http://www.computerworld.com/securitytopics/security/recovery/story/0,10801,99756,00.html Advice by Scott Warren International Network Services Inc. FEBRUARY 21, 2005 COMPUTERWORLD While government and relief agencies around the world continue to funnel humanitarian aid to the victims of the Asian tsunami, multinational businesses are scrambling to assess their exposure to disasters of this sort, not just in terms of their own people and facilities around the world, but also to the suppliers of services they are ever more reliant upon. Businesses that have offshored services to India, China and other distant locations must understand the impact a natural disaster can have on their suppliers' facilities and infrastructures just as clearly as they understand their own vulnerabilities, and they must make plans to recover from any such disasters, wherever they may strike. Business continuity planning must be a critical component of all offshoring initiatives. Whether a company uses a strategy of offshore outsourcing or is simply a multinational with offshore facilities, a well-defined and -tested business continuity plan is a must. A fairly common question I hear during the development of such plans is, "What is the likelihood of a natural disaster occurring that will significantly disrupt our operations?" My response is always that there is an exponentially greater potential for disruption from a natural disaster in the developing world because of lower building-code standards, a general lack of preparedness and less mature business models. Recognizing this reality, companies must ensure that their business continuity plans extend to include their suppliers' facilities and infrastructures as well as their own. The Asian tsunami is a stark example of the potential for widespread devastation, particularly because of the incredible loss of life that occurred. Unfortunately, many people have the impression that this was a once-in-a-century event. While it's true that disasters on this scale are rare, how many people can recall that in 1975 an earthquake hit Tangshan, China, killing 242,000 people and severely damaging or destroying 78% of its industrial buildings? Even putting aside such colossal disasters, total yearly damage from accumulated smaller events is far more than most people think. For instance, the Philippines, on average, is struck by more than 20 typhoons per year, resulting in significant physical damage and loss of life. Unless you are very familiar with the Asian region, you would likely underestimate the chance of a natural disaster disrupting your supplier's operations. Fortunately, initial reports indicate almost no damage to the Indian Ocean undersea communications infrastructure, other than that part in close proximity to the epicenter of the earthquake that triggered the tsunami. Also fortunate were suppliers of offshoring services in Chennai, India, such as Tata Group and Wipro Technologies, which reported no damage to their infrastructures and no loss of personnel. But several U.S. expatriates, many of who managed or held key leadership positions in offshore facilities for U.S. and Western European businesses, were killed. It's common knowledge within the expatriate community (of which I was a member) that senior-level U.S. executives in the region frequented the devastated locations. With this in mind, a solid business continuity plan must also prepare for the sudden loss of business leadership. For the most part, companies that choose to offshore, in my view, tend to be myopically focused on the lower cost associated with a given country or geographic area to the exclusion of its ability to meet Western standards for quality, safety, etc. Many governments also offer economic incentives to companies that locate facilities in more disadvantaged areas. As a result, companies that choose to offshore must conduct more extensive due diligence and business continuity planning. If your company contracts for offshore outsourcing services today or plans to in the future, you need to sit down with your provider and review its business continuity plan in detail. Start with these questions, then build upon this list as it relates to your specific industry: * When was your business continuity plan created? * What incidents and/or disasters are planned for? * When was the plan last tested/updated? * What are your plans for loss of employees and/or executives? * Do you have an alternate business continuity site? * What is the level of insurance coverage at the site? * What are your plans to restore the primary site, and how long would it take? * Have you arranged for construction, support and IT services? * Who makes the determination to move to the alternate site? * Where is the alternate site, and how easy is it to get to? * How will your employees travel to the alternate site? * Will there be sufficient accommodations for you to visit the site? * How is your communications infrastructure configured to support the alternate site? * How will our service-level agreements be affected? * Will you need to augment your staff? * Will you need to temporarily bring some services back to the U.S. or to another location? * What is the priority for restoration of services? (This is particularly important because some companies negotiate a priority for restoration. You need to know where you are on this list.) One key lesson that should be taken from the tsunami tragedy is that companies that use offshore services should develop a global strategy across multiple suppliers. I always recommend to my clients that they consider only global providers of offshore outsourcing. The advantage of this approach is that they gain the ability to move services fairly rapidly to other parts of the world when necessary. Most U.S. and Western European companies have developed business continuity plans to address natural disasters that occur locally. For instance, most U.S. companies recovered rather quickly from the multiple hurricanes that hit Florida this fall. U.S. firms should apply the same due diligence to offshore suppliers, particularly those in developing parts of the world. Failure to do so could result in losses from a single event that far exceed the savings accumulated over multiple years from lower costs. In this case, the old nostrum "caveat emptor" was never more apropos. -=- Scott Warren is a consulting principal in the Irving, Texas, office of International Network Services Inc., where he specializes in offshoring. He lived in Asia for three years, has worked in 24 countries and has deployed IT to more than 200 countries. _________________________________________ Bellua Cyber Security Asia 2005 - http://www.bellua.com/bcs2005
This archive was generated by hypermail 2.1.3 : Wed Feb 23 2005 - 00:40:41 PST