Business continuity (BC) is not yet fully understood by most large Middle East enterprises, and is often confused with its cousin disaster recovery (DR). With the current state of affairs, the region might have to wait for a couple of years for large-scale adoption of BC processes
The achievement of perfect business continuity (or something as close to it) remains one of the elusive elements that most large enterprises look for. In an effort to ensure that the business continues – regardless of any natural or man-made disaster – most organisations in developed markets have constantly invested in technologies and redundant centres, along with processes, for some time now.
In the Middle East (qualify as it does as an emerging region) the concept is well understood, but adoption levels remain low.
“It is the amount of dollars you are prepared to spend in the event that your business is put at risk due to, for example, a disaster or an interruption in service. However, do many Middle East enterprises understand and implement BC as much as they should? The answer is no. BC as a “business continuity strategy”, not as an “IT continuity strategy”. This is where many organisations fail when implementing BC strategies. They tend to focus on the latter and often fail to consider the complete
business impact of a disaster or outage,” says Steve Bailey, regional operations director at Commvault.
“In terms of understanding BC, there is a basic to medium level of awareness in this
region, and when it comes to implementing BC, almost all enterprises are faced with the challenges that I have mentioned earlier and eventually some of them end up using traditional or manual methods for BC that usually expose them to higher risks,” adds Hussein Mognieh, CA Technologies channel manager in the region.
Little understood as it might be in the region, the concept of BC comes with its own set of challenges and some of these can be peculiar to the Middle East.
“Businesses and organisations that are implementing key business continuity solutions are faced with both external and internal challenges. These external factors
include the soaring temperatures, firewall breaches and virus attacks along with natural disasters like earthquakes. Meanwhile, internal challenges include machines or equipment failure, fire and manpower availability or the lack of it. These challenges are the ones that are most likely to happen, resulting in small but frequent downtime if not attended to properly,” says Vipin Sharma, VP at MEACIS sales at TrippLite.
He continues, “The main challenge though, is to identify all possible threats, regardless of size, as they may cause major repercussions in operations. Power is one factor wherein the need to be constantly monitored is essential. The quality of power should be monitored constantly, which means if the power is not good then it might
cause the breakdown of key equipment and drive in unwanted downtime costs.”
Feras Al Jabi, GM at ITQAN says, “I believe the main challenge is to be able to allocate the budget to invest in implementing BC plans, especially with the current economic climate. Organisations are investing in core business related requirements, rather than investing in BC and preventive actions. In certain organisations, the internal capacity and resources, data connectivity speed / bandwidth is another challenge. And the maturity of the data centre concept in certain countries in not at the same level we have in the UAE.”
“A key challenge that the region faces is its size. IT DR sites are usually recommended in a separate seismic zone far from the primary site, but in the Middle East, with many smaller independent territories, identifying a suitable DR site is a key issue that enterprises have to address,” adds Girish Dani, business head for security services at Tech Mahindra.
“Through our experience in establishing business continuity management systems for enterprises in the UAE, we have noticed different common challenges as follows obtaining management buy-in and approval for business continuity arrangements, assigning roles and responsibilities to suitable employees, maintaining the business continuity management system, documenting and executing the management system processes and enforcing policies and integrating business continuity with other existing management systems,” says Ali Alamadi, principal consultant at helpAG.
“The biggest challenges for an organisation during BC implementation is stakeholder commitment, agreeing on strategies and coordinating with different teams. These issues are typically seen because the responsibility towards BC initiatives is a part-time activity as compared to primary responsibilities. So top priority may not be proportionately assigned to the BC initiatives though it is critical to an
organisation. One way to combat such issues is to include these responsibilities as part of the performance appraisal system as an individual’s goals. Another way is for it to be managed well by the BCM head by providing tools, templates, relationship and knowledge to users. Regular meetings between top management and department heads on BC initiative also help in the progress on the journey. These are some of the challenges faced by the BCM head on an organisational level,” says Mohamed Rizvi, manager of information security and advisory services at eHDF (eHosting DataFort).
