We have still not taken on board the need to get ourselves properly
organised to sustain operations in the event of circumstances
beyond our direct control, says Colin Beveridge.
The sad fact is that for many organisations, business continuity
planning (BCP) has disappeared below our corporate radar. Moreover,
where they exist, disaster recovery plans may well be completely
inadequate for a changed, connected, world.
Ten years ago our planning parameters were fairly narrow and it was
so much easier to identify a passable continuity strategy. After
all, our businesses were largely independent, discrete, operations
with limited exposure to external threats and dependencies.
Today almost all of us rely on many third-party constituents for
our business activities. Not all of these are immediately apparent
to us due to the widely practised principles of badge engineering
parts of our business operations. This can make contingency
planning a minefield for the uninitiated and lull us into a false
sense of security if we don't follow the value chain right through
to the source.
Notwithstanding the bits and pieces we can't see, or don't know
about, we also seem to struggle with the infrastructure elements
that are under our noses daily: our hardware and software assets.
It wasn't always that way.
In the run-up to the Year 2000 date rollover we had no alternative
but to bite the bullet and find out exactly what we had out there
in terms of IT. Business continuity planning and disaster recovery
came to the forefront of the corporate agenda and our IT asset
registers were brought up to date, in many cases for the first
time.
It's
 | | "The tragic and traumatic events
of 11th September should have served as a wake-up call for those of
us who had slipped back into slumbering complacency" | | | | | |
| | Colin Beveridge | | |
|
|
a crying shame that the rigours and stringency we adopted to deal
with the Y2K problem were largely allowed to lapse. We seemed to
think that the heat was now off asset management.
We relaxed and quickly forgot the importance of maintaining
accurate and timely asset data. If that wasn't bad enough, the same
indifference has frequently been paid to all those
expensively-produced Y2K business continuity plans, the majority of
which are quietly gathering dust in the cupboard and have not been
updated since late summer or, if you are really lucky, autumn 1999.
The tragic and traumatic events of 11th September 2001 should have
served as a wake-up call for those of us who had slipped back into
slumbering complacency. Or so you would have thought.
This is obviously not the case though. If a recent report from
industry analyst IDC is anything to go by, the majority of major
European enterprises still do not have formal business continuity
plans. And, I suspect that, if the big boys don't think it is worth
the investment in BCP and disaster recovery, the smaller companies
are certain to be in an equally poor, or even worse, state of
unreadiness to survive a major catastrophe.
Of course, all things are relative and effective risk management is
all about striking an appropriate balance between likelihood,
impact and mitigation cost for threats. After all not everyone
needs a hot-standby facility, do they?
Maybe not - but there are very few businesses nowadays that will
not be seriously affected by a total or partial loss of their
computer facilities, or business data even for a very short time.
In this ever-faster world of the internet and 24/7 e-commerce, loss
of service for an hour is now a long-time, a day is now a lifetime
and a week can now be near-fatal.
And yet, it seems, many of us are happy to carry on blithely
without an effective business continuity plan safely tucked in our
back pocket, just in case the real world dares to break into our
technology-induced reverie.
When I am feeling really bloody-minded about this topic and not
getting what I expect as the proper level of attention from a
complacent infrastructure manager, I usually pull the pin from the
grenade (metaphorically speaking) and ask what will be happening to
our e-business during the 48 to 72 hour period it will take for the
internet's various DNS servers to propagate the IP address of our
re-constituted web-sites?
When I am feeling really bloody-minded about this topic and not
getting the proper level of attention from a complacent
infrastructure manager, I usually pull the pin from the
metaphorical grenade and ask about a worse case scenario. What
would happen to our e-business during the 48 to 72 hours it would
take for the Internet's various DNS servers to propagate the IP
address of our re-constituted Web sites if our server connections
were destroyed?
Are you happy with your business continuity plan?
As
Colin observes, many businesses have not bothered to update their
business continuity plans since Y2K.
Is this good enough given the events of September 11? Are you
confident you'll be able to keep the IT aspect of the business
running following a major disaster? >>Colin Beveridge is an interim executive who has held
top-level roles in IT strategy, development, services and support.
His travels along the blue-chip highway have taken him to a clutch
of leading corporations, such as Shell, British Petroleum, ICI, DHL
and Powergen.