George Malim is editor of VanillaPlus magazine.
Business continuity and disaster recovery have long been associated with banks and multinationals, but as any business caught in a crisis has learned, meticulous contingency planning is sound advice for all.
Banks and trading houses have been at the forefront of business continuity since the phrase came into being. Their businesses are particularly exposed to technological failure and other security threats due to the large volumes and high values of transactions they conduct. However, other businesses have only recently come to the realisation that business continuity plans are essential.
Datamation research claims downtime of technology can cost businesses up to £5 million per hour so it's no surprise that businesses are taking the whole process more seriously. And it's not just technology that can threaten a business' survival. Storms, floods, hurricanes, terrorism, fire, war and loss of key personnel can rapidly damage any business. "Only 8% of companies without contingency plans in place will survive a disaster," said Keith Tilley, UK managing director at SunGard Availability Services. "12% will fail within five years, 40% will fail within 18 months and 40% will never re-open after a major incident."
However, highly publicised threats such as that posed by terrorism do not pose as significant a menace as loss of IT or telecommunications capacity, loss of key workers or natural disasters. A recent survey by the Chartered Management Institute found that 25% of respondents had suffered disruption from loss of IT capacity in the last year, while just 1% had sustained terrorist damage.
However, protecting a company's technology and the data stored within its network can be vastly expensive. Businesses can insulate themselves from nearly all forms of risk by replicating their data centres at multiple locations and frequently updating the data stored. But this comes at a cost.
The very secure business has to sustain large departments to manage this process – or engage consultants or outsourced service providers – all of which come at huge cost that may be prohibitive to all but the most sensitive businesses.
"The first thing a business needs to do is attach a value to its data and know what it wants to protect itself against," said Carl Windsor, chief technical consultant at data centre provider TeleCity. "Businesses need to understand the effect of what the loss of a customer database is going to be, for example. Many businesses think cost is going to be a barrier to entry but in many cases that cost of entry can be very low. We're trying to break the mindset that securing your data is going to be expensive."
It's not just loss of data that presents a major threat to businesses' ability to operate. Significant resources have to be devoted to protecting businesses from technical threats such as viruses and worms – now one of the largest threats companies face.
The benefits from the resources devoted can be intangible. Business continuity plans are all about investing in the worst case scenario. "The return on investment calculation can be extremely difficult because the benefits are intangible," added Windsor.
Understanding business continuity is the first thing businesses should accomplish before writing the big cheque. "Business continuity is the ability to carry on business if there has been a consequential loss of either data or critical presences," said Mark Vickers, managing director of NetServices. "You have to have key man life insurance for your most important people as a fundamental. If someone is worth £500,000 to you, you need to insure him for £1m to ensure growth is not halted."
Vickers says that once companies have taken care of human resources, they need to turn their attention to their physical presence. "Companies should ensure their service capability is distributed so they could lose a single site and their ability to distribute would not be compromised," he says. "Planning for the loss of one site should be fundamental to a business continuity plan. For example, a plan should allow for a lost location to be re-stocked, re-housed and the workforce re-employed within six months of a disaster."
Beyond physical presence, data is the next obvious threat – and skimping on protecting your data is often a false economy. "You only find out you've lost something when you want to use it and the only time you find out if your parachute works is when you come to use it," added Vickers. "You must capture the data but the idea of copying it once is foolish. You must capture multiple copies of your data at multiple locations and at different timeframes. This needs thought to develop a policy that suits your business. It is worth planning a bespoke solution – companies should not accept a solution that doesn't exactly meet their needs."
According to Windsor at TeleCity, approximately 65% of attempts to restore data stored on tapes fail, so relying on this solution isn't always worth the money it costs. Skimping on business continuity can make it pointless, as one company that operated in both of the Twin Towers found. It simply replicated its data in both towers. "It was an economical solution – but both buildings are gone," added Vickers. "Copies of data should be stored at least several miles apart – 20-25 miles is a safe distance, protecting you from everything this side of an atomic bomb."
According to the research from the Chartered Management Institute, the message is getting through – at least with larger organisations, which are more likely to be driven by corporate governance requirements. The proportion of organisations in the UK that have any sort of business continuity plan in place and have a turnover in excess of £11 million stands at 69% and, of those, 44% identified corporate governance as a driver compared with 29% in 2002.
Petra Cook, head of public affairs at the Chartered Management Institute, explains the importance of business continuity plans: "It's very tricky to prepare for the unexpected but a business continuity plan does help you plan for anything from floods to supply chain disruption such as if fuel supplies are disrupted. You can't plan for the individual disaster but if you've never thought of any disruption your thought process will take twice as long and your initial reaction isn't always the best considered one."
Cook says that having a plan in place is only the beginning of the process and continual practice and updating is the only way to ensure companies are in the right position to react if a disaster happens. "It's particularly important to rehearse the plan and it needs continual review, updating and practice because something as simple as moving around office furniture could necessitate a change in the plan," she said.
It is also important to address potentially detrimental factors outside the business. For example, a manufacturing business that receives raw materials from an external supplier could be damaged if that supplier suffered a disaster. The watchword is to ensure suppliers also have disaster recovery processes in place and you have alternatives lined up in the event of a disaster.
Cook, however, does not advocate hiring in vast amounts of external advice. The Business Continuity Institute has templates and a business survival guide and there are consultancies, she claims, that can provide good indicative guidelines. "There are several consultancies out there but this doesn't mean you have to get an expensive external supplier. A lot of business continuity planning needs to be done internally and organically. A disaster is likely to happen long after the consultants are gone and the business will have changed significantly since the original consultant-authored plan was drawn up."
Consultancies can, however, prove very useful – especially in insulating firms from technological threats. Phoenix Equity Partners, which manages over £450 million in private equity funds from approximately 75 investors in eight countries, has engaged ihotdesk, an outsourced IT consultancy, to manage a comprehensive disaster recovery plan. Strict Financial Standards Authority guidelines meant Phoenix, which was not willing to compromise on risk management and security, began investigating a plan after its management buy-out from Credit Suisse First Boston in 2001.
"We came to recognise ihotdesk as strategic business partners and sought their advice in 2001 on a comprehensive solution," says Steve Darrington, CFO and partner at Phoenix. "Governments understand the criticality of disaster recovery and so must businesses."
Phoenix identified its objectives with ihotdesk. These included 24/7 support with no lapses or downtime; 24-hour recovery, which meant that should it become necessary to invoke its disaster recovery plan, Phoenix will have all systems backed up and running from an alternate server site within 24 hours; and remote access allowing Phoenix' team to work remotely.
Phoenix had identified the systems that were critical to its business, which were then mapped by ihotdesk ready to be switched over to the disaster recovery site whenever required. Phoenix was given detailed instruction on the invocation process and regular testing of the solution has resulted in a seamless transition to the data taken from Phoenix' latest off site back-up.
Admittedly, Phoenix, in common with most financial sector businesses, has a highly mission critical network and consequently can bear the cost of such a comprehensive solution. But, as Vickers points out, "The costliest solutions can cost £400m so what's reasonable is open to interpretation – determining the value of the data is key to coming up with a workable policy."