Compliance key to implementing business continuity, says survey
MUSCAT -- KPMG has held an Information Security and Business Continuity conference to present the findings of a survey carried out in Oman and the UAE. The event was held under the auspices of Sayyid Abdullah bin Hamad al Busaidy, Chairman of the State Audit Institution. The survey shows that a vast majority of companies are considering business continuity planning, driven by factors such as customer service, compliance and safety issues, with 57 per cent naming regulatory issues as a key concern.
However, the survey also shows that only 20-24 per cent of companies have an enterprise-wide security or continuity plan in place, with up to 50 per cent of companies confining continuity plans to the IT department and limited critical systems. Too many companies are still assigning responsibility for continuity and security to the IT department, rather than taking a strategic and enterprise-wide approach to leveraging their investments in these programs.
Only 12 per cent of companies currently have these functions reporting directly to the board, which is a common practice in leading global companies with robust security and continuity strategies. "Companies need to take a holistic approach when investing in their business continuity and information security programs to ensure that all areas of the business are covered, rather than addressing issues on a case to case basis," commented Rajeev Lalwani, Head of IT Advisory Practice for KPMG in the UAE and Oman.
"It can be hard to measure the results of spending on both security and continuity so organisations need to treat these issues as business issues and embed them in the larger context of risk management programs, policies and procedures. When it comes to information security, there is no point in investing in expensive security technology tools to protect your digital customer information if the same information remains unprotected in paper form."
Results show that companies need to rethink their security and continuity policies to keep up with the growing international trend to integrate security and continuity functions as part of a company's overall risk management policy and strategic framework, through implementing standards such as ISO 27001. At present, 86 per cent of the companies surveyed had not implemented a global standard. Of those that did follow the standards, 21 per cent did not cover the whole organisation.
Leading organisations leverage the strength of their information security and business continuity programs as one of the sources of strategic and competitive advantage. This is achieved through their real or perceived ability to provide continuous service and security and confidentiality of vital information assets. Interestingly, the survey also found customer service to be a key influencer in the decision to implement a business continuity management programme.
Other noteworthy findings from the survey show that a greater understanding is required of the need for geographic dispersion of disaster recovery sites. Most companies surveyed have, or plan to have, secondary recovery sites within the same city or location in which their business operates. This leaves businesses vulnerable in the event of a major disaster in that city or location.
The survey also reveals that organisations recognise people as one of their weakest links. Processes are left vulnerable due to human error, negligence, lack of awareness or even the lack of staff availability during a disruption. Investment in business continuity appears to be constrained, with a majority of firms spending in the lower end of the investment spectrum.
By Staff Reporter
© Oman Daily Observer 2007




















