Business continuity - just an expensive policy?

Correy Voo of BT's business continuity, security and governance practice looks at ways to handle whatever may arise…

For those of us that don't have the powers of Mystic Meg, foreseeing the cause of the next disaster to affect your company can be nearly impossible.

True, if your office lies in the path of regular hurricanes, then you might have an idea of what will cause you problems, but these days companies are exposed to a much wider range of risks than ever before, including power cuts, road accidents, staff sickness or software viruses.

But you can still make sure you are prepared to handle anything that does happen.

Whatever the problem is that causes your offices to be inaccessible, your IT systems to go down, your employees to be unable to get into work or your customers to be unable to place orders, the first question the board will ask isn't what went wrong.

It will be to find out how long it will be before things are back to normal - and that is where business continuity planning comes into its own.

Companies that have got plans will be able to quickly move into new premises, recover their data, enable employees to work from home or switch to a remote call centre - to do whatever they need to enable the company to get back to work.

Any delays can be expensive and, in the worst cases, threaten the organization's very existence. But businesses still don't invest the time and resources needed to put the right plans in place.

The problem for the team responsible for business continuity (if indeed there is one) is that the benefits of all their plans aren't fully evident until something goes wrong. How can they prepare for something that might never happen?

Let's start at the beginning

There are some simple steps that any company can take to ensure they are prepared for whatever the future may bring. But it's not just about an insurance policy or a 'break glass in case of emergency' tool - McKinsey has stated that if you can manage risk successfully, there is a clear return on investment.

It says that over 80 per cent of investors would pay 18 per cent more for shares in a well-governed company. That's something that should make even the most cynical board member sit up and take notice.

How can you manage risk effectively and ensure the continuity of your business? Many organizations choose to base their strategy on industry best practice and, to help them, The Business Continuity Institute has produced comprehensive guidelines that provide a solid foundation for any business continuity plan. Companies will of course need to tailor the plan for their own company and circumstances, but the guidelines can be a good place to start.

Beyond that, there are three steps that companies should go through to make sure they are prepared for any eventuality. The first is to make sure they have a thorough knowledge of the business from the top down.

This may sound straightforward enough, but it needs to consider everyone from your shareholders to your customers and employees, looking at what they need from the business, what they consider to be important processes and activities, and how they would respond in times of trouble.

Your view must be balanced, accurate, comprehensive and current to ensure that the procedures you put in place to ensure business continuity are right.

Many companies find that it is useful to employ the services of independent business continuity experts, who have the benefit of being outside the organization, which makes it easier for them to create a sufficiently detailed and accurate view.

Company employees just 'know how things are done' and make assumptions based on their experience, which means they can easily overlook what, to an outside business continuity expert, may be an obvious issue.

One example of this is the company in which the team that operates the servers had assumed that the team that runs the network had planned in redundancy to protect against the loss of a single connection, when in fact it hadn't. It is a simple mistake, but one that could easily prove catastrophic.

This process of understanding the company from the top down will help you to identify its mission critical activities (MCAs). These are the processes and activities that your company does on a daily basis that are the most vital to its ongoing survival and success, and should be the ones that are most quickly reinstated should your business continuity plans be called into practice.

Once you have got a comprehensive understanding of the company's objectives, priorities and operations, you should then start to consider the risks it faces – from large-scale disasters down to the more routine events that could affect its ability to conduct its MCAs.

For many companies, identifying these risks starts and finishes with IT failures – viruses or server crashes for example - but that's just a beginning. The risks of human error, one of your key suppliers going out of business, and so on also have to be thought through.

Risk vs ROI

The second stage of business continuity planning is to really understand how the cost of your plans is offset by their benefits.

The costs are easy to identify: the resources and investment needed to develop and communicate your plans, the additional infrastructure needed so that if one part of the business fails, another part can take over, and the extra IT equipment you need for backups or to ensure you aren't vulnerable to a single point of failure.

But that's where the age old question gets asked time and time again - how can you calculate the benefits of protecting yourself against something that might never happen?

With a detailed understanding of how the company works and a comprehensive impact analysis, it is possible to predict the costs that could result from an incident both before and after the business continuity plan is put into place.

This allows competing and alternative investments to be assessed based on their ability to reduce the organization's overall financial risks.

In addition, many companies find that the analysis they go through when developing their business continuity plans actually delivers other, unexpected benefits.

For example, it can highlight processes that could be completed more efficiently, or enable the company to be more agile in responding to changing industry demands, because of the more comprehensive understanding of how each element of the business works together.

Test, test and test again

The third, and possibly most important, key to success of any business continuity plan is testing. Only when a plan is rehearsed will any weaknesses be revealed, and you will be able to prove to the board that in the event of a disaster your company can cope.

It's no good just assuming you can recover data from backup, or that a contact centre in Scotland can take over from one in London – you actually have to be able to prove it.

A plan shouldn't just be rehearsed once and then locked away in a desk and forgotten about. When you change a part of your infrastructure or organization, you must re-plan for business continuity and test your new plans again.

Business continuity management, if utilized consistently and regularly as part of normal business operations, can deliver significant competitive advantage. 

It is painstaking work, but it can make the difference between continued success and business failure.

This article first appeared in March 2006 ITNOWextra.