Rising above disaster

You may believe that business continuity is a practice appropriate only for larger corporations. You would be mistaken. Catherine...

You may believe that business continuity is a practice appropriate only for larger corporations. You would be mistaken. Catherine Jennings assesses how you can put together a business continuity strategy that suits your business

Disaster recovery (DR) and business continuity management (BCM) have traditionally been seen as the preserve of large enterprises, not least because of cost.

But no matter what size an organisation is, there's no getting away from the fact that 60% of businesses suffering a physical disaster such as fire or flood without any active DR and BCM plan in place go bust within a year. A sobering thought and one that can make the difference between the success or failure of your company.

Another important trend, however, is the growing emphasis on the need to comply with corporate governance regulations, which have a strong focus on risk management.

End-to-end continuity

While many companies like yours are feeling the pressure to implement DR and BCM policies, an increasing number of large enterprises are also starting to "push down" on their smaller suppliers and partners to ensure that they don't become the weak link in the chain, according to Debbie Rosario, Managing Consultant at Compass Management Consultants.

"Large companies are taking risk management very seriously and are looking at end-to-end business continuity and how to protect their supply chain. As a result, we're starting to see pressure from clients higher up the food chain as they recognise that, having got their own house in order, the next logical port of call is to look at their suppliers," she explains.

Even at a base level, however, there is still much confusion as to what the terms DR and BCM actually mean, and what the difference is between them. To put it concisely, DR relates to the ability to get your IT systems and networks up and running as quickly as possible after unscheduled downtime has occurred.

It is reactive in nature and comprises a technical subset of BCM, which is about ensuring your business can continue to undertake revenue-generating activities in the face of unforeseen incidents.

The focus here is on managing risk proactively and anticipating incidents that might affect your critical organisational functions and tasks to ensure that your company can respond appropriately in times of crisis.

Worryingly, however, says Andrew Hiles, Managing Director of Kingswell International, a DR and BCM services provider, as few as 10% of SMEs have any type of provision against IT or business interruption in place.

"Backing-up computer applications and data is about as far as most people go. There's a misguided belief that insurance will take care of everything, so the market is barely developed," he says. "The prime focus is on surviving in a business context rather than worrying about something that may never happen, and the general assumption is, 'it won't happen to me'."

The best-prepared firms tend to be in the heavily regulated financial services industry, but professional practices such as accountants and services-oriented organisations, including local government, are often more on the ball than other sectors.

This is because they are aware of just how reliant their businesses are on their corporate data and because they don't have the added complexity of having specialised plant or industrial machinery to worry about.

Reliant on data

Areas such as catering, leisure and retail, however, are the least likely to have covered themselves; they operate in competitive markets to tight margins and find it hard to find the money and justify the expenditure.

And it is this money issue, in the broadest sense, that causes the most problems for firms who want to implement DR and BCM, problems exacerbated by the fact that there are few consultancies, service providers or product vendors that specialise in catering to the specific needs of firms like yours.

Hiles explains: "It can take the same time and cost the same for consultants and vendors of recovery services to conduct a sale worth £5,000 as for one worth £500,000. The cost of sale to SMEs has inhibited developing special low-cost solutions for them, which means there are a limited number of offerings."

To make matters worse, many of the large recovery centre vendors such as Hewlett-Packard and IBM provide recovery facilities based on a minimum number of seats. This means that you may have to pay for 25 seats even if you only require five, making such options unaffordable.

However, a good starting point, says Paul Hammond, Managing Director at DR and BCM services provider CNT UK, is online data back up, which is offered by hundreds of suppliers. This ensures your data is regularly mirrored to disk at a remote location and means that recovery is quicker than it would be if undertaken from tapes stored at an off-site fire vault.

But the cost issue is not an insurmountable one and can be solved by a bit of creative thinking. Rosario explains: "The perception is that business continuity has to be expensive and eat up a lot of resources, but it doesn't. It depends on what you want to protect - if you do a risk assessment and business impact analysis, you may find you don't need to spend much at all."

Hammond agrees. "Many people over-protect things they don't need to and under-protect things they do because they haven't got a clear view of what they need. A starting point for any BCM project is to understand what the business requires, what it doesn't, and where to invest money wisely by doing a cost-risk analysis."

After using this information as the basis for writing a BCM plan - which must be tested at least once a year to ensure it is kept up-to-date - the next step is to identify alternative premises that can be used in the event of a disaster.

