Establishing the right level of spend on business continuity is the key to effective planning. Helen Beckett reports
The business world has become accustomed to being on red alert, whether for reasons of terrorist threats or network security, and the UK firms are entering a more pragmatic phase. It is less a case of "it will never happen to me" than "what if it happens to me?"
Nonetheless, according to Robin Gaddum, practice leader for IBM UK Business Continuity & Recovery Services, small and medium-sized businesses still make classic mistakes. One is to assume that when disaster strikes it will be on a calamitous scale, rather than merely disruptive.
"There is a human tendency to assume disasters will be high-impact events. The reality is you are more likely to be taken out by a plumbing fault," he says.
And when interruptions do occur, they can really hurt or even finish the business that is unprepared. Gaddum quotes the National Archives & Records Administration figure that 93% of businesses that suffer more than 10 days of system downtime will file for bankruptcy within a year.
Gaddum recommends that smaller business use their new awareness for maximum impact and spend money on specific tools and strategies rather than on blanket contingency.
When he speaks to businesses about finding the appropriate level of spend for them, it is often in terms of finding their unique position between two bars.
The lowest bar represents "hygiene" contingency and is concerned with what a company must implement to keep its everyday business activity on track. This includes having anti-virus and back-up procedures in place to ensure computers and networks are an asset and not a risk.
Additionally, hygiene extends to policies that make sure the company does not fall foul of regulatory and legislative matters, such as the Data Protection Act.
The top bar is represented by best practice, encapsulated in the BS25999 standard. This standard is developed around the premise that a business continuity plan is implemented as part of corporate governance. The key here is to ensure that it is regularly updated and tested.
Once found, it is vital the company keeps its relative position constant. The two bars are bound to rise, and so the danger is that companies will not be adequately covered for their business risk.
"Too many companies regard continuity planning as an exercise and decision carried out at a single point in time," says Gaddum. Instead, he says, it should really be about risk governance.
Good governance also means having someone own the issue of contingency and continuity. In the small business, this will likely rest with the owner-proprietor. "They are absolutely the right person to know the risk - often they are betting their house on the business," says Gaddum.
He encourages small companies to think outside the four walls of their business when assessing and formulating contingency plans. Management games are useful to expand lines of thinking, and he recommends companies think through impacts and responses to a hypothetical emergency to improve readiness.
Gaddum says small steps can be useful for a small company good communication can work wonders when the supply system crashes for two hours. "If you play golf with your customer, picking up the phone and explaining the situation can win you time and maybe save your business," he says.
This special section for small and medium-sized businesses looks at the issues of business continuity planning. The threat of terrorist attacks may dominate the news, but smaller firms are more likely to be brought down by something as mundane as a plumbing leak. The trick, say the experts, is to continually monitor your plans for what to do if disaster strikes - you cannot get by without a once-and-for-all solution.