The board of directors at Handleman never really considered business continuity to be a priority – until the Warrington-based music distributor was hit by an unexpected flood, which took out a number of servers and rendered its offices temporarily inaccessible.
Mark Bowell, IT support manager at Handleman, admits the firm had historically overlooked business continuity because it was hard to justify serious investment for something that might never be needed. ‘The problem is that vendors tend to come up with really unrealistic figures and there’s a lot of scare-mongering,’ he says. ‘We had a business continuity plan, but it wasn’t nearly broad enough.’
When a business continuity plan fails, chances are the blame will land squarely on the IT director’s desk, says Simon Mingay, research vice president at analyst Gartner. Mingay argues that chief information officers (CIOs) are increasingly being charged with responsibility for business continuity – but risk failure because they treat the issue as an IT problem.
In fact, IT leaders are being given responsibility for business continuity because their skills and experience make them the best person for the job – not because it is a problem that can be solved with technology, says Mingay.
‘Your average CIO has good project management skills, great risk management and he understands the core business processes at the heart of the organisation,’ he says. ‘Who better to take on responsibility for business continuity?’
Mingay says one quick and effective way to make clear the division between IT and business continuity is for the CIO to appoint someone to the business continuity team who is responsible for representing IT. ‘Whatever you do, don’t go along with your IT T-shirt on, talking about data centres and remote backup – that’s not what business continuity is about,’ he says.
Responsibility for business continuity planning at brokerage organisation Close Premium Finance falls to a committee, which is made up of representatives from IT and operations, together with all the main business functions.
‘It is vital because business continuity plans also cover things such as premises, business assets, employees, training and supplier relationships,’ says Jonathan Cattle, head of IT and planning with the firm.
So, how does the CIO ensure the business continuity plan will get the business – and not just its servers – back online when disaster strikes?
The most important thing is to do the groundwork before creating a formal plan, says Martin Byrne, who leads Accenture’s European business continuity practice.
This means a thorough business impact analysis and risk assessment – looking at what happens to an organisation if a particular business process cannot be completed for various periods of time.
For example, the first job of the business continuity committee at Close Premium Finance was to identify which of the thousands of activities carried out by the firm are most critical. In the event of a disaster, some activities must be restored as quickly as possible, such as customer service and payroll, while other, less critical activities, such as the staff canteen, could be restored over a period of days or weeks.
‘We have plans drawn up showing us how to restore the most important activities within an hour, then others within four, 12, 24 or 72 hours,’ says Cattle. ‘It is a process that has been refined through experience, as the company’s buildings have been seriously damaged twice by IRA bombs in London.’
As a CIO/business continuity manager, you will need to speak to business leaders across the company to get this information, although assess the responses in the context of the wider business strategy.
‘Realistically, everyone is going to tell you their service is vital, their systems must be up and running in 10 minutes or the business will fail – but not everyone is telling the truth,’ says Mingay.
Only when the impact analysis has been conducted should you begin the next stage – a risk analysis. This means identifying all plausible risks to your business, and the cost to the business of those risks. Once you have identified the risks, consider if it is cost-effective to eliminate or mitigate a risk, rather than planning to recover from a problem later. For example, if you have only one person who can run the payroll system each month, you may want to invest in additional training in case they are taken ill or leave the company.
For a CIO, getting board backing for investment in business continuity is likely to be the biggest challenge, says Crispin O’Connell, chief ICT officer at Cardiff County Council. ‘Because you’re hopefully never going to use this stuff, there’s a view that we’re throwing money away by investing in business continuity,’ says O’Connell. ‘It’s perhaps the biggest grudge spend in any organisation.’
At this stage, you will be left with some risks that cannot be eliminated or reduced. These are the risks a business continuity plan must address.
Once you have created a business continuity plan, it is essential to test it thoroughly, says Accenture’s Byrne.
‘Too many firms have an artificial sense of safety because they have a lovely plan on the shelf,’ he says. ‘But unless you test the plan, how do you know if your staff will be able to get to the new premises, if the backup tapes work, or if the remote access software works with your new payroll system?’
And just because a plan works once does not mean it will work for the rest of time. ‘Loads of businesses are still coasting along with the business continuity plans they drew up for year 2000,’ says Mingay. ‘The problem is that the world – your partners, customers, employees and the government – has moved on since then.’
There are no hard and fast rules when it comes to continued testing of a business continuity plan – it depends on how dynamic your organisation is, and the importance the board places in recovering from a disaster. In the financial services and retail sectors, companies tend to test business continuity plans at least once a quarter. But in a smaller or less complex company, once a year may suffice.
A full-scale test of business continuity plans can be expensive and complex, particularly if it involves partners, suppliers and regulators. But it is possible to conduct smaller tests more frequently.
‘A desk test, where you get the team together and challenge the test by thinking up different scenarios, is quite straightforward,’ says Byrne.
Best Practice: Business continuity
- Make it clear that you have consulted throughout the business.
- Use non-technical language that everyone can understand.
- Make it clear who is responsible for what. Make sure you include deputies to cover key roles.
- Use checklists that other employees can follow easily.
- Include clear, direct instructions for the crucial first hour after an incident.
- Include a list of things that do not need to be thought about until after the first hour.
- Agree how often, when and how you will check your plan to make sure it is always a living document. Update the plan to reflect changes in your organisation’s personnel and in the risks you might face.
- A good plan is simple without being simplistic, so do not plan in detail for every possible event. Remember that people need to be able to react quickly in an emergency: stopping to read lots of detail may make that more difficult.
- Plan for worst-case scenarios. If your plan covers how to get back in business if a flood destroys your building, it will also work if one floor is flooded.
reader comments