As we speak, it appears that disruption to IT services
by the London bombings was minimised due to effective and realistic
business continuity strategies. Sally Flood sees how you construct
them.
Events that disrupt your business are rarely the ones you
expect. Take the tunnel fire in Manchester's underground system
last year, which affected 130,000 phone lines across Greater
Manchester, Cheshire and Merseyside. "Nobody was prepared for a
fire that would take out their communications," says Paul Vlissidi,
head of the information security practice at NCC Group. "Often
people plan for big terrorist attacks but forget about the more
mundane risks to business continuity, like power cuts and
communication failures."
This view is backed up by research conducted by the Business
Continuity Institute, an independent body that promotes best
practice in business continuity planning. The BCI found that just
2% of UK companies considered telecoms outages to be a serious
threat to their business. Companies were far more concerned about
natural disasters and terrorist attacks, with 52% of organisations
seeing these as the biggest threats they faced.
Although 75% of companies have business continuity plans, many
plans do not accurately reflect the risks that companies face, says
Martin Byrne, head of Accenture's European business continuity
practice. "The problem is many people have a very narrow
understanding of business continuity," he says. "Having business
continuity plans means more than just paying for a gold-plated
datacentre."
Vlissidi concurs. "Many business continuity plans are really
just renamed disaster recovery plans," he argues. "IT departments
are often given responsibility for both business continuity and
disaster recovery planning, without anyone fully understanding the
difference between the two. Disaster recovery is about getting
systems up and running following a systems failure; business
continuity is about whether an organisation can carry out its core
business functions in any circumstances - and that is about people,
processes and policies as much as technology."
The IT director may be responsible for getting applications up
and running in the event of a problem, but somebody has to tell him
which applications to restore and in which order, says Steve
Fountain, IT director at Markel International, a US-owned insurance
company. "Once the business tells me what they expect, I can
usually provision it, for a cost," he says. "Part of the business
continuity planning process is therefore balancing what they want
with what they want to spend."
Close co-operation between IT and the business is also important
when looking at the wider issues of business continuity. Recovering
from a flood, damaged building or industrial action is not just a
case of rebooting computers, suggests Jonathan Cattle, head of IT
and planning with brokerage firm Close Premium Finance.
Responsibility for business continuity planning at Close Premium
Finance falls to a committee, which includes representatives from
IT and operations, together with all the core business functions.
"It is vital because business continuity plans also cover things
like premises, business assets, employees, training and supplier
relationships," states Cattle.
The business continuity committee's first job is to identify
which of the thousands of activities carried out by Close Premium
Finance are the most critical. In the event of a disaster, some
activities must be restored as quickly as possible (such as
customer service and payroll) while other, less critical activities
(like the staff canteen) could be restored over a period of days or
weeks.
"We have plans drawn up showing us how to restore the most
important activities within an hour, then others within four, 12,
24 or 72 hours," explains Cattle. "It is a process that has been
refined through experience, as the company's buildings have been
seriously damaged twice by IRA bombs in London."

Once you have
identified and prioritised your core business processes, the
identified and prioritised your core business processes, the
experts advise conducting a thorough risk analysis to assess how
vulnerable your company's processes might be. "There are lots of
audit tools to help with this process, so you do not have to
reinvent the wheel every time," adds Martin Byrne. "You are
basically looking at what assets support your core business
processes and what threats could affect them."
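The tiered restoration targets Cattle describes, and Fountain's point that the business must tell IT which applications to restore and in which order, come together in a business impact analysis that IT can actually execute. The Python below is an added worked example, not code from the article or from any of the companies named in it; the activities, hour-based recovery time objectives (RTOs) and dependencies are constructed for illustration. It orders restoration so that nothing is attempted before what it depends on, taking the tightest RTO first among activities that are ready, and it flags a planning error the experts quoted here would recognise: an activity whose target is tighter than that of something it relies on, which no amount of planning effort can meet until the dependency's RTO is tightened too.

```python
"""Turn a business impact analysis into an executable restoration order.

Added example, not from the article. ACTIVITIES is a constructed BIA:
activity name -> (RTO in hours, list of activities it depends on).
The RTO bands mirror the 1/4/12/24/72-hour tiers quoted in the text.
"""
from collections import defaultdict

ACTIVITIES = {
    "network_and_auth": (1, []),
    "core_database": (1, ["network_and_auth"]),
    "customer_service_desk": (1, ["core_database", "telephony"]),
    "telephony": (4, ["network_and_auth"]),
    "payroll": (24, ["core_database", "hr_system"]),
    "hr_system": (72, ["network_and_auth"]),
    "staff_canteen": (72, []),
}


def rto_conflicts(activities):
    """Return sorted (activity, dependency) pairs where the dependency's RTO
    is longer than the activity's own. Such an activity cannot meet its
    target however good the runbook is: the plan itself is inconsistent."""
    conflicts = []
    for name, (rto, deps) in activities.items():
        for dep in deps:
            if activities[dep][0] > rto:
                conflicts.append((name, dep))
    return sorted(conflicts)


def restoration_order(activities):
    """Dependency-respecting restoration sequence (Kahn's topological sort),
    choosing the tightest RTO first whenever several activities are ready.
    Raises ValueError if the dependencies contain a cycle, i.e. a plan that
    could never be carried out."""
    indegree = {name: len(deps) for name, (_, deps) in activities.items()}
    dependents = defaultdict(list)
    for name, (_, deps) in activities.items():
        for dep in deps:
            dependents[dep].append(name)

    # Priority: shortest RTO first, then name for a deterministic result.
    def priority(name):
        return (activities[name][0], name)

    ready = [name for name, count in indegree.items() if count == 0]
    order = []
    while ready:
        ready.sort(key=priority)
        current = ready.pop(0)
        order.append(current)
        for dependent in dependents[current]:
            indegree[dependent] -= 1
            if indegree[dependent] == 0:
                ready.append(dependent)

    if len(order) != len(activities):
        raise ValueError("dependency cycle in plan: it cannot be executed")
    return order


def schedule_by_tier(activities):
    """Group the restoration order into the plan's hour bands, so each tier's
    checklist can be handed to the team responsible for that window."""
    tiers = defaultdict(list)
    for name in restoration_order(activities):
        tiers[activities[name][0]].append(name)
    return dict(sorted(tiers.items()))


if __name__ == "__main__":
    for activity, dependency in rto_conflicts(ACTIVITIES):
        print(f"RTO conflict: {activity} needs {dependency}, "
              f"which has the longer RTO")
    for tier, names in schedule_by_tier(ACTIVITIES).items():
        print(f"within {tier}h: {', '.join(names)}")
```

Run on the constructed data, the conflict check reports that the customer service desk (1-hour target) depends on telephony (4-hour target) and that payroll (24 hours) depends on the HR system (72 hours); both are exactly the kind of gap that only surfaces when the business's priorities and IT's dependencies are written down side by side, and both should be resolved in the plan rather than discovered on the day.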
Once you have identified the risks, consider whether it is cost
effective to eliminate or mitigate a risk, rather than planning to
recover from a problem later. For example, if your telecoms system
is in a flood basin, consider investing in flood defences. If you
have only one person who can run the payroll system each month, you
may want to invest in additional training in case they are taken
ill or leave the company. At this stage, you will be left with some
risks that cannot be eliminated or reduced and it is these that a
business continuity plan must address. "Your business continuity
plan basically spells out how you restore normal service in the
event of one of these risks becoming a reality," says Mark Bowell,
an IT support analyst at media distributor Handleman. "Some of that
is down to technology, but a lot of it involves other parts of the
business."
There is a lot that technology can do to improve business
continuity - from data mirroring to off-site back-up and so-called
"battle boxes", which ensure companies always have access to a safe
copy of critical manuals, processes and software licenses.
Handleman uses Netvault to back up its core data each day. However,
other parts of the business will also have a hand in business
continuity planning. At confectionery company Kinnerton, for
example, the operations director is responsible for finding
alternative premises in the event of a disaster, and the human
resources department ensures all employees know where the
alternative offices are and how to get there.
Once you have created a business continuity plan, it is
essential to test it thoroughly, says Byrne. "Too many companies
have an artificial sense of safety because they have a lovely plan
on the shelf," he says. "But unless you test the plan, how do you
know if your employees will be able to get to the new premises, if
the back-up tapes work, or if the remote access software will work
with your new payroll system?"
Moreover, just because a plan works once does not mean it will
work for the rest of time. "Loads of businesses are still coasting
along with the business continuity plans they drew up for Y2K,"
says Vlissidi. "The problem is that the world - and that means your
partners, customers, employees and the government - has moved on a
long way since then." There are no hard and fast rules when it
comes to ongoing testing of a business continuity plan: it depends
on how dynamic your organisation is, and how important recovering
from a disaster is to the board. In the financial services and
retail sectors, companies tend to test business continuity plans at
least once a quarter, but in a smaller or less complex company,
once a year may suffice.
"A good compromise is often to conduct different levels of test
at different times," says Byrne. A full-scale test of business
continuity plans can be expensive and complex, particularly if it
involves partners, suppliers and regulators. However, it is
possible to conduct smaller tests more frequently. "A desk test,
where you get the team together and challenge the test by thinking
up different scenarios, is quite straightforward," he says. The
importance of testing is sometimes only realised too late. Last
summer, the comms room at Handleman's Warrington office flooded
during heavy rains, damaging several servers. "Fortunately, the
flood happened during the day so we were able to get in there
pretty quickly," says Bowell. "But our existing plan did not cover
what we would do in the event of losing data from those servers,
which we did."
Since the flood, Handleman has invested in back-up servers and
off-site mirroring, both of which are regularly tested. However,
persuading the board to invest in such technologies is not always
easy, Bowell says. "The problem is that suppliers tend to come up
with really unrealistic figures, there is a lot of scaremongering
and the solutions are very expensive. It is often not until
something happens that the board realises how important business
continuity really is."
The key questions
The Business Continuity Institute recommends businesses answer
the following questions when creating their business continuity
plan:
- What if our electricity supply failed?
- What if our IT networks went down?
- What if our telephones went down?
- What if key documents were destroyed by fire?
- What if our staff could not gain access to the building for
days, weeks or months?
- What if there were casualties?
- What if our customers could not contact us?
- What if our suppliers could not supply us?
- What if our customers could not pay us?
- What if we could not pay our suppliers?
Recipe for a sound plan
- Make it clear you have consulted throughout the business
- Use non-technical language that everyone can understand
- Make it clear who needs to do what, and who takes
responsibility for what.
- You should always include deputies to cover key roles
- Use checklists readers can follow easily
- Include clear, direct instructions for the crucial first hour after
an incident
- Include a list of things that do not need to be thought about
until after the first hour
- Agree how often, when and how you will check your plan to make
sure it is always a "living document". Update it to reflect changes
in your company's personnel and in the risks it might face
- You will never be able to plan in detail for every possible
event.
- Remember that people need to be able to react quickly in an
emergency: stopping to read lots of detail may make that more
difficult
- Plan for worst-case scenarios: If your plan covers how to get
back in business if a flood destroys your building, it will also
work if one floor is flooded.