Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email email@example.com
[ISN] Eye on Offshoring: Lessons From the Tsunami
From: InfoSec News (isnc4i.org)
Date: Wed Feb 23 2005 - 01:07:52 CST
Advice by Scott Warren
International Network Services Inc.
FEBRUARY 21, 2005
While government and relief agencies around the world continue to
funnel humanitarian aid to the victims of the Asian tsunami,
multinational businesses are scrambling to assess their exposure to
disasters of this sort, not just in terms of their own people and
facilities around the world, but also to the suppliers of services
they are ever more reliant upon. Businesses that have offshored
services to India, China and other distant locations must understand
the impact a natural disaster can have on their suppliers' facilities
and infrastructures just as clearly as they understand their own
vulnerabilities, and they must make plans to recover from any such
disasters, wherever they may strike.
Business continuity planning must be a critical component of all
offshoring initiatives. Whether a company uses a strategy of offshore
outsourcing or is simply a multinational with offshore facilities, a
well-defined and -tested business continuity plan is a must. A fairly
common question I hear during the development of such plans is, "What
is the likelihood of a natural disaster occurring that will
significantly disrupt our operations?" My response is always that
there is an exponentially greater potential for disruption from a
natural disaster in the developing world because of lower
building-code standards, a general lack of preparedness and less
mature business models. Recognizing this reality, companies must
ensure that their business continuity plans extend to include their
suppliers' facilities and infrastructures as well as their own.
The Asian tsunami is a stark example of the potential for widespread
devastation, particularly because of the incredible loss of life that
occurred. Unfortunately, many people have the impression that this was
a once-in-a-century event. While it's true that disasters on this
scale are rare, how many people can recall that in 1975 an earthquake
hit Tangshan, China, killing 242,000 people and severely damaging or
destroying 78% of its industrial buildings? Even putting aside such
colossal disasters, total yearly damage from accumulated smaller
events is far more than most people think. For instance, the
Philippines, on average, is struck by more than 20 typhoons per year,
resulting in significant physical damage and loss of life. Unless you
are very familiar with the Asian region, you would likely
underestimate the chance of a natural disaster disrupting your
Fortunately, initial reports indicate almost no damage to the Indian
Ocean undersea communications infrastructure, other than that part in
close proximity to the epicenter of the earthquake that triggered the
tsunami. Also fortunate were suppliers of offshoring services in
Chennai, India, such as Tata Group and Wipro Technologies, which
reported no damage to their infrastructures and no loss of personnel.
But several U.S. expatriates, many of who managed or held key
leadership positions in offshore facilities for U.S. and Western
European businesses, were killed. It's common knowledge within the
expatriate community (of which I was a member) that senior-level U.S.
executives in the region frequented the devastated locations. With
this in mind, a solid business continuity plan must also prepare for
the sudden loss of business leadership.
For the most part, companies that choose to offshore, in my view, tend
to be myopically focused on the lower cost associated with a given
country or geographic area to the exclusion of its ability to meet
Western standards for quality, safety, etc. Many governments also
offer economic incentives to companies that locate facilities in more
disadvantaged areas. As a result, companies that choose to offshore
must conduct more extensive due diligence and business continuity
planning. If your company contracts for offshore outsourcing services
today or plans to in the future, you need to sit down with your
provider and review its business continuity plan in detail. Start with
these questions, then build upon this list as it relates to your
* When was your business continuity plan created?
* What incidents and/or disasters are planned for?
* When was the plan last tested/updated?
* What are your plans for loss of employees and/or executives?
* Do you have an alternate business continuity site?
* What is the level of insurance coverage at the site?
* What are your plans to restore the primary site, and how long would
* Have you arranged for construction, support and IT services?
* Who makes the determination to move to the alternate site?
* Where is the alternate site, and how easy is it to get to?
* How will your employees travel to the alternate site?
* Will there be sufficient accommodations for you to visit the site?
* How is your communications infrastructure configured to support the
* How will our service-level agreements be affected?
* Will you need to augment your staff?
* Will you need to temporarily bring some services back to the U.S. or
to another location?
* What is the priority for restoration of services? (This is
particularly important because some companies negotiate a priority
for restoration. You need to know where you are on this list.)
One key lesson that should be taken from the tsunami tragedy is that
companies that use offshore services should develop a global strategy
across multiple suppliers. I always recommend to my clients that they
consider only global providers of offshore outsourcing. The advantage
of this approach is that they gain the ability to move services fairly
rapidly to other parts of the world when necessary.
Most U.S. and Western European companies have developed business
continuity plans to address natural disasters that occur locally. For
instance, most U.S. companies recovered rather quickly from the
multiple hurricanes that hit Florida this fall. U.S. firms should
apply the same due diligence to offshore suppliers, particularly those
in developing parts of the world. Failure to do so could result in
losses from a single event that far exceed the savings accumulated
over multiple years from lower costs. In this case, the old nostrum
"caveat emptor" was never more apropos.
Scott Warren is a consulting principal in the Irving, Texas, office of
International Network Services Inc., where he specializes in
offshoring. He lived in Asia for three years, has worked in 24
countries and has deployed IT to more than 200 countries.
Bellua Cyber Security Asia 2005 -