Play IT safe - a guide to business continuity

Recent research suggests most firms still lack a business continuity plan

With global financial markets in meltdown, it is easy for business leaders to become blasé about other potential disasters: when it already seems that the sky is falling in, what else is there to worry about?

Less panic-stricken leaders, however, recognise the value in contingency planning. After all, in the face of massive uncertainty, it is the ability to successfully mitigate foreseeable misfortunes that will allow most businesses to flourish.

And despite the continuing economic chaos, organisations are surviving and many are ready to take a closer look at their own operations. For any business to carry on in the face of threats ­ - whether terrorist, economic, environmental or acts of God ­ - business continuity is an imperative.

A worrying fact, revealed in the latest annual report published by the Chartered Management Institute and supported by the Cabinet Office and the Continuity Forum, is that only 47 per cent of UK organisations have a business continuity plan ­ a figure that has only increased by two percentage points in the past six years. Most companies in the UK are still ill prepared to cope with a disaster and are failing to prioritise business continuity planning.

However, Maxine Holt, senior research analyst at Butler Group, believes that large enterprises are taking business continuity more seriously than they are given credit for.

“The ones struggling are typically the mid-sized organisations, where there are other things higher up the priority list. Most of their time is spent fire fighting, so being proactive with disaster recovery and business continuity is not going to be top of their list,” she says.

Business continuity is not solely about disaster recovery ­ - the technological aspects of getting systems up and running again ­ - but also about how and where the business will continue to operate. Recent events such as the Buncefield oil terminal fire and the serious flooding across the UK last year have highlighted the need for businesses to develop extensive and long-term contingency plans, including partial or total relocation, in the event of a crisis.

Most commonly, the event that triggers the implementation of the business continuity plan is not a major disaster but a less serious event such as a local power failure. Therefore business continuity needs to include arrangements for short intervals of unplanned downtime as well as longer periods of disruption.

“It does not have to be a big disaster to require a business continuity strategy,” says Holt. “Systems outages of just a few hours can have a major impact on the ability of the business to continue its day-to-day operations.”

According to the British Standards Institution (BSI), there is a growing willingness from business leaders to engage with the concepts of business continuity. It reports that its new business continuity standard, BS25999, has achieved the fastest uptake ever. Launched in November 2007, BS25999 establishes the processes, principles and terminology of business continuity management. The standard specifies requirements for a documented business continuity management system within the context of managing an organisation’s overall business risk.

Andrew Morris, management systems director at the BSI, says that good business continuity processes should be combined with good risk management, to feed management information to decision makers to support good governance. “Business continuity is a main board issue and the responsibility of the chairman down,” he says. “However, it does not come free and that is why business impact planning will help to justify the costs. If something really matters to the business then it should make the resources available.”