The show must go on

Business continuity should no longer be considered a tedious task. Given that eight out of 10 businesses without a tried and...

Business continuity should no longer be considered a tedious task. Given that eight out of 10 businesses without a tried and tested continuity plan suffering a major interruption to business go out of business within a year of suffering that disaster, this is no surprise.

Business interruptions have cost the UK an average of £3.04bn each year for the past seven years.

According to Richard Waterer, marketing manager at business continuity specialist Adam Associates, business continuity management can best be defined as 'the ongoing process of ensuring the continual operation of critical business processes through the evaluation of risk and resilience, and the implementation of mitigation measures'.

Waterer points out Adam Associates (www.adam.co.uk) core disaster recovery business does not cover AS/400 direct, although 'a lot of the business continuity planning we do for clients involves making decisions on this technology, where it is considered critical'. Business continuity is about the business of survival. IT and telecom (eg mobile phone) theft is increasing. Where once it was silicon chips that were highly sought after, today the thieves' attention focuses on complete workstations. The Association of British Insurers estimates the value of IT theft at £600m per year in England alone.

'Any event, no matter how small or seemingly trivial, has the potential to constitute a threat to a company's survival,' says Waterer. 'Anything which stops a company operating at its expected level has to be considered a disaster.'

Business continuity demands total commitment at board level, the dedication of key individuals in a company, assistance from business continuity specialists, and an enthusiastic and informed staff to execute all the necessary processes. Minimising risk plays a vitally important part in the overall scheme too. Risk has to be addressed at the outset, and allowed to influence all future planning.

Safetynet (www.safetynet.co.uk) has been operating for 15 years, and has notched up over 190 invocations and averted 1,510 standbys. All invocations were successful. It's got pole position on the AS/400 grid (it recently forked out over £500,000 for two of the largest AS/400 Risc processors).

Success seems to know no bounds. The company has been picking up scattered laurel wreaths. In a recent IDC report on levels of satisfaction with business continuity services providers, Safetynet scored the highest customer satisfaction rating (4.8 out of a possible 5.0), ahead of the likes of IBM (4.7), Hewlett-Packard (4.5), Guardian (4.1), Comdisco (4.1), Compaq (4.0) and SG-RS (4.0). IDC surveyed business continuity users across the UK, France, Germany and the US.

Safetynet md Paul Barry-Walsh says: 'Business continuity has been regarded as a niche interest for too long. Turnbull has made it a board level concern, and we are working to ensure UK organisations understand how business virtually protects not just IT and operations processes, but also reputation, share, and brand values.'

The Turnbull report - 'The combined code of corporate governance' - was published last October by the Institute of Chartered Accountants of England & Wales to the Stock Exchange (available for £7.50 from 020 7920 8841). The report requires companies to put in place controls to manage financial risk, and non-compliance with Turnbull has to be disclosed in company reports.

The Cadbury Report recently stated the obligation of directors to protect shareholders' assets against risks. As such, risk management is migrating from the IT manager's in-tray and into the boardroom.

'It's something all companies cannot ignore and the sooner they sort it out the better,' says Barry-Walsh. The Home Office points out 50 per cent of all businesses which experience a disaster, but have no effective plans for recovery, fail within the following 12 months. The Institute of Risk Management estimates 60-plus per cent of small businesses do not have a disaster plan, which is seen as 'too high for comfort'.

Safetynet's sales director Michael Burke says: 'Users with 200Gb disk, and a 12-hour recovery window now have 700Gb, which can't be handled within 12-hours. Such users are now looking at mirroring to hit their recovery windows. The www world is very much 'wild wild west' territory and e-continuity is critical. Equally mirroring is playing an increasingly important role.'

Douglas Byars, md at The Associates International (www.associates-intl.com), a software house providing high availability products for AS/400, says: 'Historically, the high cost and major effort required to install and operate a high availability solution have prevented all but the most determined from implementing a complete disaster recovery plan for their AS/400. A number of new products have come onto the market which have solved the above drawbacks, which makes it surprising still how few installations are running a full contingency plan.'

