Most smaller companies are aware of the need to plan for
contingencies. Fewer have converted concern into workable plans.
Helen Beckett looks at some practical
approaches
Small and medium-sized businesses are becoming more aware of
business continuity, and more are implementing high-availability
technologies that were previously the preserve of big
corporations.
However, this new zest for business continuity does not alter
the fact that most remain in a poor state of preparedness.
At this year's Gartner summit for mid-sized businesses, demand
for business continuity was "way up there", according to
vice-president of research Simon Mingay.
Business continuity was the most popular workshop by a factor of
four, but Mingay is not fooled into thinking there is a dramatic
conversion afoot. "Overall, the level of capability is going up,
but the gap between the best and the worst is also widening," Mingay
says.
The affordability of high-availability services such as disc
mirroring and digital vaulting, and a more sensible pricing of
bandwidth have encouraged savvy SMBs to upgrade. The drivers for
this are larger databases and storage needs, tardy recovery from
tape and the need for business guarantees, according to
Gartner.
"Mid-sized businesses should not discount these
high-availability, disaster-based recovery solutions as being too
sophisticated or expensive," the analyst firm said.
Mortgage wholesaler Enterprise Home Loans is one such
medium-sized company that has beefed up business continuity through
a managed service. Its purchase of a digital vaulting service from
Iron Mountain means that head of IT Matt Cramer no longer has to
spend long hours supervising manual tape back-ups.
The service continuously and automatically backs up the
company's data on Iron Mountain Digital's own servers, as well as
at Enterprise Home Loans' disaster recovery premises. Cramer still
does in-house back-up - "I take a belt and braces approach" - but
an in-house back-up failure is no longer a cause for panic.
Plus, he says, a managed service means the company is confident
of compliance with Financial Services Authority regulations.
Although the move to electronic vaulting was not a budgetary
decision, with risk management the primary driver, a managed
service nonetheless makes economic sense. "Storing tapes in vaults
off-site costs thousands of pounds every quarter, which is silly
money," says Cramer.
Despite a high state of awareness prompted by terror alerts and
domestic disasters such as the Buncefield oil depot explosion, many
SMBs - particularly smaller ones - have yet to convert concern into
practical plans. "A major incident will spark a wave of concern
which soon dwindles away to business as usual," says Mingay.
His observation is confirmed by findings published by the
Federation of Small Businesses. The FSB survey found that almost a
sixth of respondents did not back up data in any way.
A further fifth admitted they would not be able to recover from
an event such as data theft or a virus attack.
"Technology may have levelled the playing field for small firms,
but it is vital for small firms to be aware of the security
implications for their business when they buy new hardware or
software," says Peter Scargill, IT chairman at the FSB.
This neglect of the basics often comes from a human tendency to
correlate "disaster" planning with catastrophic events. This
misperception is probably fuelled by living in an age when people
are alert to terrorist attacks and environmental disasters.
In fact, says Robin Gaddum, practice leader for IBM UK Business
Continuity & Recovery Services, a business is more likely to be
taken out by a plumbing problem.
One area where SMBs have made progress is in their recognition
that many crises have a personal as well as an IT dimension.
Businesses that survived the Buncefield blast were the ones that
managed to relocate their personnel as well as their data when they
could not enter unsafe offices.
Toymaker James Galt & Company is an example of a firm that
survived when its offices burned down because it had made proper
preparations.
Prior to the fire, IT manager Mark Taylor had decided to upgrade
from an IT disaster recovery plan to a broader business
contingency. "The time was right to add the extra 'insurance
clause'," he says, and the 25% increase in price received the
blessing of his managing director and finance director.
Had James Galt not upgraded from IT-only to desk space recovery,
the 13-week recovery period may have been even more painful, Taylor
says.
As James Galt's experience shows, successful business continuity
is about retaining the ability to think and act. The purchase of
packages or services to keep people and data going is no substitute
for rational thinking.
Gaddum cites the case of a medium-sized company that was
situated by a river and recognised the risk. Unfortunately, it
elected to locate its back-up centre on the banks of the same
river.
Relying on normal business processes during a crisis is a
classic mistake, says Mingay. "It is Murphy's law that the appointed
crisis manager will be on holiday when the gas pipe explodes," he
says.
Instead, there has to be a system of delegation in place that
enables someone else to release cash if the finance officer is not
around. "People behave in peculiar ways when disaster strikes, so
it is important to rehearse scenarios to increase the likelihood of
having a functioning, decision-making body," says Mingay.
Ensuring this capability during a crisis depends on having a
joined-up approach to business continuity at the planning stage.
Matthias Werner, director of the Storage Networks Industry
Association (SNIA), says SMBs need to have two conversations: one
with a business bias and the other with an IT flavour.
"Whereas the IT folk often have some ideas of what they want to
do, the business has no way of knowing what can be done," he
says.
The SNIA recommends that the first conversation should consist
of establishing the recovery time objective (RTO) and recovery
point objective (RPO). These objectives are, respectively, the
amount of time a business can survive without data and people, and
the critical functions that must be salvaged for
operation.
The business conversation is important because the storage
market has slumped in price over the past few years. IDC analysts
predict that the biggest growth in the storage market will come
from storage subsystems costing £25,000 or less. Cheaper prices may
tempt naive businesses to spend on the wrong kind of product.
Armed with the business decision, a company can progress to
stage two and make a shopping list of IT products and services.
"This would include storage network architecture, whether you
need IP links or dark fibre links, disc mirroring or a tape library
offsite, or both," says Werner.
Smaller businesses may be handicapped because they lack the
in-house expertise to select the appropriate continuity
architecture. "Storage companies need to offer services as well as
great products to this community," says Werner.
The very small business is perhaps least vulnerable to
disconnection between IT and the business because the owner
probably runs the whole shop. "The owner-proprietor is the right
person to accept the risk, even if they decide to do nothing," says
Gaddum.
And doing nothing may be legitimate if the company's strategy is
to take £1 today and turn it into £1.50 tomorrow, says Gaddum, but
only if it is part of business continuity best practice.
Don't miss the SMB business continuity seminar on the
web
Computer Weekly, in association with IBM, will be running a web
seminar entitled "The vital need for business continuity strategies
for small and medium-sized business" at 11am on Wednesday 11
October.
The one-hour session, which includes presentations and a
question and answer session, aims to highlight:
- The best practices involved with business continuity strategy
and planning in SMBs
- Personnel and responsibility lines for setting up a business
continuity strategy
- The practical issues associated with the deployment of a
business continuity system
- The typical costs and how to determine and then justify
budget
- The case for a business continuity strategy as a managed
service.
For further information or to register, click on the "webinars"
link at
www.computerweekly.com
This special section for small and medium-sized businesses
looks at the issues of business continuity planning. The threat of
terrorist attacks may dominate the news, but smaller firms are more
likely to be brought down by something as mundane as a plumbing
leak. The trick, say the experts, is to continually monitor your
plans for what to do if disaster strikes - you cannot get by
with a once-and-for-all solution.