Cutting disaster down to size

Most smaller companies are aware of the need to plan for contingencies. Fewer have converted concern into workable plans. Helen Beckett looks at some practical approaches

Most smaller companies are aware of the need to plan for contingencies. Fewer have converted concern into workable plans. Helen Beckett looks at some practical approaches

Small and medium-sized business are becoming more aware of business continuity, and more are implementing high-availability technologies that were previously the preserve of big corporations.

However, this new zest for business continuity does not alter the fact that most remain in a poor state of preparedness.

At this year's Gartner summit for mid-sized businesses, demand for business continuity was "way up there", according to vice-president of research Simon Mingay.

Business continuity was the most popular workshop by a factor of four, but Mingay is not fooled into thinking there is a dramatic conversion afoot. "Overall, the level of capability is going up, but the gap between the bestand the worst is also widening," Mingay says.

The affordability of high availability services such as disc mirroring and digital vaulting, and a more sensible pricing of bandwidth have encouraged savvy SMBs to upgrade. The drivers for this are larger databases and storage needs, tardy recovery from tape and the need for business guarantees, according to Gartner.

"Mid-sized businesses should not discount these high-availability, disaster-based recovery solutions as being too sophisticated or expensive," the analyst firm said.

Mortgage wholesaler Enterprise Home Loans is one such medium-sized company that has beefed up business continuity through a managed service. Its purchase of a digital vaulting service from Iron Mountain means that head of IT Matt Cramer no longer has to spend long hours supervising manual tape back-ups.

The service continuously and automatically backs up the company's data on Iron Mountain Digital's own servers, as well as at Enterprise Home Loans' disaster recovery premises. Cramer still does in-house back-up - "I take a belt and braces approach" - but an in-house back-up failure is no longer a cause for panic.

Plus, he says, a managed service means the company is confident of compliance with Financial Services Authority regulations.

Although the move to electronic vaulting was not a budgetary decision, with risk management the primary driver, a managed service nonetheless makes economic sense. "Storing tapes in vaults off-site costs thousands of pounds every quarter, which is silly money," says Cramer.

Despite a high state of awareness prompted by terror alerts and domestic disasters such as the Buncefield oil depot explosion, many SMBs- particularly smaller ones - have yet to convert concern into practical plans. "A major incident will spark a wave of concern which soon dwindles away to business as usual," says Mingay.

His observation is confirmed by findings published by the Federation of Small Businesses. The FSB survey found that almost a sixth of respondents did not back up data in any way.

A further fifth admitted they would not be able to recover from an event such as data theft or a virus attack.

"Technology may have levelled the playing field for small firms, but it is vital for small firms to be aware of the security implications for their business when they buy new hardware or software," says Peter Scargill, IT chairman at the FSB.

This neglect of the basics often comes from a human tendency to correlate "disaster" planning with catastrophic events. This misperception is probably fuelled by living in an age when people are alert to terrorist attacks and environmental disasters.

In fact, says Robin Gaddum, practice leader for IBM UK Business Continuity & Recovery Services, a business is more likely to be taken out by a plumbing problem.

One area where SMBs have made progress is in their recognition that many crises have a personal as well as an IT dimension.

Businesses that survived the Buncefield blast were the ones that managed to relocate their personnel as well as their data when they could not enter unsafe offices.

Toymaker James Galt & Company is an example of a firm that survived when its offices burned down because it had made proper preparations.

Prior to the fire, IT manager Mark Taylor had decided to upgrade from an IT disaster recovery plan to a broader business contingency. "The time was right to add the extra 'insurance clause'," he says, and the 25% increase in price received the blessing of his managing director and finance director.

Had James Galt not upgraded from IT-only to desk space recovery, the 13-week recovery period may have been even more painful, Taylor says.

As James Galt's experience shows, successful business continuity is about retaining the ability to think and act. The purchase of packages or services to keep people and data going is no substitute for rational thinking.

Gaddum cites the case of a medium-sized company that was situated by a river and recognised the risk. Unfortunately, it elected to locate its back-up centre on the banks of the same river.

Relying on normal business processes during a crisis is a classic mistake says Mingay. "It is Murphy's law that the appointed crisis manager will be on holiday when the gas pipe explodes," he says.

Instead, there has to be a system of delegation in place that enables someone else to release cash if the finance officer is not around. "People behave in peculiar ways when disaster strikes, so it is important to rehearse scenarios to increase the likelihood of having a functioning, decision making body," says Mingay.

Ensuring this capability during a crisis depends on having a joined up approach to business continuity at the planning stage. Matthias Werner, director of the Storage Networks Industry Association (SNIA) says SMBs need to have two conversations: one with a business bias and the other with an IT flavour.

"Whereas the IT folk often have some ideas of what they want to do, the business has no way of knowing what can be done," he says.

The SNIA recommends that the first conversation should consist of establishing the recovery time objective (RTO) and recovery point objectives (RPO). These objectives are, respectively, the amount of time a business can survive without data and people and second, the critical functions that must be salvaged for operation.

The business conversation is important because the storage market has slumped in price over the past few years. IDC analysts predict that the biggest growth in the storage market will come from storage subsystems costing £25,000 or less. Cheaper prices may tempt naive businesses to spend on the wrong kind of product.

Armed with the business decision, a company can progress to stage two and make a shopping list of IT products and services.

"This would include storage network architecture, whether you need IP links or dark fibre links, disc mirroring or a tape library offsite, or both," says Werner.

Smaller businesses may be handicapped because they lack the in-house expertise to select the appropriate continuity architecture. "Storage companies need to offer services as well as great products to this community," says Werner.

The very small business is perhaps least vulnerable to disconnection between IT and the business because the owner probably runs the whole shop. "The owner-proprietor is the right person to accept the risk, even if they decide to do nothing", says Gaddum.

And doing nothing may be legitimate if the company's strategy is to take £1 today and turn it into £1.50 ­tomorrow, says Gaddum, but only if it is part of business continuity best practice.

Don't miss the SMB business continuity seminar on the web

Computer Weekly, in association with IBM, will be running a web seminar entitled "The vital need for business continuity strategies for small and medium-sized business" at 11am on Wednesday 11 October.

The one-hour session, which includes presentations and a question and answer session, aims to highlight:

  • The best practices involved with business continuity strategy and planning in SMBs
  • Personnel and responsibility lines for setting up a business continuity strategy
  • The practical issues associated with the deployment of a business continuity system
  • The typical costs and how to determine and then justify budget
  • The case for a business continuity strategy as a managed service.

For further information or to register, click on the "webinars" link at

This special section for small and medium-sized businesses looks at the issues of business continuity planning. The threat of terrorist attacks may dominate the news, but smaller firms are more likely to be brought down by something as mundane as a plumbing leak. The trick, say the experts, is to continually monitor your plans for what to do if disaster strikes - you cannot get by without a once-and-for-all solution.

Read article: What is best for you?

Read more on IT for small and medium-sized enterprises (SME)