When the Buncefield oil distribution depot blew up at 6am one Sunday last December, it was not just local residents who were hit.
Hundreds of businesses were also affected, with windows blown out, roads impassable and employees unable to travel to work. Among the most seriously affected organisations was internet retailer ASOS, which had a major warehouse on the same site as Buncefield.
‘When the explosion happened, it blew out all of the windows in the building, ripped the roof off and completely destroyed the sprinkler system in the warehouse,’ says Paul Cottingham, the retailer’s infrastructure manager.
‘We were fortunate that only one person was in the building – later in the day we might have had 30 or 40 people working inside,’ he says.
Although ASOS had a disaster recovery plan, nobody at the company had ever anticipated this kind of incident, says Cottingham. ‘Our plans were about losing connectivity to an office, or people not being able to read their emails,’ he says.
But IT managers are increasingly being asked to help businesses to prepare for – and recover from – incidents that may have little to do with servers or communication systems.
Rebecca Ellis, a consultant with Siemens Communications, says her organisation is increasingly seeing firms move away from disaster recovery to a wider view of business continuity.
‘Technology has evolved to a point where it is not just about rebuilding services quickly; it’s about continuing to deliver essential services throughout a period of disruption,’ she says.
About 75 per cent of UK organisations have some form of business continuity plan, but very few plans are adequate, says Simon Mingay, a research vice president with analyst Gartner.
‘The problem is that most people don’t draw up truly comprehensive plans, and even those that are comprehensive are rarely up to date,’ he says.
The first stage of devising an effective business continuity plan depends on knowing which services need to be delivered in the event of an emergency.
For example, customer ordering systems might need to be up and running in hours, while the holiday booking system could probably wait for a few days.
Such information should be gathered by the IT director in partnership with other business leaders, says Siemens’ Ellis – this is the only way to know what the business priorities really are.
Jonathan Cattle, IT director with City insurance firm Close Premium, says his organisation has plans drawn up showing how to restore the most important activities within an hour, then others within four, 12, 24 or 72 hours.
‘It is a process that has been refined through experience, as our buildings have been damaged several times by IRA bombs in London,’ he says.
Once you have put together a wish list of available services, the next step is to consider what technology will be required to deliver those services in the event of a serious incident.
Technology can dramatically improve disaster recovery – from data mirroring to off-site backup and so-called ‘battle boxes’, which ensure companies always have access to a safe copy of critical manuals, processes and software licences.
Most services fall into one of three major categories, according to Ian Masters, UK sales and marketing director with Double-Take software.
‘You basically have a choice of high availability, disaster recovery or remote recovery,’ he says.
‘Some products will offer more than one sort of recovery, so it’s worth spending some time comparing services to calculate the best combination of price and functionality.’
Some organisations are also using geographical information systems (GIS) and other modelling technologies to plan for major incidents, enabling IT and business leaders to simulate disasters and predict the likely success of recovery strategies.
Bristol City Council, for example, recently conducted a 36-hour disaster simulation exercise with emergency service and other key public sector personnel.
GIS software allowed the team to map out potentially vulnerable sections of the local population, according to the council’s emergency planning officer, Kevin Hattersley.
‘It means we can see where we have old people’s homes or where people are cared for by social services and if an incident occurs, we know who is likely to be most affected and need additional support,’ he says.
As well as technology, there are other things to take into account – for example, you may need to source alternative premises for IT equipment and personnel in the event of a disaster, or work with the human resources department to ensure that staff know where to go if offices are inaccessible.
Once you have created a plan, it is vital to test its effectiveness.
‘Too many companies have an artificial sense of safety because they have a lovely plan on the shelf,’ says Martin Byrne, who leads Accenture’s European business continuity practice.
‘But unless you test the plan, how do you know if your employees will be able to get to the new premises, if the back-up tapes work, or if the remote access software will work with your new payroll system in the event of a disaster?’
And just because a plan works once doesn’t mean it will work for the rest of time. Gartner’s Mingay says many businesses are still coasting along with the business continuity plans they drew up for the Millennium.
‘The problem is that the world – and that means your partners, customers, employees and the government – has moved on a long way since then,’ he says.