Select Committee on Defence Minutes of Evidence


Examination of Witnesses (Questions 740 - 759)

WEDNESDAY 10 APRIL 2002

MR JOHN SHARP, MR DAVID GAMBLE AND MR PAUL WOOD, MBE

Chairman

  740.  Can you give us an example—and you can choose the size of company—where they do everything that you advise them to do, they are well into this, of how much this would cost?
  (Mr Sharp) Yes!

  741.  I do not have the slightest idea. I imagine that having alternative premises, their computers being shunted off by way of reserve, additional staffing, better security. All this must be a bar to people taking it seriously?
  (Mr Sharp) One of the major international banks did a presentation at a conference last year and they had looked at how much they needed to invest and it came down to how much could they afford to lose and for them it was two days' trading. In the securities industry two days' trading for a major—
  (Mr Wood) I would not want to put a specific figure on it at all because I am not fully aware of what the bottom line impact is from our perspective. I can perhaps go away and look and come back to see whether we can, but I think that you are correct in assuming that if you are going to take this seriously and you are going to have an alternate site—and there are different standards of that alternate site, are you going to have it fully prepared and ready so that you have an instant switch over or are you going to have it "warm" so there is the "hot" and the "warm" and "solutions"—are you conscious of where that is and how you are going to get your staff to it? Are you thinking about the back-up processes of the data? Are you thinking about the physical security of that site? Then you have got to think about what is the percentage of your organisation that you are going to put into there and, in addition, what are you going to do with the rest because you cannot replicate everything that you do. It is just not practical to do so and it is not cost effective at all. It all comes down to a cost judgment on what is the big impact on your critical operations and therefore what are you prepared to budget out to make sure that you can sustain your operations for the period of time that you feel you are going to be out. What 11 September has also shown us is that historically we probably thought about a 72-hour scenario. I do not think that is realistic any longer and we need to think much longer than that.

  742.  72 hours where your business is not operating?
  (Mr Wood) Where your business is not operating and when we would start to recover and then we would look for up to three months of recovery. If you take a serious incident like we have had in London before which ripped out the centre of your infrastructure, you need to be thinking much longer than just three months. The other issue is that there is not a never-ending supply of these facilities and these operating areas where you can have these hot centres or warm centres. Inevitably in the financial sector we are in a very, very short square mile and something happening there is likely to impact on all of us and many of us would be looking to use the same sort of facilities. That is where the issue starts to come as well. You have to be thinking about those things and about where you are going to locate your alternative facilities.
  (Mr Sharp) There is some experience from Deutschebank in New York who have effective continuity processes in place. It is a question of what elements you need to get up in what time. Within two and a half minutes of the first aircraft striking they were backing up their data. In two and a half hours their first back-up sites were working. They have 1,400 seats of their own off site and they then moved people progressively over two or three days into those sites. So that was a very, very slick operation. If we think of Cantors who lost 700 people, in 48 hours they were trading again.
  (Mr Wood) But to the other extreme where some lost everything and who did not recover and will not recover and others where they were given a lot of mutual support, which is another option which can be considered. Certainly we provided for some of our sister companies' services and facilities in our own main buildings because we were fortunate enough to have our major operations in Stamford, Connecticut so well away from the central downtown Manhattan location.

  743.  If there is anything that you want to say which is really sensitive, can I just say that we will do it properly. If there is something you think is really important that you do not want to end up in the record then keep it until the end and we will formally go into private session. Obviously some of the stuff you are saying is quite sensitive.
  (Mr Sharp) The investment really comes down to the impact. There is one bank here in the UK site that clears a trillion dollars a day. 72 hours is not soon enough; they have to be operating within two.

  744.  Is that physically possible?
  (Mr Sharp) Yes, they have done it because they have alternative sites, they have warm desk facilities.
  (Mr Wood) We would be able to cut over within two hours. We have a safe almost replicated site so our data is live in both areas. We would move our staff there very quickly—if we still have our staff; and that is the issue.
  (Mr Sharp) The implications if these organisations cannot do that are serious not just for the organisation, they are serious for the country's infrastructure and probably the international financial infrastructure.
  (Mr Gamble) There is another cost which I heard. At least one of the major banks at Canary Wharf has decided not to take the whole of the building and has moved at least half of its staff elsewhere so they now have an additional cost compared to what they were planning but they have decided that that is a more sensible way to operate.

