Investment in business continuity systems may be wasted because companies are not willing to contemplate the most extreme scenarios, a leading practitioner has warned.
Speaking at the Business Continuity Expo in London, Victor Meyer, global head of business continuity management for Deutsche Bank, said that while most firms invested considerable sums in technologies and strategies to ensure business could continue uninterrupted in the face of unexpected events, many failed to comprehensively plan for more extreme events such as terrorist attacks or large-scale natural disasters.
"In order to avoid tragedy, it is necessary to think tragically," Meyer, a former US Navy security expert, said.
Meyer pointed to the September 11 attacks in New York as a prime example. "Deutsche Bank lost a strategic office [in that attack] but the franchise survived because we had an evacuation exercise six months prior," he said.
Running regular exercises to examine extreme events is critical, he said. In one test last November, Deutsche Bank's trading desk was contacted by an extortionist and told that access to its systems would be switched off in five minutes, then resumed after half an hour, as a demonstration of technical capacity.
Under the exercise scenario, if the bank failed to pay US$500 million to the extortionist, all systems would be disabled within an hour and other payment details modified. Deutsche Bank's emergency processes handled the pseudo-attack, Meyer said, and such exercises helped provide valuable insights into process improvement and possible vulnerabilities.
Natural disasters can be equally threatening. The biggest risk on the bank's radar is the high likelihood of an earthquake in Tokyo. "We can't stop an earthquake, so we have to do our best to put organizational solutions in place to mitigate the effects," Meyer said. "Not addressing those would border on negligence."
One area many companies don't consider in their continuity plans is the role that partner organizations play. While Meyer is a fan of outsourcing--"outsourcing represents tremendous potential for cost savings if done correctly"--he noted that companies had to ensure all partners also had continuity plans. "If you're going to put all your eggs in one basket, you better watch that basket."