Having a business continuity plan is one thing. Knowing it works is another. Sally Flood finds out how three organisations meet the challenge.
Your organisation probably has a business continuity plan, which outlines how it will cope in the event of fire, flood or terrorist attack. However, whether your plan will actually work is far less certain. According to a study by the Business Continuity Institute, most companies have not fully tested their business continuity plans in more than a year.
Even up-to-date plans might not be enough to keep your business going in the event of a disaster. The BCI claims that only 2% of organisations have given serious thought to the risk of a complete telecoms outage, and just 4% have considered the impact of losing revenue, suppliers or customers.
"Organisations have to take an extremely broad approach to business continuity that goes beyond whether their IT systems are up and running," says Martin Byrne, business continuity practice lead at consultancy Accenture. "It is critical that business continuity planning, implementation and testing takes account of the whole business."
Accenture recommends that companies take a systematic approach to business continuity planning. It highlights six key activities: analysing the business and its processes; assessing risks to the business; identifying key assets and processes; implementing a continuity plan; testing; and ongoing maintenance. "If you cover all these steps, the chances are that you will end up with a plan that works when you need it," says Byrne.
Three companies were asked to share their experiences of business continuity planning and give some insight into whether their plans worked when they were needed.
Company name: Voca
Industry: Financial services
Business continuity strategy: A comprehensive, in-house plan reviewed four times a year
Biggest challenge: Getting board acceptance of the costs
Business continuity is critical to Voca, the payments and transaction infrastructure behind the Bacs payment network, and the company responsible for processing all the UK's direct debit transactions. Last year, Voca processed 4.5 billion transactions, with an estimated value of £3tn, and there is no room for error.
"We have been around for a long time and have not lost a single transaction yet," says Chris Dunne, Voca's commercial business development manager. "That is because business continuity is part of the fabric of the organisation - it is that important to what we do."
Voca is considered part of the UK's "critical infrastructure" because it handles so many government and business payments. This means that, under the Civil Contingencies Act, it is required to have robust business continuity procedures. In addition, as a financial services company, Voca is required to comply with strict regulatory requirements on security and disaster recovery.
Because business continuity is so vital to Voca, the company decided to manage all its business continuity planning and implementation internally, through a dedicated business continuity team. "The role of the team is to create a plan that spells out how we continue to operate in the three key areas of people, process and technology," says Dunne.
The "people" aspect of business continuity includes appointing a crisis management team so everyone knows what they need to do in the event of a problem. "You cannot just assume people know who to talk to or where to go in a crisis," says Dunne.
The "process" is distilled into a series of planning documents that are reviewed by a senior management team every quarter to ensure they still reflect the needs of the business.
The technology includes a fully redundant network across three sites, with alternative network routing in the event of one site's network failing completely. Voca has also invested heavily in remote access and voice over IP technology, which allows staff to access the network from any location within the company.
Voca regularly tests all aspects of its business continuity plan. Twice a year the company moves the whole service desk from its site in Bedfordshire to a second site in Essex to make sure the business could operate from either location. "It is simple things that present a challenge sometimes, such as: do they know where to sit, do their key-cards work, can they log into the computers?" says Dunne.
This testing is combined with vertical contingency testing, where the business continuity team tests particular scenarios from beginning to end, to look for gaps in the plan. "These scenarios often involve partners, banks and customers, which is vital," says Dunne. "Many organisations have their own processes and terminology, and the test is the only way to iron out the inevitable wrinkles."
The biggest challenge Dunne's team faces is justifying the cost of such a sophisticated plan, he says. "A good plan is always more expensive than you imagine, and that can be difficult to justify. To some extent, you have to paint the doom-and-gloom scenario to get the business to accept this is not just spending money on something we hope we will never use."
Company name: Iglu.com
Industry: Online travel agency
Business continuity strategy: Back-up to protect against the biggest risks
Biggest challenge: Limited resources for business continuity and high rate of change
Although it has been established for only seven years, ski-holiday specialist Iglu.com is considered something of an internet veteran. Even so, the company is under no illusions: if the website is unavailable, customers will click away to a competitor's site in seconds.
"We have a brochure and telephone service, but the website is the first port of call so the aim of our business continuity planning is to ensure the site is always available," says Rob Whitehouse, Iglu.com's head of IT infrastructure.
Organising technology is often the simplest part of business continuity, Whitehouse says. Iglu.com has redundant hardware and closely defined support contracts so that the business can continue to run in the event of a hardware or software failure, and all data is backed up and stored off-site. "We also know where we can get replacement kit quickly," says Whitehouse.
Although the IT department is responsible for business continuity, the plan involves more than just IT, says Whitehouse. "You have to look at human error - around external partners and suppliers, particularly."
Once Iglu.com had created its continuity plan, Whitehouse spent several weeks ensuring key managers were familiar with its contents. "You have to make sure more than one person knows all the procedures - just in case that person gets hit by a bus," he says.
To ensure the business continuity plan will work, Iglu.com created strict change-management procedures, so changes to IT or other systems are immediately reflected in the plan. "The last thing you need is to start recovering systems and realise nothing works because you have a new database, or somebody changed the payroll provider," says Whitehouse.
The plan is constantly reviewed because Iglu.com is a small, dynamic company where processes and systems often change, says Whitehouse. Conducting an annual review would not suffice. Instead the business continuity plan is reviewed every month to ensure it reflects the latest practices in the business.
But as a small firm, Iglu.com also has to decide just how far its business continuity plans can go. "We could say 'back up everything, every day' and ensure we have a back-up for every person, application and process, but we could not afford to do that," says Whitehouse. "We decide where the big risks lie and leave it to the managers to decide their priorities."
Company name: Markel International
Industry: Insurance broker
Business continuity strategy: To work with a third-party consultant to identify risk and core business processes
Biggest challenge: Getting full commitment from the business and getting them to understand why Markel is investing in business continuity ahead of other initiatives
The London office of Markel International is the hub of all Markel's activities in Europe, and also provides all the company's European IT and telecoms infrastructure. This means that IT director Steve Fountain is responsible for making sure that Markel's offices across the European Union are kept up and running.
It is not just customers and brokers that are affected when things go wrong - as a US-owned company, Markel must also comply with Sarbanes-Oxley regulations, which insist on rigorous business continuity and disaster recovery plans, says Fountain.
The company's continuity plans span everything from IT to remote access, substitute offices and spare network capacity, and require input from all aspects of the business.
Because of the scope of the risks and planning required, Markel called in consultants in 2001 to conduct a business impact analysis and risk assessment. "We wanted something impartial that would not rely on one part of the business understanding how its work affects other people," says Fountain.
The consultants created a virtual map of all Markel's business processes and systems, and ranked them between A and C, according to their criticality. The business continuity team could then use this map to create a business continuity plan that would restore all systems and processes within 72 hours of a disaster.
Working with a third party also helped Markel to identify areas it might otherwise have missed. "We made changes to the existing plan because of things they came up with - from identifying potential service providers which could provide services when we weren't able, to building our own recovery centre."
The recovery centre acts as an alternative hub for Markel's European business in the event of the London head office becoming unavailable. All the local IT staff have visited the site and know how to set up key systems in an emergency, and a full test is conducted twice a year.
A dedicated working party also reviews the business continuity plan regularly to make sure it reflects changes to any business processes, assets and people.