Business continuity - is it expensive and hard?

In A Brief History of Time, Professor Stephen Hawking quoted his editor as saying that 'each equation would scare off half the readership'.

Having included the somewhat essential equation E=mc², Hawking expressed his hopes '... that this will not scare off half of my potential readers'.

To a certain extent the increasing prevalence of the words 'business continuity' in the media risks having the same effect on readers, says Carl Windsor, chief technology consultant for TeleCity.

Of course Hawking's concern was that a certain amount of reference to equations was necessary. 

In the same way, no business should ignore the perils of operating without a business continuity plan in place.  

Only 51 per cent of businesses surveyed by the Chartered Management Institute in January 2005 had a business continuity plan that covered their critical business activities.

The report also revealed that only 66 per cent of large organizations (defined as having a turnover of over £11 million) have a business continuity plan (BCP), with this figure dropping to only 33 per cent for their smaller counterparts. 

Are those businesses with no BCP conscious of the risks they are taking in the hope that it 'won't happen to them'? Or perhaps they are aware of the need for a plan but have not found the time or resource to prepare it.  

Let's discuss the first of these two possibilities for a moment. Risk acceptance can be a valid strategy, but it should be used as a measured approach, taking into account the likely impact and possibility of any particular event.

However, the following statistics, gathered by the London Chamber of Commerce, demonstrate that such a strategy contains inherent risks that stakeholders may wish to consider:

  • 90 per cent of businesses that lose data from a disaster are forced to close within two years of the disaster.
  • 80 per cent of businesses without a well-structured recovery plan are forced to close within 12 months of a flood or fire.
  • 43 per cent of companies experiencing disasters never recover.
  • 50 per cent of companies experiencing a computer outage will be forced to shut within five years. 

Thinking the unthinkable is essential. The horror stories about businesses closing due to disaster are not urban myths propagated by business continuity consultancies hoping to drum up extra business. The fact is that one in five businesses suffer a major disruption every year. Businesses cannot avoid business continuity planning.  

So, now we've addressed those businesses considering the 'risk acceptance' approach, let's turn our attention to those procrastinating due to lack of resource.

Recent major telecom outages and the real and ongoing threat of terrorist acts have given rise to numerous articles urging businesses to take disaster recovery and business continuity planning more seriously, reminding us that it’s a topic for the boardroom. Of course such planning is vitally important and quite rightly needs the highest management and board level buy-in to be successful.

However, by positioning continuity planning as a topic solely for senior management, such articles can give the impression that provisioning for the worst necessarily involves significant investment in both management time and money. In fact, when compared to the possible losses that can be incurred by not planning ahead, the overall cost is minimal.

Diagram showing likelihood versus impact 

Diagram - Accepting risks to your business should only be done following detailed consideration of the impact and the likelihood of the event occurring. Should the likelihood and impact both be high, steps should be taken to mitigate the risk.

Most UK businesses could achieve a significant improvement in their levels of resilience for a modest, or even neutral, investment and these steps can be taken now – without waiting for the high-level business continuity plan or expensive preparatory consultancy. 

For instance, working towards BS7799 compliance is a useful starting point when constructing your BCP (even if you never envisage becoming certified to the standard, it is based on industry best practice and is generally a good framework). 

Whilst commonly thought of as an IT standard, it is actually a standard that promotes good practice for information security management and there is no restriction to what form that information takes.

An information asset can range from a phone or a notepad to a database or CRM system. At the core of the standard is the need to identify all information assets and implement measures to protect their confidentiality, integrity and availability; good practice for all businesses.

The standard includes: 

  • Identification of information assets and their owners.
  • Assessment of the value of those assets.
  • Assessment of the risk to those assets.
  • Measures taken to reduce or accept the risk to the assets.
  • Development of a continuity plan. 

It is at this point that most budget-limited IT managers start to wince at the thought of a significant amount of work and investment. This doesn't necessarily need to be the case as reducing the risk to your assets could include tasks as simple as: 

  • Adding more comprehensive security and access methods to your buildings.
  • Provisioning resilient power for your servers.
  • Provisioning resilient methods for you to access your data.
  • Storing your data offsite. 

The critical importance of IT means that severe damage is inflicted, in terms of both lost revenue and customer dissatisfaction, when systems and networks fail or access to the information is lost.

However, it is extraordinary how many companies will allow their business-critical and customer facing applications to run on servers located in a basement or corner of an office with no uninterruptible power supply (UPS), unsuitable cooling and expensive, single-sourced connectivity.

The costs involved in moving these servers to a third-party data centre (less than most businesses imagine) would be quickly won back by savings made in management resource, space and power, with the added benefit of dramatically increasing the levels of IT and network resilience, as well as physical and logical security.

It is important to take a good look at the fundamental dependence that you have on your business facilities – physical access to your premises, email, telephone, the availability of the customer database, billing engines.

How resilient are they all? What backup do you have in the event that they are not accessible? If you have no continuity plan, how would your business function without those facilities? What could be done to make them less susceptible to single or multiple failures?

In terms of IT provisioning this might mean offsite data back-up, mirror server sites or resilient connectivity agreements (after all, it’s not much use having your data backed up somewhere if it can’t be accessed when needed).    

Appropriate levels of straightforward IT and business continuity provisioning, commensurate with businesses' needs, are affordable for almost every UK organization. A practical, smart approach will save time and money while offering the level of resilience and business protection required.

More and more companies are embracing standards such as BS7799, which demand business continuity plans for all third party suppliers.

Making the effort can give your business a competitive edge in addition to bringing the obvious benefits to your own business security. So those businesses who’ve been putting off taking any action should get on with it! You’ll see it is less daunting than you imagined. 

Further reading 

  • Business Continuity Management 2005, Chartered Institute of Management   
  • London Chamber of Commerce and Industry - Disaster Recovery: Business Tips For Survival 
  • Expecting the Unexpected: Business Continuity In An Uncertain World
    www.homeoffice.gov.uk 
  • Manchester Evening News: BT apology for phones meltdown

This article first appeared in March 2006 ITNOW.