Robin Johansen, Beca Corporate Holdings: The real issues could be earthquakes and fires, but I'm much more focussed on people-initiated things - either maliciously or by accident - that take us out. The key is trying to identify those things which have the high probability of occurring and a big impact when they occur. You simply can't afford to have a set of everything sitting in the backroom in case, because you'll never use it before it becomes obsolete. So the planning has got to be around a lot of the things that are most likely to occur. What's the plan for agility - how are you going to deal with that? And even with that, the focus for us is going to be on the people who are going to put it right rather than the technology. Sure, it might be important to get additional servers and so on, but if you have had a natural event such as an earthquake, then the people who want to put it back together again have got to be focussed on putting it back together. It's a very complex subject and I don't think you can possibly predict with accuracy what is going to happen.
The key to success in my view is having the agility to meet anything that gets thrown at you.
Alan Mayo, The Warehouse: The distinction between BCP (business continuity planning) and DRP (disaster recovery planning) was always difficult. The question that always arises is you can't just do DRP, you need a BCP. I took the view we're just going to do the IT DRP first, being a subset of BCP, otherwise it just got too big on you.
Cathy Bennett, Russell McVeagh: Disasters - the events that interfere with the running of services - have tended to be more in the nature of loss of power to the floor that happened to have our server room ... We're also having the problem with centralising more and more services. This year we're going to be looking again at exactly what our IT plans are for getting essential services up and running after we have re-centralised so much more than we have in the past.
Paul Tombleson, Carter Holt Harvey: One of the greatest challenges that we face in business continuity planning should a disaster occur, is physically where do people go? We've got a lot of things in place to recover applications, to run in all the different data centres. But if a site is shut down, where do the people go? Is there a different place that they can locate to? You need to make sure that you have enough assets in that place. Are the pipes large enough in that place?
Also if they go home, do we use broadband and do we actually have the capacity to have 400 people sitting in their homes dialling in through broadband and being able to access all the applications and get all the things that they need to have? It is a real challenge also making the businesses understand the impact that that has.
Who's responsible for what?
Paul Tombleson: Right now every business is responsible for business continuity planning. They have to prepare for that. We have a person who has a risk role which goes through and ensures that businesses do have appropriate or reasonable plans in place.
David Bakker, IAG: We have a business function called business continuity planning, and it's not just IT. Business continuity is around people because we've got a lot of our business through call centres. What we've found is that it's actually easy for us to technically replicate a call centre, but what do you do if there are 300 people gone? Where does that work go? So there's the business continuity plan, and that's reviewed regularly.
We've got what we call our 'IT services continuity plan'. We have mapped what IT services support the business and there's a semi-formal process. We look at that quarterly and say, what's changed in our environment? What services have we added? What services have we deleted? What are the priorities? Can we still support the business continuity plan? We test it regularly.
The last one we actually did was November last year, and there was a simulation where we just said effectively one site's closed, and the people at that site actually had to go somewhere else to work. What we solved in that is that we're trying to push a lot of the continuity into the architecture. It's not a disaster recovery, it's how do you actually make the whole architecture resilient.
Robin Johansen: In our company, the business continuity is split into different functions. The network guys look after their part. Desktop guys look after their bit. We're just moving it up a gear because of the growth in the company and because of the centralisation push. We've got someone right now dedicated to doing this alone. They won't do that full-time but it is becoming an increasingly big burden. It's also not the most attractive job in the shop. Finding someone who actually wants to do business continuity planning is not an easy thing to do.
Para Ganesan, Transit NZ: It's been two years now that we started the whole concept of business contingency planning. We've got 12 offices around the country with seven regional offices and different satellite offices from there. We have Wellington as the main national office where 90 per cent of our systems are housed. First of all, we had to find a business contingency manager. It was nominated from a national perspective.
Each region has its own contingency person. Everybody started to look at systems for the core for business continuity. Then we stepped back and said hang on, there are whole processes involved, because the people that actually need to run the systems are not necessarily going to be available, so what is the process going to be without that expertise?
Since then, it has matured over the last 12 months to where each business owner can identify critical systems. To get that consultation through was actually quite difficult because explaining the nature of how a system actually works and the reliance on it, is quite challenging for people who never realised how much is actually involved in delivering the service that we actually do.
Alan Mayo: In the Warehouse, DRP very much sits in the IT department but BCP sits in the business. For a retailer, the disaster is not getting the products to the store and not being able to sell it.
So business continuity planning really has to sit in the business, because it really needs to be made by people who are responsible for moving the stock and making the money. It might be different in organisations where the major infrastructure is IT, and without physical movement of goods, but it might be horses for courses.
Peter Rosewarne, NZ Customs: A lot of organisations spend a lot of time on customer satisfaction skills and training and development, but what is lacking out there is training for when disasters strike and how they should behave in terms of keeping the business going ... For my part also, when a disaster does occur, that there is someone in control and in charge. Because if everyone is trying to control it their own way, it falls apart.
So having an incident response manager is absolutely critical. He makes the hard decision calls and also represents the business when he makes the call, even though he may be an IT person. I think CIOs are typically the right sorts of people [for this role] because their whole function in life is to understand the business and to develop system strategies that augment with the vision of the organisation.
Those sorts of people already have a system strategy. The wonderful thing about systems strategies is that anything can hit you but you don't rush away and change the strategy. It survives time. Problems don't. They come and go.
Peter Rosewarne: The other thing about business continuity is the ability to not lose any data when it occurs. Losing data is bad. You just can't afford to lose it. The second thing is knowing that if you've lost any data, what is the data you lost and are you able to restore it? ... The trick is [knowing] what data out there is important and finding that and retrieving that.
