Play IT safe - a guide to business continuity

Recent research suggests most firms still lack a business continuity plan

With global financial markets in meltdown, it is easy for business leaders to become blasé about other potential disasters: when it already seems that the sky is falling in, what else is there to worry about?

Less panic-stricken leaders, however, recognise the value in contingency planning. After all, in the face of massive uncertainty, it is the ability to successfully mitigate foreseeable misfortunes that will allow most businesses to flourish.

And despite the continuing economic chaos, organisations are surviving and many are ready to take a closer look at their own operations. For any business to carry on in the face of threats ­ - whether terrorist, economic, environmental or acts of God ­ - business continuity is an imperative.

A worrying fact, revealed in the latest annual report published by the Chartered Management Institute and supported by the Cabinet Office and the Continuity Forum, is that only 47 per cent of UK organisations have a business continuity plan ­ a figure that has only increased by two percentage points in the past six years. Most companies in the UK are still ill prepared to cope with a disaster and are failing to prioritise business continuity planning.

However, Maxine Holt, senior research analyst at Butler Group, believes that large enterprises are taking business continuity more seriously than they are given credit for.

“The ones struggling are typically the mid-sized organisations, where there are other things higher up the priority list. Most of their time is spent fire fighting, so being proactive with disaster recovery and business continuity is not going to be top of their list,” she says.

Business continuity is not solely about disaster recovery ­ - the technological aspects of getting systems up and running again ­ - but also about how and where the business will continue to operate. Recent events such as the Buncefield oil terminal fire and the serious flooding across the UK last year have highlighted the need for businesses to develop extensive and long-term contingency plans, including partial or total relocation, in the event of a crisis.

Most commonly, the event that triggers the implementation of the business continuity plan is not a major disaster but a less serious event such as a local power failure. Therefore business continuity needs to include arrangements for short intervals of unplanned downtime as well as longer periods of disruption.

“It does not have to be a big disaster to require a business continuity strategy,” says Holt. “Systems outages of just a few hours can have a major impact on the ability of the business to continue its day-to-day operations.”

According to the British Standards Institution (BSI), there is a growing willingness from business leaders to engage with the concepts of business continuity. It reports that its new business continuity standard, BS25999, has achieved the fastest uptake ever. Launched in November 2007, BS25999 establishes the processes, principles and terminology of business continuity management. The standard specifies requirements for a documented business continuity management system within the context of managing an organisation’s overall business risk.

Andrew Morris, management systems director at the BSI, says that good business continuity processes should be combined with good risk management, to feed management information to decision makers to support good governance. “Business continuity is a main board issue and the responsibility of the chairman down,” he says. “However, it does not come free and that is why business impact planning will help to justify the costs. If something really matters to the business then it should make the resources available.”

It is important that the business identifies exactly what services are needed because without the thorough planning that the scheme demands it will be impossible to build a business case. A vital part of the exercise is the business impact analysis that needs to be carried out at the start. Without it, an organisation cannot fully understand the crucial parts of its business and how they interact and affect other business areas.

“Some business continuity plans are based on not much more than a guess,” says Morris. “It is important that firms analyse the impact of the various business continuity issues that can arise.”

For example, a power outage will have a bigger impact on a high-turnover supermarket or an intensive-care medical facility than on a design consultancy or a manual warehousing operation. Each organisation has to evaluate its perceived risks and threats against its own internal processes and operations.

While IT certainly has a large part to play in ensuring business continuity, there is a danger that planning becomes too focused on IT continuity and not on true business continuity. Creating a cross-functional business team including business unit owners, legal, risk, IT, facilities and HR as well as board representation will ensure that the needs of the business stay central.

With so many calls on the IT budget, calculating what is an appropriate budget for business continuity is a constant headache. However, David Johnston, group IT director at bathroom and kitchen supplier PJH Group, believes that new technologies such as virtualisation, thin clients and remote working are making it easier to incorporate disaster recovery and business continuity planning resources into the overall IT strategy.

“With warehouses and distribution centres around the UK, if we lose a site, we can point the technology at another location and continue working,” he says. “However, if we lose access to our main headquarters, the issues become more serious. But we have the technologies in place that support voice and data connectivity for remote and home working, which can be extended to cover office-based staff.”

At the Royal College of Physicians, the cost of providing resilient IT infrastructure has been reduced through the implementation of virtualisation technology. “With VMware we no longer have to match servers one for one, and that gives us added flexibility in disaster recovery and business continuity terms,” says Christopher Venning, IT manager. “Our main concerns now are about recovery times.”

