after a storm instead of waiting for the government or the Red Cross or leaving guests to arrange their own transportation out of hurricane-damaged area. This was an enormous cost for the company but it demonstrated that the hotel would continue their service commitment no matter what the situation and likely earned them extremely loyal customers. This response was not accidental but the result of planning and decisions made well before the hurricane arrived.
These aspects should be part of all disaster plans and other companies and segments of the industry can learn from this example. We've all seen footage of passenger filled airports during severe winter storms or other crises. Imagine, however, footage of helpful airline employees passing out blankets, pillows, water and snacks to make customers more comfortable. By neglecting business continuity planning, organizations run the risk of being without viable capability for recovery. All past effort and investment counts for little if plans are outdated and no longer useful. In fact, it is far more cost effective to incrementally modify and realign a corporate recovery plan than to examine it when an issue arises.
Important Questions
There are many questions CEOs should ask themselves and their teams in order to be confident that their enterprise's business continuity program will, in fact, help the business survive a crisis. Here is a look at some of them:
1. When was the BCM plan last tested? How realistic was the scenario used for the test? Was there a third party or outside observer documenting it? Were problems that occurred during the test tracked and resolved?
2. What has changed since the last time the plan was tested or updated? What have the significant technology changes been? Have we put new storage and network technologies in place?
3. How has my business changed? Are there new processes that weren't in place when the initial disaster recovery activities were planned? Have they been addressed and built into the overall business continuity capability?
4. What are todays' threats? What's changed geopolitically? How is the company protected in an area where there is unrest? What are the new risks?
5. How is the business positioned for risk mitigation with an insurer? Can we use business continuity capability as a way to lower overall insurance premiums? Is the business insured adequately?
6. When was the plan last updated? Is there a function within the organization whose sole responsibility is to ensure that business continuity efforts are current and relevant?
7. How were the business continuity plans developed? Have the recovery plans for IT services, facilities, employees all been coordinated so there aren't redundancies or gaps? How have regulatory and legislative requirements been integrated?
8. Have third parties and vendors been considered? Have vendors and outsourcing partners been contracted to have sound business continuity plans so they will not leave the company vulnerable? What about the supply chain?
We frequently hear the war stories, like the company that failed to employ inexpensive leak detectors to protect against flooding and ended up with a plumbing problem that shut down all the IT systems, or the organization that built a data system up to earthquake standards but didn't reinforce the service straps so the servers would be braced effectively against an earthquake.
The lessons in those stories are many plan for the extreme and the everyday; plan for process, infrastructure and for people; and think, rethink and question the plans. Organizations with no disaster recovery or BCM plans are clearly very vulnerable but those that develop a comprehensive plan and then put it on the shelf, may be far more vulnerable than they think.
If you would like to know more about how your organisation can get involved and benefit from working with the Continuity Forum, please email us HERE! or call on + 44 (0) 208 993 1599.