Business continuity: more than just disaster recovery

John Smith of Selway Moore Solutions explains that business continuity is more than providing a safety net to disasters

Business continuity and high availability are not just about providing a safety net against risk and disaster. Even though as a subject it has grown rapidly in importance, in many businesses it is pigeon-holed as something they might do 'in an ideal world' or as a discipline which is someway down the agenda because the perceived risk is not as powerful as other pressures they face.


What the vast majority are actually failing to see is the opportunity it presents to move a business forward. IT personnel tied up with day-to-day remedial activity because small faults can cause big problems could actually be spending their time helping the business to develop new products and services.

One of the 'problems' that companies have with spending money on business continuity preparation, technology or services is that it can seem like writing cheques for something they will never need.


With the exception of certain businesses that are bound by regulation and therefore must make provision to recover effectively from disaster, many companies weigh up their perception of overall risk against the cost, and opt for keeping their fingers crossed and spending the money on something else.

Ultimately, it's a question of priorities - as with any subject in business that potentially can involve significant financial outlay, spending on Business Continuity solutions has always had to stand up to close examination.


Given the situation where budgets are often competed for within organisations, it is easy to see why some businesses would opt for spending on IT projects with a more tangible and immediate revenue generation slant than something which may or may not swing into action depending upon circumstances.

But businesses need to ask themselves, and indeed to study, how much time, effort and money they spend dealing with what they might see as 'day-to-day' continuity issues - those that don't affect an entire infrastructure or last a long time, but occur relatively often.


Most companies seem to accept that it is a fact of life that systems experience glitches and short-term downtime and there will always be the need to allocate finance and resources to deal with this inevitability. Yet this is more a question of attitude, convention and habit rather than forward thinking.


Any business that can foresee circumstances where their infrastructure is resilient and flexible enough to free support and technical staff from remedial and ad hoc work should also be able to see the possibilities this opens up for positive technical development and innovation.

There are very few business tools whose millions of users would accept breakdowns with the same fatalism that we all seem to do with IT, but by bringing Business Continuity in is a mechanism for efficiency, by allowing those people with the technical skills to create rather than merely repair, a company can spend more time attending to its goals and targets.


Imagine an infrastructure, designed with resilience at its core which allows skilled technical people to work on product development, on customer service technology or sales tools - what Board wouldn't want their staff spending more time on these kinds of projects and less on repairs?

Business Continuity needs to be part of the foundation of any IT infrastructure - it's not just backup with bells and whistles anymore, and it certainly should not merely sit as an adjunct to corporate IT only to be used in case of emergency.


It can be specified as part of the overall approach to IT and be justified and measured as a legitimate and, in most cases, affordable use of budget.


Good Business Continuity practice does not automatically come with an expensive price tag attached, and insisting that technology lets us down less often than we have been conditioned to expect does not have to put a nought on the end of any budget.

Creating a situation where any given employee who relies on IT availability to do their job has most of the ad hoc downtime eliminated is an issue which can be addressed via Business Continuity techniques and technology. If they don't need as much technical support, then that unused resource can be re-allocated.

Companies should start viewing Business Continuity technology and practices as an opportunity rather than a diversion or an irrelevance. Yes it can and has proved invaluable in times of crisis, and will continue to do so, but for the majority of businesses out there it should now be finding a revised role as a part of their infrastructure specification and as a tool to help them move forward.

Basic Steps to your first Business Continuity Management

Managing a business can be challenging and exciting especially in Africa. Everyday comes different bringing in challenges from customers, the government, competition and the environment. Knowing this, there are some events you cannot plan for, or can you?

As businesses are now even more reliant on information technology, specialist plants and suppliers which, when they fail, cause disruption to the business. Even if not destroyed access to the business may be restricted by gas leak preventing normal business operations.

Some questions to ask your organization are:

·      What would we do if you lost access to your primary premises, plant and machinery through flood or fire?

·      How would we cope if your IT or telecommunication systems fail?

·      Where would we get alternative supplies if your key supplier closed up shop?

·      How would we cope with loss of key staff and high levels of absenteeism?

Disruption can happen anytime, how well you deal with the effects to your business may determine your future.

The introduction of Business Continuity Management (BCM) to your organization will help you prepare and mitigate against major disruptions your organization may face. BCM has been employed by large businesses around the world to enable them cope with major disruptions. The techniques employed can be scaled to any size business in any sector.