Mr Cran

  745.  Not unnaturally, quite a lot of what you have had to say is related to financially orientated companies and I can very easily see why the City of London and New York would be thinking very carefully about what they should do in terms of risk management. Are any of you able to tell me whether the rest of British industry is taking it as seriously as the financial sector?
  (Mr Sharp) If we turn to the retail sector, two of our leading supermarkets are taking it extremely seriously. One of them, and it is on public record, Sainsbury's, was able to handle both the fuel crisis and the foot and mouth crisis because they had effective continuity in place and were able to build up to Christmas levels of stocking in three days and maintain that stock with no fuel supplies or limited fuel supplies. They had plans and processes in place because they are a critical infrastructure and the Millennium created a lot of awareness in people's minds.

  746.  If I took the top 100 companies in the United Kingdom, would you say to me that all of them are taking this subject that we are talking about now as seriously as you have suggested or I think you have suggested?
  (Mr Sharp) They are not all taking it to such a depth as some of them are.
  (Mr Gamble) But they are all taking it seriously. Some of them are spending a great deal of money on it. Chief executives are now very aware that if they are found wanting in terms of business continuity it will not just affect their share prices, it may well affect their position.

Chairman

  747.  I will not use the word profit disparagingly but who does profit from what is happening? Who gains? The companies who are putting up the alternative buildings? Who else?
  (Mr Sharp) It is an interesting point.

  748.  Risk managers? Disaster recovery managers?
  (Mr Gamble) The risk managers certainly do not. The brokers might but not the risk managers.
  (Mr Sharp) There are companies that provide the back-up type sites. They clearly have seen an increase in demand, although that industry is interesting because it is concentrating down. At a time when you think demand would be increasing we are seeing them merging and concentrating, but that is by the very nature of how that business is done. The consultants found it very, very quiet, surprisingly, after 11 September and it has taken six months for people to realise the depth of what they need to do in an organisation and they are now turning to the consulting sector to ask for help. In the end it is going to come down to organisations trying to bring in a culture where within the organisation people recognise their vulnerabilities and then looking to see what they can do to protect themselves and that is where the benefit is going to be within companies as people get new opportunities.

Mr Cran

  749.  Just so I understand this, in the scale of awareness, where are we?
  (Mr Sharp) If I look at the figures from this research again of all companies, 45 per cent had business continuity plans. That was across all sizes of companies. We know that some of them when we asked them, "Do you have a business continuity plan?" will take an IT disaster plan as being their business continuity plan.

  750.  But you would have to look behind those figures and that research? I do not know anybody else's experience around here but mine is that organisations are very easily able to deceive themselves about what they are actually doing when in fact they are doing something else.
  (Mr Wood) It comes back to that point we spoke of earlier about rehearsal. Having the plan sitting there gathering dust is one thing but putting it into practice and showing that it works is another. I suspect that National Air Traffic Services are doing that today with the failure of the host computer system, but again they have good resilience built in and they know that they can change the system over and operate it manually and that is all part of their contingency planning. Those who know that it is going to impact the bottom line and that it is going to cause significant disruption to the community probably take it more seriously than small to medium-sized enterprises where they really have not felt an impact yet or have not been directly affected by some kind of disaster.
  (Mr Sharp) What we are seeing is that the customers of organisations are now beginning to demand evidence of continuity so the major companies are now asking their suppliers "can you supply evidence of continuity?" The issue we have got is that the current method that has been used to audit has been very much, "Do you have a business continuity plan?" "Yes", tick. That does not mean to say it is going to be effective and again it is unrehearsed. We know that only 25 per cent of people are testing their plans every 12 months which is the minimum recommended. There are some very major organisations who are reluctant to go for a full invocation test. It is expensive, troublesome and in real live systems it is not always easy to do. One that I have experience of has demonstrated they can do it internationally and do it effectively and that is how they are able to recover in two hours—because they know it will work. It is not just major business. You may not be aware but HEFC, the Funding Council for Higher Education, is now requiring business continuity plans to be in place by universities and the Charity Commissioners are asking for risk management and continuity plans as well, so it is spreading beyond plc companies.

  751.  The question I asked you was about the scale of where progress had been made and you did not really answer it. What I think I am getting from you is there is quite a lot of good work going on, awareness has been raised, and so on and so forth, but there is a way to go yet.
  (Mr Wood) I think we are still at the bottom end of the curve.

  Mr Cran: Thank you, that is what I wanted to hear.