Para Ganesan: If you look at data management, 40 per cent of growth of data is actually from email, which is across organisations. We're no different than anybody else. We get 7500 email which become documents. As soon as it is written and delivered, it becomes a record. Information management around that is quite substantial. One of the biggest issues that organisations have is email is very silo to the individual.
Robin Johansen: This is one of the critical problems for us all, this management of data. It's policies, it's archives, who owns it, how much there is of it? The fact we've spent so much time on it here I think is indicative of the fact that we're all struggling with this element of business continuity.
Stepping into silos
Peter Rosewarne: It's very bad in any business continuity environment, where the organisational information based on data is in silos. I just cringe at the thought of people having these Access databases and these little homespun Excel spreadsheets.
Some of these people who think they know a lot about IT are developing these and they're running their business on it. So the first thing is to kill those things because they can't fit into a framework for business continuity ... You can have information dispersed everywhere but data has to be in one place, because a part of the business can have a little micro disaster recovery of its own, and guess what? IT can't help it out.
In an information system steering committee that represented a lot of people, not just IT, one of the early decisions we made was that we as a group owned the data. The second thing we decided was that any information that is in all these little mushrooms that people are using from Access and Excel databases, we would not regard as a true record. The central repository is actually king in the organisation, not the disparate data that flowed around the place.
Robin Johansen: If you haven't got a focus on the architecture and strategy, you are in serious trouble. No business continuity process in the world will save you from lousy architecture and lousy strategy.
The value of data
Peter Rosewarne: If the company goes into receivership, the stark reality of that situation is they will come in and they will look at the data to see what value is in it. Data can therefore be sold, so it's fundamentally an asset. It's one of the very few things that businesses actually have that can actually demonstrate and show appreciation.
You explain to them [staff] why it is important that when they are entering data into the system, that they are entering it with integrity in mind. If they put it in wrong at a data level it goes wrong at an information level, and it goes wrong at a decision level above that ... If you don't have that governance around the data sorted out, then your disaster recovery is a quagmire basically. It's the source of everything in terms of ownership, appreciation and business decisions in terms of strategic futures.
Peter Rosewarne: The other thing is that we, as CIOs, are going to face these problems in the next five to 10 years big time: The technology following people in their places of work, rather than them having to come back to the technology to perform their work.
The future around data is that it is going to be distributed. Form factors are going to get small, and DR is not going to be in data centres any more, not in 10 or 15 years' time. DR is actually going to be on every employee.
Robin Johansen: It does raise some interesting dilemmas. If you're involved in the RFID world, I think you'll see a lot of integrated local databases. It's just going to have all the information about any product anywhere and where it was delivered from.
Conceptually it's a great idea but I don't know whether it will happen. If it does happen, suddenly we become dependent on external sources of information we have no control over.
Robin Johansen: The problem I always run into is I go and ask my vendors what's your systems strategy going to be in five years' time in terms of your products and your services? I don't really get an answer, well not a good one, because for them it's all very fiscally driven. How often have we had vendors coming into our offices saying well we've got a solution that will solve your problem?
I say, well, tell me what my problem is, and they can't. So the responsibility in systems strategy and everything, is that the CIO needs to be able to articulate quite clearly to the vendor community where it's going, and not to rely too heavily on the vendor community to try and dictate to your business where it should go.
In New Zealand, there's too much of that going on at the moment and somewhere along the line it needs to be arrested. We give out our expectation and then we want people to be able to come and give us the solutions.
We're moving into a world where it's not so much about the old traditional model of, we customers have problems and vendors have answers to our problems by way of solutions. It's now moving into where customers have opportunities and we go to vendors looking for solutions.
Peter Rosewarne: I'm not getting the answers because these organisations are fiscally driven from year to year. In the last five years, we didn't have September 11. We didn't have all this legislation around EU and data protection and privacy. If there is one thing that is happening that's consistent, it's change, and it's going to happen in our space.
For me the only thing that is going to be able to sustain it is the systems strategy or organisational kind of strategy that actually is able to think robust enough. I'm having difficulty with vendors actually coming on board aligning with my thinking, and that's why I say it's up to us en masse to actually dictate to the vendor community.
Reliance on third-party providers
Robin Johansen: We've become very, very dependent on data communications. That's outside of our direct control. There's a whole lot of utilities out there of which we have no control, who are not prepared to commit to any levels of service or plans in the event of disaster.
Cathy Bennett: That's just going to evolve further and further. We already have that reliance on other utilities. Water - take the water away and how many of our businesses would continue to operate as they do? Power? Communications is the same now. Data will be the same in a few years because data will be a utility.
Paul Tombleson: It is a struggle at times. We're trying to do much more around partnering with our vendors, and we are getting some success from that but you know they are quite fiscally driven. I'd say that with the likes of the telecommunications, we are seeing more interest from them to do more things, to partner with us more than they have in the past rather than just to give us services.
Even though the Microsofts and the Oracles are trying to work proactively with us, one of the concerns is that as we determine what our strategy is going out in five years' time and beyond that, how can we avoid being actually tied in to a strategy of our vendors? We want to be able to keep that flexibility.
In the panel:
David Bakker, IT and T strategy and architecture manager, IAG New Zealand
Cathy Bennett, chief information officer, Russell McVeagh
Para Ganesan, IS operations manager, Transit NZ
Robin Johansen, chief information officer, Beca Corporate Holdings
Alan Mayo, group IT architect, The Warehouse
Peter Rosewarne, MIS manager, New Zealand Customs
Paul Tombleson, general manager IT and corporate services, Carter Holt Harvey
Hosting & Datacentre Services (HdS) kindly sponsored this roundtable on business continuity planning.
The next MIS roundtable discussion with CIOs will tackle corporate governance and IT.