You may believe that business continuity is a practice
appropriate only for larger corporations. You would be mistaken.
Catherine Jennings assesses how you can put together a business
continuity strategy that suits your business.
Disaster recovery (DR) and business continuity management (BCM)
have traditionally been seen as the preserve of large enterprises,
not least because of cost.
But no matter what size an organisation is, there's no getting away
from the fact that 60% of businesses suffering a physical disaster
such as fire or flood without any active DR and BCM plan in place
go bust within a year. A sobering thought and one that can make the
difference between the success or failure of your company.
Another important trend, however, is the growing emphasis on the
need to comply with corporate governance regulations, which have a
strong focus on risk management.
End-to-end continuity
While many companies like yours are feeling the pressure to
implement DR and BCM policies, an increasing number of large
enterprises are also starting to "push down" on their smaller
suppliers and partners to ensure that they don't become the weak
link in the chain, according to Debbie Rosario, Managing Consultant
at Compass Management Consultants.
"Large companies are taking risk management very seriously and are
looking at end-to-end business continuity and how to protect their
supply chain. As a result, we're starting to see pressure from
clients higher up the food chain as they recognise that, having got
their own house in order, the next logical port of call is to look
at their suppliers," she explains.
Even at a base level, however, there is still much confusion as to
what the terms DR and BCM actually mean, and what the difference is
between them. To put it concisely, DR relates to the ability to get
your IT systems and networks up and running as quickly as possible
after unscheduled downtime has occurred.
It is reactive in nature and comprises a technical subset of BCM,
which is about ensuring your business can continue to undertake
revenue-generating activities in the face of unforeseen
incidents.
The focus here is on managing risk proactively and anticipating
incidents that might affect your critical organisational functions
and tasks to ensure that your company can respond appropriately in
times of crisis.
Worryingly, however, says Andrew Hiles, Managing Director of
Kingswell International, a DR and BCM services provider, as few as
10% of SMEs have any type of provision against IT or business
interruption in place.
"Backing-up computer applications and data is about as far as most
people go. There's a misguided belief that insurance will take care
of everything, so the market is barely developed," he says. "The
prime focus is on surviving in a business context rather than
worrying about something that may never happen, and the general
assumption is, 'it won't happen to me'."
The best-prepared firms tend to be in the heavily regulated
financial services industry, but professional practices such as
accountants and services-oriented organisations, including local
government, are often more on the ball than other sectors.
This is because they are aware of just how reliant their businesses
are on their corporate data and because they don't have the added
complexity of having specialised plant or industrial machinery to
worry about.
Reliant on data
Areas such as catering, leisure and retail, however, are the least
likely to have covered themselves; they operate in competitive
markets to tight margins and find it hard to find the money and
justify the expenditure.
And it is this money issue, in the broadest sense, that causes the
most problems for firms who want to implement DR and BCM, problems
exacerbated by the fact that there are few consultancies, service
providers or product vendors that specialise in catering to the
specific needs of firms like yours.
Hiles explains: "It can take the same time and cost the same for
consultants and vendors of recovery services to conduct a sale
worth £5,000 as for one worth £500,000. The cost of sale to SMEs
has inhibited developing special low-cost solutions for them, which
means there are a limited number of offerings."
To make matters worse, many of the large recovery centre vendors
such as Hewlett-Packard and IBM provide recovery facilities based
on a minimum number of seats. This means that you may have to pay
for 25 seats even if you only require five, making such options
unaffordable.
However, a good starting point, says Paul Hammond, Managing
Director at DR and BCM services provider CNT UK, is online data
back up, which is offered by hundreds of suppliers. This ensures
your data is regularly mirrored to disk at a remote location and
means that recovery is quicker than it would be if undertaken from
tapes stored at an off-site fire vault.
But the cost issue is not an insurmountable one and can be solved
by a bit of creative thinking. Rosario explains: "The perception is
that business continuity has to be expensive and eat up a lot of
resources, but it doesn't. It depends on what you want to protect -
if you do a risk assessment and business impact analysis, you may
find you don't need to spend much at all."
Hammond agrees. "Many people over-protect things they don't need to
and under-protect things they do because they haven't got a clear
view of what they need. A starting point for any BCM project is to
understand what the business requires, what it doesn't, and where
to invest money wisely by doing a cost-risk analysis."
After using this information as the basis for writing a BCM plan -
which must be tested at least once a year to ensure it is kept
up-to-date - the next step is to identify alternative premises that
can be used in the event of a disaster.
