Business continuity: the expert view

Business continuity is about expecting the unexpected and preparing for a system failure.

Business continuity: an expert view

Business continuity is about expecting the unexpected and preparing for a system failure.

Business continuity aims to prepare for natural disasters, accidents, transport problems, security threats, hacking and other e-crime, as well as problems such as avian flu.

A business continuity plan spells out how you restore normal service in the event of one of these risks becoming a reality.

It differs from disaster recovery, which is about getting systems up-and-running following a system failure. In contrast, business continuity is about whether an organisation can carry out its core business functions in any circumstances - this is about people, processes and policies, as well as technology.

The business continuity committee must first identify which of a firm's activities are the most critical. In the event of a disaster, some services must be restored quickly (such as customer service and payroll), while less critical services (like the staff canteen) could be restored over a period of days or weeks.

Once the core business processes are identified and prioritised, continuity experts advise a risk analysis, to assess how vulnerable the company's processes are. There are lots of audit tools to help with this process.

Once the risks are identified, the business should consider whether to eliminate or mitigate a risk, rather than planning to recover from a problem later.

Technology can improve business continuity with, for example, data-mirroring, off-site back-up and "battle boxes", which ensure companies always have access to a safe copy of critical manuals, processes and software licences.

The key questions

The Business Continuity Institute recommends businesses answer the following questions when creating their business continuity plan. What if:

• Our electricity supply failed?

• Our IT networks went down?

• Our telephones went down?

• Key documents were destroyed by fire?

• Our staff could not gain access to the building for days, weeks or months?

• There were casualties?

• Our customers could not contact us?

• Our suppliers could not supply us?

• Our customers could not pay us?

• We could not pay our suppliers?


Recipe for a sound plan

• Consult throughout the business.

• Use non-technical language that everyone can understand.

• Make it clear who needs to do what, and who takes responsibility for what. You should always include deputies to cover key roles.

• Use checklists that are easy to follow.

• Include direct instructions for the crucial first hour after an incident.

• Include a list of things that do not need to be thought about until after the first hour.

• Agree how often, when and how you will check your plan. Update it to reflect changes in your company's personnel and the risks it might face.

• You will never be able to plan in detail for every possible event. Remember that people need to be able to react quickly in an emergency: stopping to read lots of detail may make that more difficult.

• Plan for worst-case scenarios. If your plan covers how to get back in business if a flood destroys your building, it will also work if one floor is flooded.


Business continuity - news stories

Floods offer £170m disaster planning lesson >>

Investment in disaster recovery expected to rise >>


Business continuity - features/analysis

Business continuity - keep on running >>

Plan for the unexpected >>


Business continuity - weblinks

Continuity central >>

Business Continuity Institute >>

Good practice guide from the BCI >>

Business continuity directory >>

Business continuity guide for small businesses >>

Business continuity definition >>


Business continuity - blogs

David Lacey's security blog

How business continuity is changing >>

Tony Collins' project management blog

How the NHS IT programme, TPP's SystmOne, CSC and BT can help GPs during the floods >>

Silicon Valley Power Outage: Web 2.0 Honchos Fume >>

Should disaster recovery centres be locally or geographically dispersed >>


Read more on IT risk management