Business continuity should no longer be considered a tedious task.
Given that eight out of 10 businesses without a tried and tested
continuity plan suffering a major interruption to business go out
of business within a year of suffering that disaster, this is no
surprise.
Business interruptions have cost the UK an average of £3.04bn each
year for the past seven years.
According to Richard Waterer, marketing manager at business
continuity specialist Adam Associates, business continuity
management can best be defined as 'the ongoing process of ensuring
the continual operation of critical business processes through the
evaluation of risk and resilience, and the implementation of
mitigation measures'.
Waterer points out Adam Associates (www.adam.co.uk) core
disaster recovery business does not cover AS/400 direct, although
'a lot of the business continuity planning we do for clients
involves making decisions on this technology, where it is
considered critical'. Business continuity is about the business of
survival. IT and telecom (eg mobile phone) theft is increasing.
Where once it was silicon chips that were highly sought after,
today the thieves' attention focuses on complete workstations. The
Association of British Insurers estimates the value of IT theft at
£600m per year in England alone.
'Any event, no matter how small or seemingly trivial, has the
potential to constitute a threat to a company's survival,' says
Waterer. 'Anything which stops a company operating at its expected
level has to be considered a disaster.'
Business continuity demands total commitment at board level, the
dedication of key individuals in a company, assistance from
business continuity specialists, and an enthusiastic and informed
staff to execute all the necessary processes. Minimising risk plays
a vitally important part in the overall scheme too. Risk has to be
addressed at the outset, and allowed to influence all future
planning.
Safetynet (www.safetynet.co.uk) has been operating for 15 years,
and has notched up over 190 invocations and averted 1,510 standbys.
All invocations were successful. It's got pole position on the
AS/400 grid (it recently forked out over £500,000 for two of the
largest AS/400 Risc processors).
Success seems to know no bounds. The company has been picking up
scattered laurel wreaths. In a recent IDC report on levels of
satisfaction with business continuity services providers, Safetynet
scored the highest customer satisfaction rating (4.8 out of a
possible 5.0), ahead of the likes of IBM (4.7), Hewlett-Packard
(4.5), Guardian (4.1), Comdisco (4.1), Compaq (4.0) and SG-RS
(4.0). IDC surveyed business continuity users across the UK,
France, Germany and the US.
Safetynet md Paul Barry-Walsh says: 'Business continuity has
been regarded as a niche interest for too long. Turnbull has made
it a board level concern, and we are working to ensure UK
organisations understand how business virtually protects not just
IT and operations processes, but also reputation, share, and brand
values.'
The Turnbull report - 'The combined code of corporate
governance' - was published last October by the Institute of
Chartered Accountants of England & Wales to the Stock Exchange
(available for £7.50 from 020 7920 8841). The report requires
companies to put in place controls to manage financial risk, and
non-compliance with Turnbull has to be disclosed in company
reports.
The Cadbury Report recently stated the obligation of directors
to protect shareholders' assets against risks. As such, risk
management is migrating from the IT manager's in-tray and into the
boardroom.
'It's something all companies cannot ignore and the sooner they
sort it out the better,' says Barry-Walsh. The Home Office points
out 50 per cent of all businesses which experience a disaster, but
have no effective plans for recovery, fail within the following 12
months. The Institute of Risk Management estimates 60-plus per cent
of small businesses do not have a disaster plan, which is seen as
'too high for comfort'.
Safetynet's sales director Michael Burke says: 'Users with 200Gb
disk, and a 12-hour recovery window now have 700Gb, which can't be
handled within 12-hours. Such users are now looking at mirroring to
hit their recovery windows. The www world is very much 'wild wild
west' territory and e-continuity is critical. Equally mirroring is
playing an increasingly important role.'
