Business continuity not just about business
14th October 2004 (The Star)
BY ZAHRI YUNOS & AHMAD NASIR MOHD ZIN

Zahri Yunos and Ahmad Nasir Mohd Zin are the manager and assistant manager respectively at the Secretariat of the National ICT Security and Emergency Response Centre (Niser).

BUSINESS Continuity Management (BCM) plays an important role and is fundamental to the well-being of an organisation.

Without adequate planning, organisations may not be able to effectively handle prolonged disruptions in services and ensure business continuity.

In Malaysia, the National Information Infostructure (NII) and Critical National Infrastructure (CNI) are of paramount importance. The disruption of one component of the CNI or the NII can have a cascading effect.

Therefore, it is important for organisations, especially those that are part of the CNI and NII, to develop and maintain business continuity programmes to ensure continuity in the face of unforeseen threats.

The NII comprises systems and assets, both real and virtual, that are so vital to the nation that their incapacity or destruction would have a devastating impact on national security, and public health and safety.

The CNI consists of critical infrastructure that supports the nation's economic, political, strategic and socioeconomic activities. It comprises government operations, defence and security forces, public sector services, banking and finance, transportation, utilities, information systems, telecommunications, medical and emergency services.

Currently, we're vulnerable because of the strong interdependencies between computer systems and telecommunications networks. Weaknesses in one infrastructure sector could seriously affect others, resulting in potentially catastrophic damage and disruption.

Critical Concern

Niser conducted an ICT Security Survey for Malaysia in both 2001 and 2002. The surveys covered various areas of ICT (information and communications technology) security, with BCM as one of the focus areas. Consulting firm KPMG also conducted a BCM Benchmarking Survey for the Asia Pacific region in 2003.

These surveys found that the majority of organisations do not have organisation-wide BCM in place. This indicates that many organisations are not ready to deal with business interruptions and are exposed to potentially significant losses and damage.

Without organisation-wide plans in place, they may not be in a position to recover from disaster effectively, or confidently deal with a major interruption.

It is worrying that there are still a large number of organisations that do not have BCM in place, or which do not conduct any type of risk assessment.

With the increasing number of cyberattacks, and the staggering number of internal and physical security breaches, this is definitely a cause for concern.

Organisations should realise that without a thorough and comprehensive BCM plan, they may find themselves exposed to all sorts of possible threats, vulnerabilities and risks that will affect them.

Different strokes

There are two business continuity organisations that have developed BCM methodologies: The US-based Disaster Recovery Institute International (DRII) and the British-based Business Continuity Institute (BCI).

However, the BCM requirements for each organisation are unique and a variety of different approaches may be employed. Therefore, for an effective BCM programme, a common set of methodologies is needed.

The need for a national standard in BCM is important, as it will provide a common interface or framework for different industries to adhere to.

That's because when a disaster strikes, it will take the cooperation of all - business partners, service providers, emergency services and other bodies - to help restore and get businesses back to ... well, business.

A common standard would also provide an assurance that organisations which provide services to the public can do so with minimal interruption by allowing them to identify potential threats and the vulnerabilities associated with those threats.

A BCM standard can also play a key role in helping organisations enhance their corporate governance practices. Corporate governance requires that directors and management ensure the sustainability of their organisation, and that it manages its risks.

Organisations are dependent on critical national infrastructure services such as electricity, transport, water and communications. When this infrastructure fails, they will become vulnerable.

The BCM standard is important as it will lay down a foundation and common understanding for the owners of this critical infrastructure to adhere to and continuously provide their services in the event of a disaster.