Economic crises, criminal attacks, fires, natural disasters, pandemics: unexpected incidents hit every company. In these situations, effective emergency plans are necessary to recover quickly, get the business up and running again and minimise the losses. The biggest mistake is to underestimate the likelihood and the impact of such incidents, which is why business continuity is so important for companies. SMEs in particular, whose continued existence can be threatened by a crisis of any kind, are under more pressure to introduce and maintain business continuity management measures and recovery processes.
An Introduction to Business Continuity and the Importance of IT Continuity Management
The COVID-19 pandemic is the latest and best example of a disruption in which companies needed business continuity plans to swiftly switch to remote work, adjust supply chains or plan for recovery. According to the ISO 22301:2019 standard (a standard by the International Organization for Standardization (ISO)), business continuity describes the "capability of an organization to continue the delivery of products and services within acceptable time frames at predefined capacity during a disruption". This ISO standard further recommends a systemic approach to business continuity management via the establishment and maintenance of a business continuity management system (BCMS).
IT crisis or IT service continuity management (ITCM) aims at securing the IT structure in case of a disruption and forms an important part of business continuity management (BCM), because it provides the infrastructure for the entire business. Fundamental to BCM is a critical assessment and classification of the company's business areas and services. For each service, the company needs to determine how much reduction or elimination it can tolerate in an emergency, including essential infrastructure, IT systems, customer applications and communication systems as well as the staff and sites operating these. The services need to be prioritised, acceptable downtimes specified and budgets for preventive measures allocated accordingly. BCM sets the parameters for ITCM, while ITCM plans the availability and restoration in case of an incident. This means that companies must create multiple plans for all possible breakdown scenarios, covering reaction, coordination, recovery, and restoration. ITCM also includes managing the risks to the IT systems and infrastructure in advance. Effective contingency plans can reduce the costs of downtime immensely, improve business resilience and preserve the company's reputation.
A very recent example from Strasbourg illustrates the importance of BCM and ITCM: On March 3rd, 2021, one of the four data centres of the French cloud provider OVH caught fire and extensive amounts of data were destroyed. OVH had to shut down all centres, which caused a temporary breakdown of 3.6 million websites in various countries, including governmental domains and 1.9% of all ".fr" domains. Because many companies had not purchased the additional backup service in another distant data centre, their data was irretrievably lost.
BCM & ITCM - Challenging to Implement for SMEs
What can we learn from the disastrous incident mentioned above? Continuity management and resilience are extremely important. Companies, no matter what size, need to have a strategy for dealing with risks, for example where and how to host their data. However, small and mid-sized companies often face obstacles that prevent them from installing effective BCM and ITCM processes:
- Often, the reason is a lack of awareness. Companies underestimate the importance of emergency plans and the impact that an incident can have on different business stakeholders;
- This topic might also put companies outside of their comfort zone, as BCM confronts them with their biggest fears;
- The belief that SMEs' resources are too limited is still present in many organisations. Every new management system and process requires financial investment;
- A common mistake, resulting from a lack of understanding, is to consider too few, imprecise, and unrealistic scenarios. This can lead to being overwhelmed, a lack of focus, or a lack of action;
- Sometimes the process of installing BCM and ITCM plans appears too complicated. SMEs instead require step-by-step approaches that are easy to implement and maintain.
BCM & ITCM are Imperative for SMEs
The above example and numerous others show that well-functioning and well-maintained BCM is important for SMEs, too. Because SMEs mostly have simpler structures, the concentration of risk is much higher and, in case of an emergency, the losses will tend to have broader impacts on the business. Smaller companies in particular cannot afford the costs of too little resilience.
On the flipside, simpler structures are also the reason why the set-up and introduction of emergency processes is easier and thus less costly to implement. Moreover, the external pressure on SMEs to introduce BCM is rising. Especially after the global COVID-19 pandemic, larger companies are rethinking their supply chains, looking for more secure partners in closer proximity. New governmental regulations and rising global standards for BCM will compel SMEs to install adequate plans and measures as well. According to a 2018 report of the United Nations Office for Disaster Risk Reduction (UNDRR), the risk of climate-related disasters causing direct economic losses is increasing, calling for matters around BCM to climb up the strategy and risk management priority lists of companies.
Thus, more awareness of business continuity, its importance and IT’s role is urgently needed to prepare SMEs appropriately for the next crisis.
- Gadatsch, A. & Mangiapane, M. (2017): IT-Sicherheit, Wiesbaden 2017;
– in: Gadatsch & Mangiapane, 2017, p. 39
- Hensel, M. (2021): OVH-Großbrand hat gravierende Folgen;
– Storage Insider, Hensel, 2021: www.storage-insider.de | [Retrieved 29/06/2021]
- Holland, M. (2021): Cloud-Dienstleister OVH: Feuer zerstört Rechenzentrum, ein weiteres beschädigt;
– heise online, Holland, 2021: www.heise.de | [Retrieved 29/06/2021]
- International Organization for Standardization (ISO) (Ed.) (2019): ISO 22301:2019: Security and resilience – Business continuity management systems – Requirements;
– ISO, 2019, nr. 3.3.: www.iso.org | [Retrieved 29/06/2021]
- Kasulke, S. & Bensch, J. (2017): Zero Outage, Cham 2017;
– Kasulke & Bensch, 2017, pp. 122-124
- Kobeleff, J. (2020): Mit ITSCM für den Notfall gewappnet;
– Security Insider: www.security-insider.de | [Retrieved 29/06/2021]
- Rezaei Soufi, H., Torabi, S. A., & Sahebjamnia, N. (2019): Developing a novel quantitative framework for business continuity planning;
– in: International Journal of Production Research 2019, Vol. 57, Issue 3, pp. 779-800
- United Nations Office for Disaster Risk Reduction (UNDRR) (Ed.) (2018): UN 20-year review: earthquakes and tsunamis kill more people while climate change is driving up economic losses;
– UNDRR, 2018: www.undrr.org | [Retrieved 29/06/2021]