Several major disasters made IT directors take a closer look at their
business continuity and recovery strategies last year and ask the question: are we resilient enough?

Hurricane Katrina, the London bombings and the Buncefield oil depot explosion all led to firms’ business continuity plans being put into action – many relocating to secondary sites to carry on with their operations in the process.

But while big disasters, such as fire and floods, hit the headlines and highlight the need for a coherent business continuity strategy, everyday events including hardware and software malfunctions can equally affect a company’s ability to operate.

According to business continuity analyst Datamation, 70 per cent of businesses suffer systems downtime each year, at an average cost of £52,000 per hour, and 90 per cent of disasters are caused by failures in IT systems.

The research also suggests as many as 40 per cent of firms that experience a major disaster and do not have a business continuity strategy in place never recover.

For all these reasons we are seeing a big increase in business continuity spending, says Graham Titterington, principal analyst at Ovum.

He says that while IT directors are investing heavily in IT security to stop hackers and viruses from bringing down their systems, they are also increasing their investment in data backup, storage and relocation.

‘This growth has been witnessed for at least four to five years and we can expect it to continue to grow at a pretty good rate for a few years more,’ says Titterington. He suggests that the spending increase can be attributed to a number of factors, both old and new.

‘Some of the requirements for business continuity are the same as they have always been,’ says Titterington, citing natural and man-made disasters as big influences. But he says that increased awareness, through media coverage, is having a big effect on investment.

‘There is more awareness of the risks that are out there. Changing attitudes are also influencing investment in business continuity,’ says Titterington.

‘Because of the internet, the world is becoming more interconnected, but at
the same time there is now a greater risk and interdependence. People are a lot more aware of hacking, phishing and worms than ever before, and the same is true with physical threats.’

He says greater reliance by companies on web services and customer expectancy for always-available provision is also leading to a greater investment in business continuity systems.

‘The shift to on-demand services is leading to an immediacy in businesses,’ says Titterington. ‘In the old days, people could wait a few hours if a service went down, but now they will just move elsewhere.’

The growth of hosted services firms, such as customer relationship management specialists Salesforce.com and RightNow, means businesses have to invest in more resilient networks to ensure that they can link to data centres all the time, says Titterington.

And with the increase of home working and a growing trend for key business functions to be moved to branch offices, he says companies also need to do more to ensure that critical data is backed up throughout the business, not just at the headquarters.

‘Companies are beginning to realise more and more that there is important information being held in the branch offices and, in some cases, on home workers’ machines,’ says Titterington.

‘I think we will see more attention paid to bringing this outlying information into the overall business environment.’

Michael Rasmussen, vice president and analyst at Forrester Research, agrees that recent catastrophes have brought business continuity into sharp focus in the IT department.

‘One of the big investment drivers for business continuity has been the disasters we have seen recently, such as the tsunami, earthquakes and explosions,’ he says.

But while IT directors are focusing on protecting themselves against large one-off disasters, he questions whether they are prepared for more wide-reaching threats, such as bird flu.

Now that the virus has hit humans in Turkey, Rasmussen wonders how prepared companies would be if employees needed to work from home rather than relocate to other offices.

‘With the threat of the bird flu scare, a lot of companies need to ask “how well positioned are we to have people working at home” or “how well will our operations run?”,’ he says.

Ovum’s Titterington agrees, saying the growth of remote and home working should be more closely tied into business continuity strategies, so that employees do not have to travel to backup premises when disaster strikes.

‘Home working needs protecting and, to some extent, it could also be a solution for business continuity itself for many companies,’ he says.

Rasmussen also believes that different industries are tackling business continuity to varying levels of success, with some needing to do more than others to be fully prepared.

‘For the most part, companies are reacting and trying to get out of the woods. Financial services tends to be the most mature market for business continuity, but we are seeing a lot of focus in retail and the supply chain,’ he says.

‘The manufacturing industry tends to lag behind quite a bit, mainly because disaster recovery has not been as much of a focus and there are less regulatory issues there.’

But Rasmussen questions whether business continuity and disaster recovery strategies should be the sole preserve of IT managers.

‘In the past, the IT department has taken the leadership of business continuity, but this shouldn’t be the case, because disaster recovery concerns a bigger part of the company than just technology,’ he says.

Many companies, especially in the financial services industry, are already recognising the need to centralise continuity plans and are moving responsibility into the operational risk department.

Rasmussen says European directives – such as Basel II in the financial services industry and Solvency II in the insurance industry – are forcing companies to think about business continuity across the whole organisation.

‘It is definitely going to have an impact on the IT department: business continuity and IT security should demand a greater position in the organisation,’ he says.

‘There should be dual reporting relationships for business continuity within the company.’

But for IT departments to keep control of their business continuity budgets, Rasmussen says employees need to learn the language of business, rather than speak technical terms that other departments cannot understand.

‘The IT department often lacks understanding of the business process or risk to the business if a system goes down. A lot of the challenge for IT is putting the issues into a business context,’ he says.

If IT can lift its game and improve how it communicates company-wide, business continuity could move to the heart of the business, with IT directors taking an instrumental role.

Case study Great Ormond Street Hospital - Hospital cures system downtime worries

London’s Great Ormond Street Hospital (Gosh) is the UK’s top children’s hospital, treating more than 90,000 patients each year.

Crucial to its success are IT systems that analyse medical test results and provide doctors and nurses with patient records.

‘It may sound dramatic, but it’s not an exaggeration to say that lives may depend on the integrity of the IT at Great Ormond Street Hospital, so it is essential that we have a contingency plan in the event of any problems,’ says Mark Smith, Gosh’s head of ICT.

The hospital uses IT to manage three critical functions. All of the hospital’s financial and logistical planning systems are run over HP and ICL systems.

Clinical systems, which match blood samples, X-rays and other tests, also rely on the same systems.

Gosh’s patient information management system (PIMS), which holds patient demographics, check-in details and records of a patient’s previous appointments, also run over the computer network.

Smith says an inability to access IT systems would mean that staff at GOSH would be unable to view essential information, such as patient records and clinical data.

‘This would obviously have a major impact on the ability of doctors and nurses to carry out medical work effectively,’ he says.

But the hospital’s IT department, and business continuity firm SunGard, have worked together to put safeguards in place.

‘Lives would not be at risk from a loss of IT systems, as we always have manual backup arrangements in place, but loss of such systems could require staff having to work additional hours, and this could not be sustained indefinitely,’ says Smith.

SunGard provides Gosh with both an on-site and a remote disaster recovery service, meaning the hospital can react to all kinds of disasters.

Remote disaster recovery systems are secured, says Smith, to ensure that medical records are protected.

‘While the hospital has manual backup systems to ensure it can continue to provide care to its patients under any circumstances, there are also other significant benefits – including reduction of clinical risk – to be gained by using IT systems to provide clinical information to doctors and nurses at the bedside,’ he says.

‘The contract with SunGard ensures that any disruption is minimised, and SunGard’s NHS Net connection ensures that all data remains confidential.’

The hospital now has a business continuity strategy in place to ensure that, even in the worst situation, all of its critical data can be accessed within two days and, in most cases, much faster.

Smith says the strategy provides staff and patients with confidence in the hospital’s resilience and ability to cope in crises.

‘We have only had to invoke disaster recovery once, to overcome a software problem with one of our systems – and thanks to SunGard, the systems were available to our users within 24 hours.’

‘The main benefit is that we have confidence that in an emergency we can restore the hospital’s systems quickly, without the risk of incurring unplanned financial costs.’