One DR-specific option is to buy rack space currently being offered by various telcos at their data centres, which is a cost-effective way of buying yourself 'a mini-data centre', says Hammond.

Another is to simply house a spare server at an alternative site, even at your home or at the home of one of your employees. Or you could set up an agreement with your hardware provider to ensure they provide you with a replacement server within 24 hours of yours going down.

On the BCM side of things, it might be worth providing a local commercial estate agent with details of your requirements so they can maintain a record of possible locations you could use should an incident occur.

Yet another option, however, is to enter into an arrangement with a company similar in size to yours to look after each other's spare servers or back up tapes and even to temporarily house each other's staff until alternative accommodation is found.

"It's about being creative, which doesn't have to be expensive. In fact, I'd say that the biggest challenge with business continuity isn't so much cost as the cultural change involved. It's about actively managing risk and as such has to be supported from the top because it touches all areas of the organisation," Rosario advises. n

Case Study: Multiple Sclerosis Society

"We started on the road to business continuity management after we had problems with our back up window and the whole scenario developed from there. Someone asked the question, 'what happens if there's a fire' and it started off a train of thought. We started small, but are moving forward bit by bit," says Chris Moore, Head of IT at the Multiple Sclerosis (MS) Society.

The MS Society is a charity with 45,000 members, which undertakes fund-raising activities, provides respite care, distributes research grants and provides information to people whose lives are affected by multiple sclerosis in the UK.

Its business is supported by five key applications, one of the most important being its donor database, which holds records relating to donations over the previous 50 years. In the past, the organisation had backed up its storage tapes manually and held them offsite, but about two years ago it signed up to InTech Partner's zBac online back up service.

"Most of our back ups are once a night, but this shrank the window down from two hours to 20 minutes. It also gave us an element of disaster recovery (DR) as the back ups are already offsite and it is part of the service to restore the data in case of disaster," Moore says.

But she acknowledges that "if the server room goes down, we have a problem", and as a result is currently in the process of undertaking risk and business impact analysis and evaluating full disaster recovery and business continuity options "to focus trustees' minds on the importance of this".

Such options include agreeing to share 'house room' with charities of a similar size should an unforeseen incident occur, renting shell buildings or leasing space in specially provided DR facilities "which is not cheap, but is more affordable than it was".

"It's a big item on the budget and isn't sexy, so we're going to have to impress the importance of business continuity on senior management and the trustees. The last possible occasion to do something is when things go wrong, so we have to concentrate minds," Moore concludes.

Case Study: James Galt 

"Business continuity isn't cheap, but you get what you pay for and without it we might have taken a month to recover rather than a day. You have to think about what the impact will be if you don't do it and weigh that up against the price of the contract, and for us it made good sense," says Mark Taylor, IT Manager at James Galt. 

James Galt is a toy manufacturer that turns over £8 million, employs 33 staff, and is based in Cheadle, Cheshire. Although now part of larger organisation, Findel plc, it still operates autonomously and has had full business continuity management (BCM) plans and facilities in place for several years.

As a result, it was able to recover its business and IT systems rapidly with the help of SunGard Availability Services after a suspected arson attack at its headquarters in August last year. 

"Due to the nature of our business volumes and the type of business we are, we considered it crucial to restore critical functionality in 48 hours. But our phones were online from 9am on the Monday after the incident and we were taking orders within 24 hours of putting our business continuity plan into action. We gained the maximum benefit of being prepared," Taylor says. 

The organisation had previously spent nine months getting its BCM strategy in place, one month of which Taylor spent analysing risk and the potential impact of any incident on the business. Six months were spent working to devise a more detailed plan; the rest of the time was spent implementing and testing the scheme. 

"It was a challenge because people already have their days filled undertaking their own roles and you're asking them to take on more and involve them in another part of the business," says Taylor. "That's why there had to be top-level agreement and management has to be seen to endorse it. Also, you can't give the work to people to do in one big chunk. It has to be manageable and fit into their day." 

But ensuring the plan is kept up-to-date and relevant is also crucial, he adds, which means that annual testing is a must.  

"Testing is a key part of this. The first test you do is a real eye-opener - it makes you realise what you haven't done! But that's great because you can tackle problems in advance. It's all about minimising risk," he says.

Read more on Business continuity planning