Adding another spin to the continuity issue, David Priscott, sales and marketing director at Transoft (www.transoft.com), says: 'The AS/400 community is coming under increasing pressure to tackle e-business, particularly business-to-business. Note there are some 650,000 AS/400s out there. Also, AS/400s are installed at 98 per cent of Fortune 500 companies. Our approach enables users to move at low risk to e-business without dumping legacy RPG or Cobol.'

Contrary to popular belief, there's a lot of bespoke stuff out there. The AS/400 world is not populated with packages. Many businesses with AS/400 want to get into e-business, and don't necessarily know how to go about it. They want to move from legacy code quickly, and at low risk. Here, Transoft offers its TCF (Transoft component framework) product, which integrates advanced component based development with a company's proven mission-critical legacy applications and data. Nothing has to be dumped or duplicated. This can help to ensure the viability of a business in the e-world.

There are many pressures, emanating from outside the industry that are putting a company's risk provision under scrutiny. An increasing number of businesses are feeling obliged through demands from that increasingly powerful species - the customer - to implement a security and quality process. That typically takes the form of BS7799 and ISO9000. Politicians are diving in too. Y2K for all its speculation did elevate the need for contingency planning and survival of business risk. The result? Business continuity cultures have been installed in many businesses globally that otherwise wouldn't have been aware of the dangers.

The Home Office opines it's the companies which have trained and exercised their people in implementing their plans which have the best chance of surviving a disaster. True, the AS/400 has an excellent uptime record, but business continuity is more than keeping the company's processor chundering away. Those who fail to grasp that fact could be in for a shock.

Waterer reinforces this, saying: 'If the board doesn't buy into the concept, ask each of the directors the following question; 'please will you sign this form that says you were not prepared to invest in business continuity after I'd highlighted to you the risks our company faces'. That might focus their minds.' l

Implementing plans

Disaster and continuity planning begins at the top with the executive board, and cascades down through management, to operational level. It can be divided into eight steps:

Agree there is a need and start the process.

Assess the risks - internal and external - their probability, and severity. Identify crucial systems, and where the business is vulnerable.

Identify ways of eliminating, or preventing, the exposure to risk.

Agree how to obtain and deal with specific disasters - identify a disaster team, and external sources of help.

Plan for business continuity - how the company will carry on business with minimal interruption - a business continuity team, alternative premises, external resources.

Look at how critical systems will be recovered once the emergency is over, and how to get back to normal.

Plan communications, how to support staff, minimise loss of reputation, and restore shareholder confidence

Finally, assign responsibilities, document the plan, train people, test the plan, publicise it, keep it current, and make it a permanent part of the company culture.

Further useful information is obtainable from the companies mentioned in the text, plus the Business Continuity Institute (www.thebci.org), Institute of Risk Management (www.irmgt.co.uk), or Survive (www.survive.com). The Home Office produces a booklet 'How resilient is your business to disaster?', which can be obtained by phoning 0870 606 7766.

Remember it can be the obvious things that bring a company down. Power failure accounts for over 10 per cent of all business interruptions. Recent 'love-bug' virus attacks, and expected FBI-flagged more virulent strains, highlight the tip of an iceberg. An Audit Commission report showed virus incidents reported by Government departments and agencies in the late '90s rising by 350 per cent. The average outage time of business interruption in the UK is: fire - 28 days; IT failure - 10 days; and theft - 26 days. The proportion of organisations reporting an IT theft has increased 60 per cent and average estimated cost increased from £7,700 to £25,000-plus.

This was last published in July 2000

Read more on IT risk management

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.

-ADS BY GOOGLE

SearchCIO

SearchSecurity

SearchNetworking

SearchDataCenter

SearchDataManagement

Close