One DR-specific option is to buy rack space currently being offered
by various telcos at their data centres, which is a cost-effective
way of buying yourself 'a mini-data centre', says Hammond.
Another is to simply house a spare server at an alternative site,
even at your home or at the home of one of your employees. Or you
could set up an agreement with your hardware provider to ensure
they provide you with a replacement server within 24 hours of yours
going down.
On the BCM side of things, it might be worth providing a local
commercial estate agent with details of your requirements so they
can maintain a record of possible locations you could use should an
incident occur.
Yet another option, however, is to enter into an arrangement with a
company similar in size to yours to look after each other's spare
servers or back up tapes and even to temporarily house each other's
staff until alternative accommodation is found.
"It's about being creative, which doesn't have to be expensive. In
fact, I'd say that the biggest challenge with business continuity
isn't so much cost as the cultural change involved. It's about
actively managing risk and as such has to be supported from the top
because it touches all areas of the organisation," Rosario advises.
Case Study: Multiple Sclerosis Society
"We started on the road to business continuity management after
we had problems with our back up window and the whole scenario
developed from there. Someone asked the question, 'what happens if
there's a fire' and it started off a train of thought. We started
small, but are moving forward bit by bit," says Chris Moore, Head
of IT at the Multiple Sclerosis (MS) Society.
The MS Society is a charity with 45,000 members, which
undertakes fund-raising activities, provides respite care,
distributes research grants and provides information to people
whose lives are affected by multiple sclerosis in the UK.
Its business is supported by five key applications, one of the
most important being its donor database, which holds records
relating to donations over the previous 50 years. In the past, the
organisation had backed up its storage tapes manually and held them
offsite, but about two years ago it signed up to InTech Partner's
zBac online back up service.
"Most of our back ups are once a night, but this shrank the
window down from two hours to 20 minutes. It also gave us an
element of disaster recovery (DR) as the back ups are already
offsite and it is part of the service to restore the data in case
of disaster," Moore says.
But she acknowledges that "if the server room goes down, we have
a problem", and as a result is currently in the process of
undertaking risk and business impact analysis and evaluating full
disaster recovery and business continuity options "to focus
trustees' minds on the importance of this".
Such options include agreeing to share 'house room' with
charities of a similar size should an unforeseen incident occur,
renting shell buildings or leasing space in specially provided DR
facilities "which is not cheap, but is more affordable than it
was".
"It's a big item on the budget and isn't sexy, so we're going to
have to impress the importance of business continuity on senior
management and the trustees. The last possible occasion to do
something is when things go wrong, so we have to concentrate
minds," Moore concludes.
Case Study: James Galt
"Business continuity isn't cheap, but you get what you pay for
and without it we might have taken a month to recover rather than a
day. You have to think about what the impact will be if you don't
do it and weigh that up against the price of the contract, and for
us it made good sense," says Mark Taylor, IT Manager at James
Galt.
James Galt is a toy manufacturer that turns over £8 million,
employs 33 staff, and is based in Cheadle, Cheshire. Although now
part of a larger organisation, Findel plc, it still operates
autonomously and has had full business continuity management (BCM)
plans and facilities in place for several years.
As a result, it was able to recover its business and IT systems
rapidly with the help of SunGard Availability Services after a
suspected arson attack at its headquarters in August last
year.
"Due to the nature of our business volumes and the type of
business we are, we considered it crucial to restore critical
functionality in 48 hours. But our phones were online from 9am on
the Monday after the incident and we were taking orders within 24
hours of putting our business continuity plan into action. We
gained the maximum benefit of being prepared," Taylor says.
The organisation had previously spent nine months getting its
BCM strategy in place, one month of which Taylor spent analysing
risk and the potential impact of any incident on the business. Six
months were spent working to devise a more detailed plan; the rest
of the time was spent implementing and testing the scheme.
"It was a challenge because people already have their days
filled undertaking their own roles and you're asking them to take
on more and involve them in another part of the business," says
Taylor. "That's why there had to be top-level agreement and
management has to be seen to endorse it. Also, you can't give the
work to people to do in one big chunk. It has to be manageable and
fit into their day."
But ensuring the plan is kept up-to-date and relevant is also
crucial, he adds, which means that annual testing is a must.
"Testing is a key part of this. The first test you do is a real
eye-opener - it makes you realise what you haven't done! But that's
great because you can tackle problems in advance. It's all about
minimising risk," he says.