Bite the bullet: learn from Y2K

A business continuity plan is for life not just for the millennium, writes Julia Vowler

A business continuity plan is for life not just for the millennium, writes Julia Vowler

It's a depressing truth of 20th century history that Britain won the war, and lost the peace. After heroic efforts to defeat Hitler, the energy required to sustain that momentum into economic resurgence simply ran out. Perhaps, too, it was a question of perceived risk. After all, Nazi occupation is a lot worse to endure than industrial decline.

The same psychology can affect the current post-year 2000 era. The prospect of global meltdown courtesy of the millennium date bug was enough to ensure that huge efforts were made to assign resources across the nation to avert the threat. Once averted, however, the demob mentality that has accompanied the general sense of post-millennial relief could mean that risk from any other source is dangerously underestimated.

Without wanting to invent an IT version of the Cold War to keep stress levels high, don't assume that because you survived Y2K you are immune to IT-related corporate risk.

At the end of last month the Cabinet Office published a paper assessing the lessons learnt by UK PLC from the experience of dealing with the Y2K problem. Author Simon Martin-Redman, managing director of management consultancy DBi, stresses that the key lesson learnt is that the whole issue of business continuity planning must be an on-going concern for every organisation.

It certainly came to the fore in Y2K programmes.

Many organisations, says Martin-Redman, didn't even have a business continuity plan before they started work on the date change problem. Even when the Y2K programme was complete, the business continuity plans were not always tested.

"I did [post-fixing] Y2K audits for government departments," Martin-Redman says. "They didn't get a green light unless they had a business continuity plan in place and had tested it."

Testing the business continuity plan is essential, he says, and, depending on your organisation's critical dependence on IT, it should be carried out at least twice a year.

The plan needs to be both robust and comprehensive, extending throughout the organisation and beyond. No department is an island, and no company either. That was another key lesson that the Y2K experience taught - that we all depend on organisations beyond our own boundaries. Knowing just what those dependencies are is crucial for business continuity, even in ordinary times.

Martin-Redman urges, "It's absolutely categorical that the business continuity plan must be integrated across and beyond the organisation. Isolation is sub-optimal."

Nor are organisations static. Continuous business improvement is a way of life. An out-of-date business continuity plan is worse than useless, it is dangerous. It must map constantly to the ever-changing structure and architecture of the organisation. Every new IT project needs to have a point when it will be included in the business continuity plan.

"You must keep the business continuity plan dynamic," warns Martin-Redman. "It's no good it sitting in a brown envelope inside a locked safe."

The business continuity plan also has to be thought out beforehand in as much detail as possible. When the balloon goes up there will be little time for thinking, only for action.

Martin-Redman recalls, "One government department had a business continuity plan which roughly said, 'In case of failure devise a communications strategy'."

Needless to say, the strategy should be worked out beforehand so that it is easily and rapidly applicable when disaster strikes.

Business continuity plans also need to be easy to understand and as brief as possible. A turgid 50-page incomprehensible document is not helpful when there's a state of emergency. Martin-Redman advises at-a-glance pictorial representation and you-are-here process maps for swift orientation and positioning.

Although the Y2K problem amply demonstrated corporate dependence on IT, such a plan is for business not IT continuity. So even if it is the IT director who is directly involved in the business continuity plan, the ultimate owner has to be the chief executive. And if the IT director is responsible for the business continuity plan, he or she must also be given the concomitant degree of authority to devise and execute it.

The bottom line of a business continuity plan is that every organisation needs one.

"It has to be robust and dynamic," says Martin-Redman, "or all you'll have to fall back on is the equivalent of Baldrick's 'I've got a cunning plan, Mr Blackadder'."

Not the most reassuring prospect.

Business continuity essentials

Although each organisation will need to implement its own unique plan, every business continuity plan must:

  • be up to date. Organisations are not static, neither can the business continuity plan afford to be - it must map to the current organisation of the company

  • be sufficiently practical and high level, giving a rapid insight into the manual workarounds that may be called up

  • be pictorial and signposted, for example, displaying a clear, concise process map showing information flow and dependencies

  • be integrated across the whole organisation since no department can operate in isolation

  • embrace information security - how precious is your corporate information and how retrievable is it?

  • include your supply chain and understand your dependencies on suppliers, and the impact of your discontinuity on other organisations

  • be tested in action at least twice a year

  • be owned by the chief executive - it's his company, he's ultimately responsible for ensuring it keeps operating

  • Read more on IT risk management