Business continuity planning for SMEs

Business continuity is best thought of as the test of how your business would cope when things go wrong. It is as important for small to medium-sized enterprises (SMEs) as it is for multinationals.

Business continuity is best thought of as the test of how your business would cope when things go wrong. It is as important for small to medium-sized enterprises (SMEs) as it is for multinationals.

Bob Tarzey, service director with a focus on SMEs at analyst firm Quocirca, says that SMEs that overlook business continuity planning do so at their peril. "The people and the IT are often the most important assets of the business. The risk of business failure is high for SMEs because many have one or a few locations, which house all the IT.

"And if you are lucky enough to have your IT in another facility that remains unaffected by some kind of failure, you have to make sure you can access it or ensure it can provide some failover," says Tarzey.

Why SMEs need a disaster plan

Tarzey quantified the scale of the risk inherent in a growing reliance on technology, citing research carried out by Quocirca in July this year that found that more than 50% of SME workers are PC users and more than 75% of SMEs operate more than one server.

The majority of SMEs also operate from more than one location, meaning their IT infrastructure is distributed geographically, representing a dependence on IT for everyday business tasks and further issues for IT management.

Yet with such a heavy reliance on IT, only 25% of the 602 Quocirca research respondents were either satisfied or very satisfied with the management of their IT systems.

All this does not bode well for the average SME's ability to assess its own business continuity needs, much less the likelihood of it having the knowledge and skills to act on them.

Planning for the worst

Graham Titterington, principal IT security and business continuity analyst at Ovum, advises SMEs to think about how the business would cope without IT. "No one knows their own business better than SMEs, as they often rely on limited resources. So they are in the best position to know how their business would cope with no IT systems for a morning, a day, or a week.

"Only they can know if their customers would be affected, go elsewhere, or even not come back if their ability to do business with them was taken away," he says.

Titterington says that assessing the financial impact of such an outage is also important to estimate the amount of investment needed to mitigate the risk of losing communication links, stored data and operational systems.

"Go through a 'what if' scenario. You might find a few minutes without the internet may not make much of a difference. It depends on what business you are in.

"An online retailer, for instance, would be in a different position to one not so reliant on the internet as its main means of doing business. "You may often find that the customer-facing systems can be prioritised over the back-office ones."

But some companies could find going without the ability to carry out back-office functions not so easy to cope with after a week.

Assessing the reliance on technology and the potential risk posed by its failure is the first step to quantifying its potential impact on the business, and understanding what data and communication links and systems most need protecting.

Regulatory compliance, often seen as a burden, can here be turned to an advantage when planning which IT systems to protect. Titterington says that the areas of legislation most likely to shape SME continuity planning are the Data Protection Act and the Freedom of Information Act.

"Data storage should always come first," he says. And whether it is tape or online, offsite data storage emerges as the key to unlocking the value of protecting the systems SMEs rely on.

Protecting your data

Fabio Torlini, marketing manager for hosting services company Rackspace, says that more and more SMEs are looking to outsource data storage and datacentre capacity for both compliance and business continuity reasons. "SMEs know it is better for them to go with a managed hosting provider than handle datacentre maintenance, data storage and security in-house.

"They know they can take advantage of economies of scale and technical expertise," he says.

And, just like Rackspace, a growing number of SME-focused IT suppliers are offering hosted or software as a service delivery models that claim to eliminate compliance pressures, boost productivity by reducing the IT and security maintenance burden and, most importantly, assure business continuity plans.

Peter Bauer, chief executive of Mimecast, has capitalised on the business continuity plans and IT management headaches firms encounter by taking e-mail out of their hands.

"We recognised early on that e-mail was becoming a killer application. You have to have your firewalls, anti-virus and anti-spam in place and often even SMEs can have four to five different categories of e-mail systems and archiving.

"We do all of this in one product and deliver it as a service over the internet. The user retains full control over the data, as though they were running the systems themselves," he says.

Outsourcing for continuity

Regardless of whether it is the data or mission-critical systems, the thing that all these providers have in common is outsourcing. Outsourcing is a key consideration for all small businesses reviewing business continuity plans.

The users of managed IT and communications provider ADS Portal use its desktop hosting service to ensure business continuity and alleviate risks associated with managing strategy and implementation in-house.

Gary Collins, ADS portal technical director, says that outsourcing IT, particularly for the SME, can provide multi-layer security, negating risks of virus and hacker attacks.

"Recently, the flood crisis across many parts of the UK resulted in companies having to close their businesses," he says. An affected ADS Portal customer was able to carry on with their business because all their data and applications were stored centrally, allowing staff to securely log on via the internet and continue working as normal.

But one key element all these offerings rely on is connectivity. Avanti Communications recently introduced a service that provides a back-up satellite relay in the event of the loss or disruption of a terrestrial broadband link.

Matthew O'Connor, Avanti managing director, says what makes managers really understand the inadequacy of their business continuity strategy is "when they realise their Blackberries will not work, because the servers sit on the wrong side of the firewall".

Tarzey says that third-party business continuity help and technology is plentiful for SMEs. His research showed that overall, about 20% of SMEs already outsource IT management to some extent. "From consultants to suppliers and hosted providers, there is plenty of help out there," he says.

In addition, trade organisations such as the Confederation of Business Industry, Institute of Directors and the government's practical, online guide for businesses can all help with business continuity advice.

Get your priorities in order

Titterington was pragmatic in his view of how much of the responsibility for business continuity any new technology or service could allow the business to delegate.

"Deal with real-world threats and prioritise in that order. Burglary, fire and flood first, then look at your policies for recovery, people and physical assets, followed by your information systems. It is all practical, common sense really," he says.

Read more on IT for small and medium-sized enterprises (SME)