Commvault’s Bailey states, “The typical challenges when addressing the question
of BC would be a lack of resources and difficulties in obtaining senior management support and input. However, in the majority of the organisations which have developed business continuity plans (BCP), it is typically an activity led by the IT department, with the result that the business continuity plan is mainly seen as an IT activity.”
He continues, “many process owners fail to realise the fact that not all processes are
mission critical or critical for an organisation to survive and it is often a daunting challenge for CIOs and IT heads, who have been forced to don the mantle of BCP leader, to assure the business and process owners that prioritising of processes does not make those with longer recovery time objectives (RTO) redundant or of less importance than those with quicker RTOs.”
“Another problem that I perceive is that when IT people don the business continuity
hat, the program tends to go off on a tangent towards being ‘information continuity. There is no doubt that information in today’s age is a key to success, however information availability alone is of little help if people are not available to access and use it during an incident or crisis,” Bailey adds.
Along with other experts he agrees that the nature of the workforce in the region can create its own set of issues related to pure human factors and restricted communication.
A step at a time
Challenges there might be, and the Middle East as a whole might still be a newbie to the area of BC, but experts also point out that the situation is much better than it was even five years back.
“We’ll easily find a vast difference when we try to compare the current situation to what it was five years back. Enterprises nowadays generally understand the risks of not having a proper BC solution in place and hence they have invested more in providing their technical teams with as much resources as possible to have the proper exposure to solutions and a sufficient technology awareness to keep up with the daily challenges,” says Moghnieh.
“There has definitely been an increase in the overall awareness for the need for business continuity and IT disaster recovery. Some of the recent events such as the political unrests and adverse weather incidents including the cyclone in Oman have accentuated the need for enterprises to have clearly defined and implemented strategy for BC,” says Dani.
However, enterprises that are investing in BC should make efforts to follow international best practices and processes in order to gain efficiencies out of it.
“Before implementing a BC solution ,an organisation needs to plan for one. At the most basic level, Business Continuity Planning (BCP) can be defined as an iterative process that is designed to identify mission critical business functions and enact policies, processes, plans and procedures to ensure the continuation of these functions in the event of an unforeseen event. All activity surrounding the creation, testing, deployment, and maintenance of a BCP can be viewed in terms of this definition,” says Bailey.
CA’s Moghnieh states, “Every organisation uses a different topology and structure in their IT environment, but the main process is as follows: first, understand an organisation’s pain points and the organisation’s expectations regarding ROI, RPOs and RTOs. Secondly, allocate the budget to be invested in the project. After that comes the stage of involving the vendors with proven success stories that are similar to their requirements to conduct Demos and/ or POCs to prove that their solutions do what they say on the box. After that it becomes clear to the organisation which vendors to select and how to move forward.”
“The British Standards Institution (BSI) has released a new independent standard for business continuity processes. The BS 25999-1 extends to organisations of all types, sizes and missions, whether they are government or non-government, profit or non-profit, large or small or coming from any industry segment. Based on these standards, business continuity should start with analysis, followed by solution design and then the implementation of the solutions. The implementation phase will also cover the running of tests to make sure that the desired outcome is achieved, which is followed by the acceptance of the organisation,” says Sharma.
He adds, “After all these initial stages are followed, the most important part is next, which is maintenance. Maintenance of a business continuity manual is broken down into three periodic activities. The first activity is the confirmation of information in the manual, roll out to all staff for awareness and specific training for individuals whose roles are identified as critical in response and recovery. The second activity is the testing and verification of technical solutions established for recovery operations. The third activity is the testing and verification of documented organisation recovery procedures. A biannual or annual maintenance cycle is typical.”
Knowing the processes is very different from implementing them and getting them to work for you within your organisation. Awareness campaigns around the Middle East will help enterprises understand and implement BC in a more effective manner. However, with the pangs of the recession still being felt, vendors are not rushing to create awareness campaigns, and the entire concept of BC in its full awareness and understanding might have to wait to be adopted on a larger scale in the region.