Douglas Byars, md at The Associates International
(www.associates-intl.com), a software house providing high
availability products for AS/400, says: 'Historically, the high
cost and major effort required to install and operate a high
availability solution have prevented all but the most determined
from implementing a complete disaster recovery plan for their
AS/400. A number of new products have come onto the market which
have solved the above drawbacks, which makes it surprising still
how few installations are running a full contingency plan.'
Adding another spin to the continuity issue, David Priscott,
sales and marketing director at Transoft (www.transoft.com), says:
'The AS/400 community is coming under increasing pressure to tackle
e-business, particularly business-to-business. Note there are some
650,000 AS/400s out there. Also, AS/400s are installed at 98 per
cent of Fortune 500 companies. Our approach enables users to move
at low risk to e-business without dumping legacy RPG or Cobol.'
Contrary to popular belief, there's a lot of bespoke stuff out
there. The AS/400 world is not populated with packages. Many
businesses with AS/400 want to get into e-business, and don't
necessarily know how to go about it. They want to move from legacy
code quickly, and at low risk. Here, Transoft offers its TCF
(Transoft component framework) product, which integrates advanced
component based development with a company's proven
mission-critical legacy applications and data. Nothing has to be
dumped or duplicated. This can help to ensure the viability of a
business in the e-world.
There are many pressures, emanating from outside the industry
that are putting a company's risk provision under scrutiny. An
increasing number of businesses are feeling obliged through demands
from that increasingly powerful species - the customer - to
implement a security and quality process. That typically takes the
form of BS7799 and ISO9000. Politicians are diving in too. Y2K for
all its speculation did elevate the need for contingency planning
and survival of business risk. The result? Business continuity
cultures have been installed in many businesses globally that
otherwise wouldn't have been aware of the dangers.
The Home Office opines it's the companies which have trained and
exercised their people in implementing their plans which have the
best chance of surviving a disaster. True, the AS/400 has an
excellent uptime record, but business continuity is more than
keeping the company's processor chundering away. Those who fail to
grasp that fact could be in for a shock.
Waterer reinforces this, saying: 'If the board doesn't buy into
the concept, ask each of the directors the following question;
'please will you sign this form that says you were not prepared to
invest in business continuity after I'd highlighted to you the
risks our company faces'. That might focus their minds.' l
Implementing plans
Disaster and continuity planning begins at the top with the
executive board, and cascades down through management, to
operational level. It can be divided into eight steps:
Agree there is a need and start the process.
Assess the risks - internal and external - their probability,
and severity. Identify crucial systems, and where the business is
vulnerable.
Identify ways of eliminating, or preventing, the exposure to
risk.
Agree how to obtain and deal with specific disasters - identify
a disaster team, and external sources of help.
Plan for business continuity - how the company will carry on
business with minimal interruption - a business continuity team,
alternative premises, external resources.
Look at how critical systems will be recovered once the
emergency is over, and how to get back to normal.
Plan communications, how to support staff, minimise loss of
reputation, and restore shareholder confidence
Finally, assign responsibilities, document the plan, train
people, test the plan, publicise it, keep it current, and make it a
permanent part of the company culture.
Further useful information is obtainable from the companies
mentioned in the text, plus the Business Continuity Institute
(www.thebci.org), Institute of Risk Management (www.irmgt.co.uk),
or Survive (www.survive.com). The Home Office produces a booklet
'How resilient is your business to disaster?', which can be
obtained by phoning 0870 606 7766.
Remember it can be the obvious things that bring a company
down. Power failure accounts for over 10 per cent of all business
interruptions. Recent 'love-bug' virus attacks, and expected
FBI-flagged more virulent strains, highlight the tip of an iceberg.
An Audit Commission report showed virus incidents reported by
Government departments and agencies in the late '90s rising by 350
per cent. The average outage time of business interruption in the
UK is: fire - 28 days; IT failure - 10 days; and theft - 26 days.
The proportion of organisations reporting an IT theft has increased
60 per cent and average estimated cost increased from £7,700 to
£25,000-plus.