Speaking at the Business Continuity Expo in London, Victor Meyer, global head of business continuity management for Deutsche Bank, said that while most firms invested considerable sums in technologies and strategies to ensure business could continue uninterrupted in the face of unexpected events, many failed to comprehensively plan for more extreme events such as terrorist attacks or large-scale natural disasters.
"In order to avoid tragedy, it is necessary to think tragically," Meyer, a former US Navy security expert, said.
Meyer pointed to the September 11 attacks in New York as a prime example. "Deutsche Bank lost a strategic office [in that attack] but the franchise survived because we had an evacuation exercise six months prior," he said.
Running regular exercises to examine extreme events is critical, he said. In one test last November, Deutsche Bank's trading desk was contacted by an extortionist and told that access to its systems would be switched off in five minutes, then resumed after half an hour, as a demonstration of technical capacity.
If the bank failed to pay US$500 million to the extortionist, all systems would be disabled within an hour and other payment details modified. DB's emergency processes handled the pseudo-attack, Meyer said, and such exercises helped provide valuable insights into process improvement and possible vulnerabilities.
Natural disasters can be equally threatening. The biggest risk on the bank's radar is the high likelihood of an earthquake in Tokyo. "We can't stop an earthquake, so we have to do our best to put organisational solutions in place to mitigate the effects," Meyer said. "Not addressing those would border on negligence."
One area many companies don't consider in their continuity plans is the role that partner organisations play. While Meyer is a fan of outsourcing -- "outsourcing represents tremendous potential for cost savings if done correctly" -- he noted that companies had to ensure all partners also had continuity plans. "If you're going to put all your eggs in one basket, you better watch that basket."
That was an interesting article, and perhaps a wake-up call for some of Australia's technology reliant companies.
Although we're not an international business based in New York, our company works with small, medium and corporates on Disaster Recovery Planning.
It really can be a complex journey towards disaster recovery, and there is no perfect end state after all the work!
Many businesses we come across believe DR is all around computers, internet connections, mail servers and equipment... however in reality it's only part of the planning process.
We focus on business processes, people, and then the equipment. At the end of the day, in a disaster scenario, it's all about who is available to carry on the business and with what tools.
In most cases, businesses can carry on with mobile phones and lots of paper.
For our larger customers, this still rings true.. at least until alternate data centre equipment can be brought on-line.
Even after September 11, it's surprising more Australian businesses are not heavily involved in DR planning.. well at least that's what we're seeing.
All the best.