Having a business continuity plan is one thing. Knowing
it works is another. Sally Flood finds out how three
organisations meet the challenge.

Your organisation probably has a business continuity plan, which
outlines how it will cope in the event of fire, flood or terrorist
attack. However, whether your plan will actually work is far less
certain. According to a study by the Business Continuity Institute,
most companies have not fully tested their business continuity
plans in more than a year.
Even up-to-date plans might not be enough to keep your business
going in the event of a disaster. The BCI claims that only 2% of
organisations have given serious thought to the risk of a complete
telecoms outage, and just 4% have considered the impact of losing
revenue, suppliers or customers.
"Organisations have to take an extremely broad approach to
business continuity that goes beyond whether their IT systems are
up and running," says Martin Byrne, business continuity practice
lead at consultancy Accenture. "It is critical that business
continuity planning, implementation and testing takes account of
the whole business."
Accenture recommends that companies take a systematic approach
to business continuity planning. It highlights six key activities:
analysing the business and its processes; assessing risks to the
business; identifying key assets and processes; implementing a
continuity plan; testing; and ongoing maintenance. "If you cover
all these steps, the chances are that you will end up with a plan
that works when you need it," says Byrne.
Three companies were asked to share their experiences of
business continuity planning and give some insight into whether
their plans worked when they were needed.

Company name: Voca
Industry: Financial services
Business continuity strategy: A comprehensive, in-house plan reviewed four times a year
Biggest challenge: Getting board acceptance of the costs

Business continuity is critical to Voca, the payments and
transaction infrastructure behind the Bacs payment network, and the
company responsible for processing all the UK's direct debit
transactions. Last year, Voca processed 4.5 billion transactions,
with an estimated value of £3tn, and there is no room for
error.
"We have been around for a long time and have not lost a single
transaction yet," says Chris Dunne, Voca's commercial business
development manager. "That is because business continuity is part
of the fabric of the organisation - it is that important to what we
do."
Voca is considered part of the UK's "critical infrastructure"
because it handles so many government and business payments. This
means that, under the Civil Contingencies Act, it is required to
have robust business continuity procedures. In addition, as a
financial services company, Voca is required to comply with strict
regulatory requirements on security and disaster recovery.
Because business continuity is so vital to Voca, the company
decided to manage all its business continuity planning and
implementation internally, through a dedicated business continuity
team. "The role of the team is to create a plan that spells out how
we continue to operate in the three key areas of people, process
and technology," says Dunne.
The "people" aspect of business continuity includes appointing a
crisis management team so everyone knows what they need to do in
the event of a problem. "You cannot just assume people know who to
talk to or where to go in a crisis," says Dunne.
The "process" is distilled into a series of planning documents
that are reviewed by a senior management team every quarter to
ensure they still reflect the needs of the business.
The technology includes a fully redundant network across three
sites, with alternative network routing in the event of one site's
network failing completely. Voca has also invested heavily in
remote access and voice over IP technology, which allows staff to
access the network from any location within the company.
Voca regularly tests all aspects of its business continuity
plan. Twice a year the company moves the whole service desk from
its site in Bedfordshire to a second site in Essex to make sure the
business could operate from either location. "It is simple things
that present a challenge sometimes, such as: do they know where to
sit, do their key-cards work, can they log into the computers?"
says Dunne.
This testing is combined with vertical contingency testing,
where the business continuity team tests particular scenarios from
beginning to end, to look for gaps in the plan. "These scenarios
often involve partners, banks and customers, which is vital," says
Dunne. "Many organisations have their own processes and
terminology, and the test is the only way to iron out the
inevitable wrinkles."
The biggest challenge Dunne's team faces is justifying the cost
of such a sophisticated plan, he says. "A good plan is always more
expensive than you imagine, and that can be difficult to justify.
To some extent, you have to paint the doom-and-gloom scenario to
get the business to accept this is not just spending money on
something we hope we will never use."

Company name: Iglu.com
Industry: Online travel agency
Business continuity strategy: Back-up to protect against the biggest risks
Biggest challenge: Limited resources for business continuity and high rate of change

Although it has been established for only seven years,
ski-holiday specialist Iglu.com is considered something of an
internet veteran. Even so, the company is under no illusions: if
the website is unavailable, customers will click away to a
competitor's site in seconds.
"We have a brochure and telephone service, but the website is
the first port of call so the aim of our business continuity
planning is to ensure the site is always available," says Rob
Whitehouse, Iglu.com's head of IT infrastructure.
Organising technology is often the simplest part of business
continuity, Whitehouse says. Iglu.com has redundant hardware and
closely defined support contracts so that the business can continue
to run in the event of a hardware or software failure, and all data
is backed up and stored off-site. "We also know where we can get
replacement kit quickly," says Whitehouse.
Although the IT department is responsible for business
continuity, the plan involves more than just IT, says Whitehouse.
"You have to look at human error - around external partners and
suppliers, particularly."
Once Iglu.com had created its continuity plan, Whitehouse spent
several weeks ensuring key managers were familiar with its
contents. "You have to make sure more than one person knows all the
procedures - just in case that person gets hit by a bus," he
says.
To ensure the business continuity plan will work, Iglu.com
created strict change-management procedures, so changes to IT or
other systems are immediately reflected in the plan. "The last
thing you need is to start recovering systems and realise nothing
works because you have a new database, or somebody changed the
payroll provider," says Whitehouse.
The plan is constantly reviewed because Iglu.com is a small,
dynamic company where processes and systems often change, says
Whitehouse. Conducting an annual review would not suffice. Instead
the business continuity plan is reviewed every month to ensure it
reflects the latest practices in the business.
But as a small firm, Iglu.com also has to decide just how far
its business continuity plans can go. "We could say 'back up
everything, every day' and ensure we have a back-up for every
person, application and process, but we could not afford to do
that," says Whitehouse. "We decide where the big risks lie and
leave it to the managers to decide their priorities."

Company name: Markel International
Industry: Insurance broker
Business continuity strategy: To work with a third-party consultant to identify risk and core business processes
Biggest challenge: Getting full commitment from the business and getting them to understand why Markel is investing in business continuity ahead of other initiatives

The London office of Markel International is the hub of all
Markel's activities in Europe, and also provides all the company's
European IT and telecoms infrastructure. This means that IT
director Steve Fountain is responsible for making sure that
Markel's offices across the European Union are kept up and
running.
It is not just customers and brokers that are affected when
things go wrong - as a US-owned company, Markel must also comply
with Sarbanes-Oxley regulations, which insist on rigorous business
continuity and disaster recovery plans, says Fountain.
The company's continuity plans span everything from IT to remote
access, substitute offices and spare network capacity, and require
input from all aspects of the business.
Because of the scope of the risks and planning required, Markel
called in consultants in 2001 to conduct a business impact analysis
and risk assessment. "We wanted something impartial that would not
rely on one part of the business understanding how its work affects
other people," says Fountain.
The consultants created a virtual map of all Markel's business
processes and systems, and ranked them between A and C, according
to their criticality. The business continuity team could then use
this map to create a business continuity plan that would restore
all systems and processes within 72 hours of a disaster.
Working with a third party also helped Markel to identify areas
it might otherwise have missed. "We made changes to the existing
plan because of things they came up with - from identifying
potential service providers which could provide services when we
weren't able, to building our own recovery centre."
The recovery centre acts as an alternative hub for Markel's
European business in the event of the London head office becoming
unavailable. All the local IT staff have visited the site and
know how to set up key systems in an emergency, and a full test is
conducted twice a year.
A dedicated working party also reviews the business continuity
plan regularly to make sure it reflects changes to any business
processes, assets and people.