Behind Closed Doors: Business continuity planning is a disaster waiting to happen

We have still not taken on board the need to get ourselves properly organised to sustain operations in the event of circumstances beyond our direct control, says Colin Beveridge.

The sad fact is that for many organisations, business continuity planning (BCP) has disappeared below our corporate radar. Moreover, where they exist, disaster recovery plans may well be completely inadequate for a changed, connected, world.

Ten years ago our planning parameters were fairly narrow and it was so much easier to identify a passable continuity strategy. After all, our businesses were largely independent, discrete, operations with limited exposure to external threats and dependencies.

Today almost all of us rely on many third-party constituents for our business activities. Not all of these are immediately apparent to us due to the widely practised principles of badge engineering parts of our business operations. This can make contingency planning a minefield for the uninitiated and lull us into a false sense of security if we don't follow the value chain right through to the source.

Notwithstanding the bits and pieces we can't see, or don't know about, we also seem to struggle with the infrastructure elements that are under our noses daily: our hardware and software assets. It wasn't always that way.

In the run-up to the Year 2000 date rollover we had no alternative but to bite the bullet and find out exactly what we had out there in terms of IT. Business continuity planning and disaster recovery came to the forefront of the corporate agenda and our IT asset registers were brought up to date, in many cases for the first time.

It's a crying shame that the rigours and stringency we adopted to deal with the Y2K problem were largely allowed to lapse. We seemed to think that the heat was now off asset management.

We relaxed and quickly forgot the importance of maintaining accurate and timely asset data. If that wasn't bad enough, the same indifference has frequently been paid to all those expensively-produced Y2K business continuity plans, the majority of which are quietly gathering dust in the cupboard and have not been updated since late summer or, if you are really lucky, autumn 1999.

The tragic and traumatic events of 11th September 2001 should have served as a wake-up call for those of us who had slipped back into slumbering complacency. Or so you would have thought.

This is obviously not the case though. If a recent report from industry analyst IDC is anything to go by, the majority of major European enterprises still do not have formal business continuity plans. And, I suspect that, if the big boys don't think it is worth the investment in BCP and disaster recovery, the smaller companies are certain to be in an equally poor, or even worse, state of unreadiness to survive a major catastrophe.

Of course, all things are relative and effective risk management is all about striking an appropriate balance between likelihood, impact and mitigation cost for threats. After all, not everyone needs a hot-standby facility, do they?

Maybe not - but there are very few businesses nowadays that will not be seriously affected by a total or partial loss of their computer facilities, or business data, even for a very short time. In this ever-faster world of the internet and 24/7 e-commerce, loss of service for an hour is now a long time, a day is now a lifetime and a week can now be near-fatal.

And yet, it seems, many of us are happy to carry on blithely without an effective business continuity plan safely tucked in our back pocket, just in case the real world dares to break into our technology-induced reverie.

When I am feeling really bloody-minded about this topic and not getting the proper level of attention from a complacent infrastructure manager, I usually pull the pin from the metaphorical grenade and ask about a worst-case scenario. What would happen to our e-business during the 48 to 72 hours it would take for the Internet's various DNS servers to propagate the IP address of our re-constituted Web sites if our server connections were destroyed?

Are you happy with your business continuity plan?
As Colin observes, many businesses have not bothered to update their business continuity plans since Y2K. Is this good enough given the events of September 11? Are you confident you'll be able to keep the IT aspect of the business running following a major disaster?

Colin Beveridge is an interim executive who has held top-level roles in IT strategy, development, services and support. His travels along the blue-chip highway have taken him to a clutch of leading corporations, such as Shell, British Petroleum, ICI, DHL and Powergen.
