Business of IT: drawing up a business continuity plan
Business continuity is back on the agenda, as companies recover from a year of snow, ash clouds, and snow again. But creating a good continuity plan is neither just about planning for disasters, nor a task for IT alone, says Stephen Pritchard.
Severe weather, flu pandemics, power failures and transport chaos: events that disrupt a business come in many guises. And they happen more often than many organisations admit.
Although it is the large-scale catastrophes, such as natural disasters or terrorism, that make the headlines, most of the problems that affect a business' day-to-day operations are far more mundane. Even the IT industry term "disaster recovery" rather overstates the point. Good business continuity planning is less about reacting to disasters, than ensuring that the organisation continues to operate or trade, even when something goes wrong.
Business continuity planning does seem to be moving back up the agenda. According to Forrester Research, business continuity and disaster recovery planning is now the top priority for small and medium-sized enterprises (SMEs) for 2011, and the second highest priority for enterprises. After a few years where financial constraints limited businesses' willingness to spend on anything but the bare essentials, analysts now believe that companies are putting more money into their longer-term survival.
As Forrester researcher Stephanie Balaouras points out, it is not that there are more disasters or disruptive events per se, but that awareness of those events is increasing. The US-based Centre for Research on the Epidemiology of Disasters (CRED) calculates that between 2000 and 2009 there were 392 "disasters" worldwide, on average, costing $102.6 billion annually.
Those figures do not include the thousands of smaller failures, outages and disruptions affecting businesses on a weekly basis. Some events such as the recent heavy snow in much of northern Europe are a temporary inconvenience for most organisations. Others, including IT systems failures and virus or malware attacks, have put companies that are not prepared out of business.
Low awareness, low preparedness
However, despite the clear dangers, only around half of all businesses are said to have a business continuity plan, and even fewer have one that can really be considered effective. Bharat Thakrar, the global head of BT Global Services' business continuity portfolio, puts the percentage of companies that have a BC plan at 48 per cent, with the figure for SMEs "even lower".
Stuart Hotchkiss, author of the recent BCS book Business Continuity Management: In Practice, believes the problem goes deeper. "My guess is that 50 per cent of businesses have no plans. Of the remainder, half have out-of-date plans, which would never work in practice, and I would guess that only 10 per cent of companies do any kind of yearly testing," he says.
This lack of preparation comes despite evidence that disruption can be fatal to a business. According to research carried out by RISE, a cloud-based provider of data centres, which recently launched a business continuity service, 20 per cent of companies will suffer an outage. Of those that do not have a recovery plan, 43 per cent will never re-open, 80 per cent will fail within 13 months and 53 per cent fail to recoup losses incurred as a result of the incident.
As Forrester Research points out, one reason for low levels of preparedness is that it can take a headline-grabbing disaster to force boards to pay attention to business continuity. But there are other ways to focus directors' minds on the issue, including the risk of falling behind competitors, who will be more attractive to customers and more profitable if they suffer fewer failures, and the pressure of industry regulation.
"By investing in a business continuity plan, companies are able to protect their revenue and services from being impacted due to adverse weather, network or server problems or any interference with their day-to-day operation," says Steve Holford, chief marketing officer at Rise. "This 'security of service operations' is a crucial part of business planning, as the costs of operational downtime and recovery can be significantly higher than investing in a flexible business continuity plan."
The sheer price of downtime should, however, be sufficient to attract board-level interest. For Magnus Leask, IT director of Fast Track, a sports marketing company that runs events such as the Aviva UKA (Athletics) Grand Prix, the cost of continuity planning is low, when set against the cost of lost business.
"For Fast Track, average downtime per day during 2010 would approximately amount to 100,000 - 150,000," says Leask. "Our disaster recovery investment of 100,000 with [vendor] Neverfail, and the supporting hardware infrastructure is therefore an insignificant amount. The returns on this investment are large when we encounter problems."
IT recovery or business continuity?
For IT departments, though, it is vital to recognise that a good business continuity plan has both IT and non-IT elements. Conventional, IT-focused disaster recovery keeps systems running, but does little, for example, to help employees caught out by the weather. But an IT system that is prone to failure poses its own challenge to the business's operations.
"IT departments must remember and recognise that IT is there to serve the end users," says Andrew Barnes, a senior vice president at Neverfail, a vendor of business continuity technology. "The most important benefit of a disaster-proof BC plan is that the employees can continue to work as soon as possible after a problematic event."
To do this, IT departments can turn to technologies such as remote and mobile working and, increasingly, to cloud-based services, from simple online backups or Google Apps to more complex systems employing cloud infrastructure to store data remotely and run backup copies of applications.
Good communications management is also essential: companies need to ensure that they can circulate alternative email addresses and contact numbers of key personnel, and that staff working on a Plan B can connect to backup services, for example if the main VPN or datacentre is down.
"IT is a resource for the business, not an end in itself," cautions business continuity expert Stuart Hotchkiss. "If an IT infrastructure claims to be five nines, or 10 minutes of downtime per year, but the actual plans are so chaotic that it takes 20 minutes to find a phone number, what is the point? IT is rarely the problem in reality."
The fact that good continuity measures go beyond IT recovery plans emphasises the need for IT to be part of a multi-disciplinary team. "Ideally, business continuity should not start with IT," says Thakrar. "Start with sponsorship of the project at the board level in order to form a mandate for the plan that goes across the company. IT will be an essential support function to this."
Then, the project planning team needs to look at the organisation's business processes, to see which need protecting or replicating. Few organisations will be able to protect all their processes, systems or applications to the same degree. An orderly system for recovering data and bringing applications and processes back on line should also be part of the plan, so that all employees know what is offline, and how quickly it is likely to be recovered.
Plan, test, and plan again
No plan will be effective, however, unless it is tested. Businesses need to test both the practicalities of their BC arrangements (can staff reach a recovery centre, do emergency communications work?) as well as the technical recovery of IT systems and data.
"One of the greatest risks with BCP and DR plans is that a lack of testing results in failure. Testing should be the fundamental part of any business continuity plan," says Leask. He recalls that under earlier arrangements, ongoing testing was not part of the approach. "When we believed a solid strategy was in place, the reviews and testing were left on the shelf and cracks began to show in terms of our infrastructure's end to end availability.
"We now run a full DR test every six months which involves the migration of all critical applications across to our recovery site. As an example, from this rigorous testing we have been able to detect problems when running Exchange 2007. The solution was less than ten clicks of a mouse to fix, but the implications could have been extremely detrimental to the organisation in the long term had the testing not occurred in the first place."
Testing takes time, and can cost money. But for IT directors who have had to deal with an outage, it is testing that can make the difference between survival and failure. Only testing shows that the chain of command does work, and reveals where bottlenecks or vulnerabilities sit within systems themselves.
"No test means no plan or no capability," warns Hotchkiss. "Any change in circumstances needs a review and a plan needs testing yearly. This keeps it in people's minds."
Forrester calculates that business continuity and disaster recovery should account for six to seven per cent of IT budgets. That is not cheap, but it is money well spent.