There are five steps to an effective BCM process:

Stage 1 – Understanding your Business

The first stage is to understand how and what you need to make your business work and who has an interest in how well you perform.

·      Do you know who your stakeholders are- these are those who have interest in the business?

o   These will include your customers, employees, sub contractors, suppliers, banks, investors, insurers and auditors

·      Why do you need to identify them?

o   At the time of a major disruption these stakeholders will want to know how soon you will be back in business and what the effect of your disruption will be on their operations and investments.

·      Do you know which of your activities are most critical and if you could not continue them for any reason what would have the greatest impact on your business?

o   The impact may not initially be financial; it may be your reputation that is damaged, which in turn could cause new business to be reduced.

·      Consider how soon the disruption will impact your business; some activities can have immediate effect. Knowing this will help you prioritize activities that need to be restored

·      Do you know what you need to undertake these activities?

o   Identify the people and skills involved, what computer, software and data you require

o   Are there key drawings and specification that you need access to?

o   What communication do you need, both fixed and mobile

·      Who are your key suppliers

o   A failure by supplier may have serious consequences for you, preventing you delivering to your customers. The customers will hold you responsible, not your supplier.

Stage 2 – Business Continuity Management strategies

The next stage is to determine how you will restore the critical activities. In the initial stage you will have identified what you need to get up running first and what resources you need. There are several choices that you can make at this point.

The activity may be seen as so important that you may decide to provide a duplicate to avoid the failure occurring, eg find a second supplier for that critical product; back-up critical data off site. Alternatively you may decide that you will provide a partial level of service, perhaps to your most important customers, within a specified timescale, restoring full service as and when you are able.

Finally you may decide to do nothing in the short term, waiting until full business recovery has been completed.

Any strategy must recognise the internal and external dependencies of the organisation and must have general acceptance by management functions involved.

Stage 3 - Developing and implementing a business continuity management response

Having decided what it is you need to restore and how soon you will do this, create the business continuity plans that will enable you to quickly recover what is critical to your business.

The business continuity plan is at the heart of the business continuity management process and sets out what is to be done, who will do it and how to contact them in an emergency, where you will work from if the normal business location is unavailable, key suppliers for the essential services you need and where the critical data is stored. The plan will also detail who should be informed about the disruption.

The structure, content and detail of the plan will depend on the nature of the organisation and the risk and environment in which it operates. In particularly large or complex organisations, it may be necessary to have departmental plans, of which you may integrate into one high-level plan.

Stage 4 - Building and embedding a business continuity management culture

Documenting the business continuity plan is one element of developing a business continuity management strategy. Its success, however, depends upon implementation of the recommendations made across the entire organisation; a programme of training for those directly involved in the execution of the plan; and an education and awareness programme to ensure understanding and adoption of the plan in relevant parts of the organisation - this applies to both staff and suppliers.

All stakeholders should be informed that you have introduced business continuity management and what to expect if your business suffers a disruption, as this may give you a competitive advantage over others and customers will have more confidence in your reliability. It may even pre-empt their own demands for you to install business continuity management as part of future contracts.

Stage 5 - Maintaining and auditing business continuity management

Business continuity management does not end when the plans are written. They must be tested to see if they will work when you really need them. It is too late to find out the errors and omissions when you have to use the plan in earnest. Plans must be kept up to date as the business structure, suppliers and customers may change, as may contact details for key employees.

Be prepared to deal with any disruption, whether large or small, public or private, that would prevent you from satisfying your customers needs. Considering a BCM plan? Talk to Artco solutions on enquiry@artcosolutions.com or visit us on www.artcosolution.com

SELLING BUSINESS CONTINUITY TO FINANCE DIRECTORS

Nick Sutton, operations consultant, with Automata Global Business Continuity Solutions, discusses how business continuity professionals can gain more budget allocation for their departments by highlighting the direct benefits of business continuity to their finance directors.

The profile of business continuity has never been higher. The increasing reliance of businesses on technology, coupled with the increased risk of terrorist attacks – as highlighted by the recent tragic events in London – has meant that businesses are increasingly likely to suffer significant disruptions.

Despite this, a common problem encountered by many business continuity managers is the difficulty of getting budget allocated to spend on business continuity. One recurring question is “How do I convince CFOs/financial director to loosen the purse-strings and spend budget on BCM?” While these senior finance figures may be able to accept the more general benefits of business continuity, there are a number of benefits which directly relate to their roles and responsibilities. Convincing financial directors that business continuity management will directly benefit them may be the most direct and successful way of getting budget allocated. Some of these direct benefits are shown further on in this article.

