Why are large organisations so bad at business continuity?

Last night I was settling down to watch an episode of Criminal Minds on LoveFilm only to discover the service was unavailable. I waited to see if it would be restored but after 15 minutes there was still no resumption in service.

I was pretty annoyed – after all, I pay for a premium subscription and don’t expect the service to be unavailable when I go to use it. As such, it would seem LoveFilm are not the only large organisation that don’t have adequate measures in place to ensure the continuity of their business. It is not too long ago when several large banks experienced issues with their IT systems – specifically RBS and Lloyds TSB in the UK.

But why are large organisations so bad at business continuity? Surely they don’t want to suffer the damage that results from a business interruption?

Damage to an organisation suffering a business interruption can be manyfold but can include:

  • Damage to the organisation’s reputation and brand
  • The cost of lost orders
  • Compensation costs associated with customers not being able to access the services they pay for
  • Fines for not complying with industry or governmental regulations
  • Costs associated with resuming business as usual.

In short, the damage done to an organisation experiencing a business interruption could destroy it. They fail to plan for a crisis and as a result don’t have systems in place to ensure the continuity of their business.

‘By failing to prepare, you are preparing to fail’
Benjamin Franklin

But what can be done to ensure an organisation can continue business even when a major IT or other crisis strikes?

The answer is pretty simple really; they need to put in place an ISO 22301 business continuity management system (BCMS). ISO 22301 enables organisations to take a risk based approach to business continuity, putting in place adequate controls to manage the risks faced to the continuity of an organisation and mitigate them as much as possible.

Organisations can gain certification against ISO 22301 and thus demonstrate they have a system in place to ensure the continuity of their business and, more importantly, the services customers use.

Now, where is LoveFilm’s ISO 22301 certificate?

Essential ISO 22301 Resources:

  1. ISO22301 (ISO 22301) BCMS Requirements
  2. The Route Map to Business Continuity Management. Meeting the Requirements for ISO22301 (ISO 22301)
  3. Business Continuity Management Systems – Implementation and Certification to ISO 22301
  4. ISO 22301 Business Continuity Management System (BCMS) Implementation Toolkit
Share
  •  
  •  
  •  
  •  
  •  
  •  

Comments

  1. Howard Kenny says

    Hi Jamie

    Maybe, just maybe, these large organisations may have it right … ish. Maybe they’ve done their risk assessment and determined the cost of mitigation exceeds the losses they would experience from such outages.

    Have you cancelled, or are you likely to dump, your LoveFilm subscription as a result of this experience? Ask the strategists at any of the major banks (and probably most large branded corporates), and they will tell you that there is a level of protection against customer attrition as a result of a break in service, due to the perception that they are all as bad as each other.

    In each of the examples you provide, the issues are technology related which, in large organisations, tends to be somewhat divorced from mainstream BC and CM as we know it. DR is based around service SLAs and IT have “incidents” that tend to be internally managed in the technology bubble.

    To me, this is the bigger issue – technology as a silo, not being effectively managed through risk and BC principles. Wouldn’t that be nice, to incorporate DR and incident management into the bigger picture!

    But, it would come at a cost, as would implementing a formal standards based approach. And who would wear that cost? Not the shareholders or the company, but the customers. And given most products and services are priced to the market these days (i.e. to what the market will pay), the cost v benefits analysis becomes tougher to balance. An increase of x% is measured as the number of customers who will dump the service, or potential customers who just wouldn’t subscribe. How much extra would you be willing to pay to ensure LoveFilm was always available, with no interruption to service – ever?

    In reality, I don’t think they are bad at Business Continuity. At best, they are astute and measure the potential impact against the cost to mitigate and understand what MUST be done; at worst, they make a calculated decision based on basic perceived customer expectations.

Share your thoughts