As we speak, it appears that disruption to IT services by the London bombings was minimised due to effective and realistic business continuity strategies. Sally Flood sees how you construct them.
Events that disrupt your business are rarely the ones you expect. Take the tunnel fire in Manchester's underground system last year, which affected 130,000 phone lines across Greater Manchester, Cheshire and Merseyside. "Nobody was prepared for a fire that would take out their communications," says Paul Vlissidi, head of the information security practice at NCC Group. "Often people plan for big terrorist attacks but forget about the more mundane risks to business continuity, like power cuts and communication failures."
This view is backed up by research conducted by the Business Continuity Institute, an independent body that promotes best practice in business continuity planning. The BCI found that just 2% of UK companies considered telecoms outages to be a serious threat to their business. Companies were far more concerned about natural disasters and terrorist attacks, with 52% of organisations seeing these as the biggest threats they faced.
Although 75% of companies have business continuity plans, many plans do not accurately reflect the risks that companies face, says Martin Byrne, head of Accenture's European business continuity practice. "The problem is many people have a very narrow understanding of business continuity," he says. "Having business continuity plans means more than just paying for a gold-plated datacentre.
Vlissidi concurs. "Many business continuity plans are really just renamed disaster recovery plans,” he arguers. “IT departments are often given responsibility for both business continuity and disaster recovery planning, without anyone fully understanding the difference between the two. Disaster recovery is about getting systems up and running following a systems failure; business continuity is about whether an organisation can carry out its core business functions in any circumstances - and that is about people, processes and policies as much as technology."
The IT director may be responsible for getting applications up and running in the event of a problem, but somebody has to tell him which applications to restore and in which order, says Steve Fountain, IT director at Markel International, a US-owned insurance company. "Once the business tells me what they expect, I can usually provision it, for a cost," he says. "Part of the business continuity planning process is therefore balancing what they want with what they want to spend."
Close co-operation between IT and the business is also important when looking at the wider issues of business continuity. Recovering from a flood, damaged building or industrial action is not just a case of rebooting computers, suggests Jonathan Cattle, head of IT and planning with brokerage firm Close Premium Finance. Responsibility for business continuity planning at Close Premium Finance falls to a committee, which includes representatives from IT and operations, together with all the core business functions. "It is vital because business continuity plans also cover things like premises, business assets, employees, training and supplier relationships," states Cattle.
The business continuity committee's first job is to identify which of the thousands of activities carried out by Close Premium Finance are the most critical. In the event of a disaster, some activities must be restored as quickly as possible (such as customer service and payroll) while other, less critical activities (like the staff canteen) could be restored over a period of days or weeks.
"We have plans drawn up showing us how to restore the most important activities within an hour, then others within four, 12, 24 or 72 hours," explains Cattle. "It is a process that has been refined through experience, as the company's buildings have been seriously damaged twice by IRA bombs in London." Once you have identified and prioritised your core business processes, the experts advise conducting a thorough risk analysis to assess how vulnerable your company's processes might be. "There are lots of audit tools to help with this process, so you do not have to reinvent the wheel every time," adds Martin Byrne. "You are basically looking at what assets support your core business processes and what threats could affect them."
Once you have identified the risks, consider whether it is cost effective to eliminate or mitigate a risk, rather than planning to recover from a problem later. For example, if your telecoms system is in a flood basin, consider investing in flood defences. If you have only one person who can run the payroll system each month, you may want to invest in additional training in case they are taken ill or leave the company. At this stage, you will be left with some risks that cannot be eliminated or reduced and it is these that a business continuity plan must address. "Your business continuity plan basically spells out how you restore normal service in the event of one of these risks becoming a reality," says Mark Bowell, an IT support analyst at media distributor Handleman. "Some of that is down to technology, but a lot of it involves other parts of the business."
There is a lot that technology can do to improve business continuity - from data mirroring to off-site back-up and so-called "battle boxes", which ensure companies always have access to a safe copy of critical manuals, processes and software licenses. Handleman uses Netvault to back up its core data each day. However, other parts of the business will also have a hand in business continuity planning. At confectionery company Kinnerton, for example, the operations director is responsible for finding alternative premises in the event of a disaster, and the human resources department ensures all employees know where the alternative offices are and how to get there.
Once you have created a business continuity plan, it is essential to test it thoroughly, says Byrne. "Too many companies have an artificial sense of safety because they have a lovely plan on the shelf," he says. "But unless you test the plan, how do you know if your employees will be able to get to the new premises, if the back-up tapes work, or if the remote access software will work with your new payroll system?"
Moreover, just because a plan works once does not mean it will work for the rest of time. "Loads of businesses are still coasting along with the business continuity plans they drew up for Y2K," says Vlissidi. "The problem is that the world - and that means your partners, customers, employees and the government - has moved on a long way since then." There are no hard and fast rules when it comes to ongoing testing of a business continuity plan: it depends on how dynamic your organisation is, and how important recovering from a disaster is to the board. In the financial services and retail sectors, companies tend to test business continuity plans at least once a quarter, but in a smaller or less complex company, once a year may suffice.
"A good compromise is often to conduct different levels of test at different times," says Byrne. A full-scale test of business continuity plans can be expensive and complex, particularly if it involves partners, suppliers and regulators. However, it is possible to conduct smaller tests more frequently. "A desk test, where you get the team together and challenge the test by thinking up different scenarios, is quite straightforward," he says. The importance of testing is sometimes only realised too late. Last summer, the comms room at Handleman's Warrington office flooded during heavy rains, damaging several servers. "Fortunately, the flood happened during the day so we were able to get in there pretty quickly," says Bowell. "But our existing plan did not cover what we would do in the event of losing data from those servers, which we did."
Since the flood, Handleman has invested in back-up servers and off-site mirroring, both of which are regularly tested. However, persuading the board to invest in such technologies is not always easy, Bowell says. "The problem is that suppliers tend to come up with really unrealistic figures, there is a lot of scaremongering and the solutions are very expensive. It is often not until something happens that the board realises how important business continuity really is."
The key questions
The Business Continuity Institute recommends businesses answer the following questions when creating their business continuity plan:
- What if our electricity supply failed?
- What if our IT networks went down?
- What if our telephones went down?
- What if key documents were destroyed by fire?
- What if our staff could not gain access to the building for days, weeks or months?
- What if there were casualties?
- What if our customers could not contact us?
- What if our suppliers could not supply us?
- What if our customers could not pay us?
- What if we could not pay our suppliers?
Recipe for a sound plan
- Make it clear you have consulted throughout the business
- Use non-technical language that everyone can understand
- Make it clear who needs to do what, and who takes responsibility for what.
- You should always include deputies to cover key roles
- Use checklists readers can follow easily
Include clear, direct instructions for the crucial first hour after an incident
- Include a list of things that do not need to be thought about until after the first hour
- Agree how often, when and how you will check your plan to make sure it is always a "living document". Update it to reflect changes in your company's personnel and in the risks it might face
- You will never be able to plan in detail for every possible event.
- Remember that people need to be able to react quickly in an emergency: stopping to read lots of detail may make that more difficult
- Plan for worst-case scenarios: If your plan covers how to get back in business if a flood destroys your building, it will also work if one floor is flooded.