Regardless of the approach to business continuity favoured by any given organisation, there is an inevitable trade-off between failover protection and cost, admits BSI’s Morris. Nevertheless, once a plan has been agreed, it is essential that business leaders regularly test and revisit those plans, he adds.

“Because every business is different, each business continuity solution should be unique,” says Morris. “We also need to remember that some exercises are just too expensive, awkward or risky to try. Shutting down and restarting a key server or network is often problematical and the advantages of trying may be outweighed by the risk.”

Twice a year PJH Group tests its business continuity plans by reinstalling a complete working environment on replacement equipment. “We’ve got it down to about six hours from the initial phone call,” says Johnston. “We hope things will never be so serious that we need to completely rebuild our systems, but we know we can do it and exactly how long it takes.”

And the stakes are high. Once disaster strikes, nearly half of all companies fail to recover. Business continuity has become an essential part of corporate life and standards such as BS25999 are helping to minimise the risk of such disruptions.

Five organisations that can help you keep disaster at bay

British Standards Institution
BS25999 is the world’s first British standard for business continuity management. Designed by experts from industry and government, it aims to establish the processes, principles and terminology of business continuity management (BCM).
www.bsigroup.co.uk

Teneros Application Continuity Appliances
Teneros has introduced a range of application continuity appliances for Microsoft Exchange 2003 and 2007 that promise a cost-effective and comprehensive continuity solution for email in the event of a temporary or permanent failure. The Teneros appliance maintains an ongoing backup of the Exchange mail store, and in the event of a problem or failure, it springs to life and takes over, ensuring no disruption to email service or functionality. Remotely managed by Teneros, these appliances could prove useful for companies that rely heavily on email communication to ensure the smooth running of their business.
www.teneros.com

Gematech
In the event of a crisis, communication is essential. Without it, most business continuity plans will fail as companies lose contact with staff, suppliers and partners. Gematech’s BCM Lite application has been designed to ensure continuity of incoming calls by seamlessly routing them to any other number anywhere in the world. In addition to voice and fax calls, the system is capable of re-routing data and videoconferencing calls to other locations. Any number of business continuity call diversion plans can be set up in advance and invoked remotely using a secure web link.
www.gematech. com

Troux Technologies
Troux Technologies offers software and consulting to help companies build a disaster recovery and business continuity plan. Plugging into existing IT architecture, Troux’s business continuity planning application automatically links the most important business processes to the plans, locations, people and technologies that support them. Claiming to significantly reduce operating costs by replacing manual and high-risk business continuity and disaster recovery tasks with automated processes, the software can assist with generating business impact analysis and recovery plans as well as providing overall co-ordination in the event of an emergency.
www.troux.com

F24 Crisis Communication
F24 provides a rapid, automated communication service in the event of an emergency, ensuring that key personnel are notified immediately or warnings to the general public issued. Within the first minute of an emergency being declared, hundreds of people can be instantly alerted using voice, fax, text or email, while telephone conferences are set up between designated people. No additional hardware or software is required to use the service, only a phone line and a computer with internet access.
www.f24.com

Five technologies that can bring peace of mind

Cloud computing
Ubiquitous access to all corporate data, applications and services, which are seamlessly delivered to a browser, promises to be the ultimate in business continuity – so long as access to the cloud and its hosting services is not disrupted.

Remote datacentres
Having a remote datacentre significantly reduces the risk of severe data and systems loss. With two or more datacentres the risks can be reduced further as systems and data can be mirrored to provide increased resilience as well as disaster recovery and business continuity options. Employing robust storage solutions together with regular backup and archiving procedures, data loss and disruption to the business is further minimised.

Thin-client technologies
Requiring no processing or storage capacity, thin-client systems are inherently more secure and robust than traditional desktop and mobile systems. Because data and applications remain under central control and are not resident on the device, business continuity is much easier to manage in the event of a disaster as local data and applications will not be compromised. The technology is easy to set up, so new users and remote locations can be configured quickly.

Virtualisation
Virtualisation allows companies to consolidate the number of servers that they run and streamline development and testing procedures. Because a virtual machine is independent of the hardware it is running on, copies of these virtual machines can be saved offsite to protect against the effects of a server failure. While the use of virtualisation for business continuity is still in its early stages, it has the potential to play an important, strategic part in any business continuity strategy.

Virtual private networks
An effective business continuity strategy must include the possibility of access to the office and office-based computer equipment being restricted or even denied. Virtual private network (VPN) technology enables secure access to critical applications from a remote location using an internet connection. In
the event of an emergency, remote and home workers may continue to work, gaining access to central systems when they become available, and the VPN can be easily configured to support other employees working from home or a temporary office location.