What would be the impact on your business of having to shut production down for 2 days, or being without email for over a week? British Airways and the NHS are finding out the answers to that in the hardest possible way because of a power outage at a data centre and the Wannacry cyber-attack. In BA’s case, compensating up to 75,000 passengers affected by the problem could cost around £100million, 3%, or £375million was wiped off share values and, the potential impact on reputation is, at this moment, incalculable. For the NHS, patients’ health was put at risk and much day to day management and communication was disrupted, with some Trusts unable to access emails for up to 8 days.
Underlying all the noise about old, unsupported and unpatched operating systems, back-up systems not kicking in automatically or the impact of outsourcing core IT systems are three key questions? Do you understand your IT related business risks, what are you doing to mitigate those risks and, when was the last time you fully tested your business continuity plan?
Assessing risk has three key components; your risk appetite, the likelihood of a particular risk occurring and, the impact on your business if that risk does occur. Some risks may be very unlikely to happen, but if they do, the impact on your business may be catastrophic. At the other end of the scale, there may be risks that crop up every day but their impact is very slight. If you rate the likelihood of a risk occurring on a scale of 1, being very unlikely, to 5, highly unlikely and similarly rate the impact on a scale of 1, little or no impact, to 5, critical impact, you have a 5 by 5 risk matrix that you can RAG rate according to your appetite for risk. Placed onto a spreadsheet, this is a simple, useful visual tool to help the Board and senior managers understand their risks and how much time and effort to put into mitigations.
I have no doubt that British Airways had assessed the risk and impact of a power outage knocking out systems or even a whole data centre. They will have had mitigations in place such as uninterruptable power supplies and generators that kick in automatically. Systems and data will have been replicated to remote locations. The question they may not have asked is, what is the risk inherent in outsourcing and offshoring their key operational systems?
I also have no doubt that British Airways have a Business Continuity Plan. The question is how often is that tested and are the learnings from the test applied to an updated plan? There is no right and wrong answer as to how often you should test your Business Continuity Plan. A 2010 survey from Symantec revealed that 82% of companies surveyed carried out a test of their IT Disaster Recovery plans annually. This is not the same, or as far reaching, as Business Continuity, but it gives you an idea. The only mandatory is that you should have assessed if, and how often, you need to test the plan fully. Did British Airways include customer communication as part of their Business Continuity Plan? From the news reports and comments from passengers it certainly doesn’t seem like it. At the very least, it didn’t look as though that they had tested that element of the plan.
In summary, when it comes to Business Continuity…Assess, Mitigate, Test. Assess the business risks of IT failures. Develop processes, procedures and skilled people to mitigate the risks. Fully test your Business Continuity plan and build in any learnings.