Ensuring business continuity in Hong Kong
By Kenneth ChauIt's no fun to think about all the ways your business can be disrupted – hurricanes, tsunamis, snow storms, epidemics, earthquakes, tornados, terrorism, floods, fires, even relatively minor incidents like a failed water main or a planned event like an office relocation.
Hong Kong's risk profile is better than many of our neighbours – historically, we've escaped earthquakes and tsunamis, for example – but it would be foolish to think we are completely immune. Threats may be predictable (e.g. summer typhoons) or less predictable – remember the unexploded world war two bomb that caused evacuations of nearby buildings in Happy Valley in February?
Either way, this kind of sudden business disruption is the kind of thing that keeps business execs and IT leaders up at night.
The best remedy is a solid business continuity strategy you can count on to minimise the impact and keep your business running through thick or thin. I believe that local businesses should consider the following seven elements in formulating their business continuity strategy.
1. A clearly defined team
In an emergency, people shouldn't have to wonder who's in charge. Create a business continuity team with members in every part of your organisation, in every location where you operate. Even in a small place like Hong Kong, the threat profile is not homogenous: some areas may be more or less prone to disruption resulting from flooding or protest marches, for example.
The individuals in the team will lead the local response to local events as well as the organisation-wide response for both local and broader-based emergencies. They should stay involved in planning and testing throughout the year to keep the plan up-to-date and gain the familiarity they'll need to perform under the pressure of an actual emergency.
High-level support is crucial to make sure business continuity gets the attention and resources it needs.
2. A detailed plan
Think through the kind of disruptions that could occur in each place where you do business. Assume the worst, then figure out what you'd need to do to maintain your most important operations.
Rank your recovery priorities in business terms such as revenue, regulatory implications, brand concerns, customer protection – whatever matters most to your organisation – then map these to applications, people, facilities, and equipment.
For example, during Super Typhoon Vicente in 2012, the biggest issue for many companies was that employees could not get to work. Implementing appropriate flexible working policies and IT that supports remote access to apps and data would have enabled employees to work from home, avoiding lost productivity.
Once your business continuity team has come to an agreement on this analysis (which isn't always easy), it can start to identify recovery strategies and costs around each process.
3. Effective testing
An out-of-date or ineffective business continuity plan can be worse than none at all, giving you a false sense of security and leaving you to scramble when things go wrong. Review and update your plan at least once a year, and ideally more often than that, to reflect changes in your IT environment, business priorities, operational structure, and other factors.
There is a range of resources online – the HKSAR government's information security website (www.infosec.gov.hk) is a good source of tips for IT-related threats to business continuity, for example. Conduct full simulations at least annually as well, covering everything from application recoverability to crisis communications.
4. Crisis communications
Effective communications can make the difference between panic and smooth emergency response. Create a toolkit that encompasses the full range of communications channels, including telecom, email, public address, intranet, IM, texting, and the company website.
Draft sample emergency messages in Traditional Chinese and English in advance so they can be updated quickly during an actual emergency, and make sure you can deliver a consistent message to the public as well through press releases, social media updates, and interviews with spokespeople.
5. Employee safety
Nothing is more important than keeping people safe. Local agencies such as the Fire Services Department and Hong Kong Observatory can provide emergency response guidance for your program. Tailor your procedures to your workforce, facilities, and locations, and review and test them regularly with all employees.
6. Uninterrupted access to business resources
It's important to keep people working – not just to maintain productivity, but to protect data and make sure your customers aren't left hanging. Remote access technologies make it possible for people to work wherever it's safe and convenient, whether at home, in a hotel conference room, at a friend's house or anywhere else.
Organisations that already enable mobile workstyles are way ahead of the game here: Instead of having to get used to disaster mode as an entirely different way of working, people just keep using the same remote access tools they always do.
7. Continuous IT operations
Data centre continuity is the final element. Most large organisations already have more than one data centre for scale and redundancy. If one comes offline for any reason – planned or unplanned – people should be able to switch seamlessly to another to access the same apps and data.
Make sure your infrastructure can support this response in terms of rapid, automated failover, load balancing, and network capacity.