The benefits of business continuity
The general benefits of a good business continuity programme are well-known and numerous, but here is a brief summary of some of the major plus-points:

• The planning that goes into the conception of a programme – including BIA and risk analysis – can often prove to be a valuable way of taking stock of an entire organisation’s processes. The enhanced understanding of an organisation afforded by a business continuity programme can lead to the enhancement and streamlining of processes and subsequent expenditure reductions. 
• Disciplines involved in protecting organisations such as physical security, logical security, risk management, insurance etc can be given improved focus if they are conducted in conjunction with a business continuity management programme emphasising mission critical activities.
• In many organisations rational structures may be overlooked when growth becomes the most important driver. A business continuity management programme can assist in rectifying this problem by mapping out the organisational structure. This assists in highlighting where bureaucratic and inefficient structures have developed.
• The effective handling of a business continuity incident – particularly a large-scale one – can have a positive effect on a company’s market value. Successfully negotiating a potentially devastating incident can increase public confidence in an organisation. In the case of an industry-wide incident, a company may be judged against its competitors on how the incident is managed. By successfully handling a business continuity incident when its competitors fail a company may achieve stand-out in the market.

Specific benefits for financial directors 

Business continuity can provide a number of benefits to financial directors, some of which are less obvious than others. Most financial directors will have one eye on the rising costs associated with running a business, particularly as they become more dependent on increasingly complex and expensive IT infrastructures. One expense that can often spiral out of control is that associated with storage area networks (SANs) and the memory used by them. Garry Poole, CEO of Automata, has seen how BCM can help in this area: “One of the areas in which I have seen clients make the largest savings is in terms of their expenditure on IT storage. BCM specialists can help identify the critical storage needs of an organisation. IT departments are often working blind and need input from people who understand an organisation’s needs. This is where guidance from consultants has often proved to be invaluable, helping to focus IT budgets significantly.”

The introduction of the Sarbanes Oxley (SOX) Act as well as the Companies Bill (often considered the UK’s equivalent to Sarbanes Oxley: seehttp://www.dti.gov.uk/companiesbill/ ), has raised the profile of business continuity in the world of finance. SOX is primarily focused on ensuring the accuracy of financial data and the ability of an organisation to report that data correctly. Accuracy of data is of course inextricably linked to IT security and resilience and this is just one area in which business continuity can play an important part of an organisation’s strategy. The focus that BIA can give to IT strategy and expenditure - through its identification of needs, shortfalls and priorities -makes for an IT infrastructure that can be relied upon to produce accurate data. One theory well-known amongst business continuity specialists is the ‘Backlog Trap’. The after-effects of interruptions to normal work flows can result in severe backlogs, built up while attention is focused on dealing with the abnormal situation or during resultant system- downtime. The increased workload brought about by clearing this backlog can often lead to errors being made or shortcuts having to be taken, both of which can affect the accuracy of data. Business continuity programmes can ensure that system-downtime is kept to a minimum and will also put in place measures to ensure backlogs are minimised and are subsequently cleared effectively.

One provision of SOX is the requirement that companies must disclose to investors the various scenarios and contingent liabilities that have the potential to affect the value of their investment. In this regard business continuity becomes profoundly relevant since it identifies these potential threats to an organisation. Furthermore, a business continuity programme can also minimise (and in some cases entirely negate), the likelihood of these threats being realised. Given the choice between investing in an organisation with a sound business continuity programme or one without such a programme, one would clearly be reassured by the knowledge that the investment was being made in a company with some inbuilt resilience.

The scandals that have rocked the financial world either side of the Atlantic have further highlighted the importance of IT security in maintaining the integrity of accounting data and financial reports. It is always difficult to legislate for crimes committed from the inside, and detecting fraudulent behaviour, often by employees with vast knowledge of the particular systems, is even more troublesome. However, business continuity can provide some protection against this very real threat. By helping an organisation understand its normal work flows, processes and system dependencies the various practices common to business continuity can help an organisation detect unusual activity, assign correct authority and permissions to individual user accounts and put in place checks and balances to monitor usage. While this may not provide a foolproof defence it may be that earlier warning is given. The ultimate responsibility lies with the people who decide how to account for profits, losses etc, but a business continuity focused IT infrastructure can certainly help facilitate this accounting.