Investment in business continuity systems may be wasted
because companies are not willing to contemplate the most extreme scenarios, a
leading practitioner has warned.
Speaking at the Business Continuity Expo in London, Victor Meyer, global head
of business continuity management for Deutsche Bank, said that while most firms
invested considerable sums in technologies and strategies to ensure business
could continue uninterrupted in the face of unexpected events, many failed to
comprehensively plan for more extreme events such as terrorist attacks or
large-scale natural disasters.
"In order to avoid tragedy, it is necessary to think tragically," Meyer, a
former US Navy security expert, said.
Meyer pointed to the September 11 attacks in New York as a prime example.
"Deutsche Bank lost a strategic office [in that attack] but the franchise
survived because we had an evacuation exercise six months prior," he said.
Running regular exercises to examine extreme events is critical, he said. In
one test last November, Deutsche Bank's trading desk was contacted by an
extortionist and told that access to its systems would be switched off in five
minutes, then resumed after half an hour, as a demonstration of technical capacity.
If the bank failed to pay US$500 million to the extortionist, all systems
would be disabled within an hour and other payment details modified. DB's
emergency processes handled the pseudo-attack, Meyer said, and such exercises
helped provide valuable insights into process improvement and possible
Natural disasters can be equally threatening. The biggest risk on the bank's
radar is the high likelihood of an earthquake in Tokyo. "We can't stop an
earthquake, so we have to do our best to put organizational solutions in place
to mitigate the effects," Meyer said. "Not addressing those would border on negligence."
One area many companies don't consider in their continuity plans is the role
that partner organizations play. While Meyer is a fan of outsourcing--"outsourcing represents tremendous potential for cost savings if done correctly"--he noted that companies had to ensure all partners also had continuity plans.
"If you're going to put all your eggs in one basket, you better watch that basket."