Chairman

  752.  Is there a subdivision of resilience or something else whose sole rationale is providing advice, consultancy, buildings, additional computers, etcetera? How many companies are operating in this field?
  (Mr Sharp) I can provide you with evidence of the sort of things although I have not got that with me, but, again supported by the DTI, we are issuing a directory of all companies that are able to provide those type of services because there is a need for us to be able to lock into it. The number of companies that are providing disaster recovery and workplace recovery for the IT side is shrinking and we probably have about five major companies in the United Kingdom.
  (Mr Wood) I suspect there are five main players. Another issue here is coming back to the point I made about several of us looking to share the same facility at the same time which is causing some of us to think about having our own dedicated facility and therefore perhaps buying into space and, in addition, in fairness there has been a demise of the dot-com companies that has made it possible for us to buy cheaply data centres, an opportunity that perhaps was not there before.

  753.  Why should the number of companies be declining when the threat is increasing?
  (Mr Sharp) It is the nature of how the business operates in that you contract space for an annual payment and you share that space with other people, so it is a question of sharing the risk. A lot of the finance that was put in place for these organisations was put in place when the interest rates were very high and therefore the cost of that space is high and costs are important and therefore people are holding back on the number of seats that they take and so on.
  (Mr Wood) There is also the issue that we are no longer reliant on big, mainframe systems and therefore we have got more diversity available to us. We have got smaller, digital systems and much more ability to connect in somewhere else and we are also seeing examples of more homework and different ways of operating.

  754.  Could people just go home to their constituencies as parliamentarians do?
  (Mr Wood) As long as the main service systems from an IT perspective are there, although there is a capacity issue that comes with that.
  (Mr Sharp) Can I make one point. It is not just about IT. For example, you mentioned people, there are organisations who can help with interim management. When people have suffered a traumatic effect, trauma counsellors can go in and help people to help get back productivity. There are mail room recovery facilities for if you lose your mailing facilities, logistic companies who supply transport facilities. There is a need to cover the whole range of business and how do you find alternative facilities at short notice that can come in and help to repair and recover the business. It is not just IT, it is a very broad spectrum. When I provide you with the list you will see exactly what I mean.

  755.  We are in a profession where there are possibly millions of people who think they could step in to do our job. I do not think there is the slightest problem of the House of Commons needing resilience planning. You would just shout, "Who wants to be an MP?" And some might add they could do it a damn sight better than we are doing it. Syd?

Syd Rapson

  756.  You have said that there are some companies that are well prepared and a lot of other companies, 45 per cent or whatever it is, have said they are getting prepared as well but, to quote Mandy Rice Davies, "They would say that, wouldn't they?" I think it is more realistic to think that only the large companies would ever get involved in this and the others never will.
  (Mr Gamble) But the large companies have also got suppliers so they will be putting pressure on their suppliers, as happened particularly on Y2K, to make certain that their entire supply chain is supported.

  757.  And that is sufficiently powerful enough to force them to do that?
  (Mr Gamble) Yes.

  758.  It must be very expensive to have preparations when you are an SME looking at cost and thinking "I would rather go out of business."
  (Mr Sharp) It does not have to be expensive, it is just a question of thinking the what ifs. If you think about how quality came in, it came because of pressure from major customers and it is that type of approach that is now occurring. The survey showed that customers and potential customers are now asking for continuity. I think this is where DTI and others have a role to play to ensure that good practice is promulgated and people then understand how they can do this and we are prepared as an Institute to play our role. The whole of our infrastructure is based on small and medium companies, local government operations more and more have out-sourced operations or in partnership with volunteer organisations who are delivering their social service responsibility. We need to try to encourage continuity in local government because otherwise they will not be able to meet their mandatory obligations.

  759.  If I can use the term the monetary industry, that is a generic term, the industry recognises the critical points, the nodal points of communication and you mentioned NATS and we had a session some time ago that frightened us to death at how unprepared NATS were. Would they recognise all the critical parts of the business that they are in? Would it be helpful if central government was to identify where the most crucial points and operations and sectors are to help them?
  (Mr Wood) Very much so. I think that central government has a key role to play in that particular area and sphere of identifying what is critical. A good example of that is probably telecommunications where we can build in whatever resistance and redundancy we want into our computer systems and our means of communication and we will probably opt for a couple of diverse routes, one going out one way and one going out another, from an institution but we are actually lost when they both come together at the local telephone exchange and that is where the critical node is and we are not able to readily get advice on that from central government. There is as part of what was the old key point protection solution those sorts of things. I am just careful about what I can say here. Those issues are there and that is available but I think it needs to rethink and focus. It was primarily focused on the defence of the UK and I think we need to perhaps refocus that sort of infrastructure and support and make that more widely available to the private sector so that they can understand the impact beyond their immediate boundaries.


 

© Parliamentary copyright 2002
Prepared 24 July 2002