Real business continuity, Part 1 - The reality check
Look at just about any statistics on business continuity and they make pretty grim reading. Following a major disaster such as a theft, flood, fire or data loss, around 40% of businesses without a business continuity plan will fail immediately, with 40% failing within 18 months.
Recent disasters, from terror attacks to Buncefield, reinforced the idea that business continuity planning is indeed a good thing, but it is also clear that smaller businesses are still to catch up. Recent surveys indicate that businesses with a turnover of less than £20 million per annum are most at risk, with the retail sector being the least prepared.
Should we be surprised? The merest mention of 'risk assessment' will send most business owners to sleep - although the price tag associated with an elaborate business continuity plan will soon bring them round faster than smelling salts!
Business continuity is an inaccessible subject for many people, often deemed too expensive as suppliers jump onto the 'climate of fear' bandwagon. Even where people don't question the need to shell out on what some see as an expensive insurance policy, the role of IT is sometimes inaccurately portrayed. It is typical, for example, when asking about business continuity to hear quite incredible responses citing technology buzzwords such as tape backup or online backup as 'the business continuity plan'.
But it needn't be like this. This short series of articles is about 'real business continuity' and is designed to take smaller businesses through a more pragmatic but thorough approach that won't bore their socks off or cost the Earth. We also wanted to separate out some of the IT element that causes so much confusion.
Real Business Continuity - Expert Guide series
- Part Two - Assets, what assets? looks at the assets your business needs to protect, and documents the anatomy of a typical disaster.
- Part Three - The Plan introduces the business continuity plan and some of the technology that can be used to support that plan - technology that might also offer other benefits.
- Part Four - The Checklist summarises everything in the form of a handy checklist that will enable you to produce a basic business continuity plan for your own small business.
Back to reality: Disaster prevention doesn't work
In 2003, I strolled into the German HQ of the world's largest mobile phone company amid a minor frenzy. Their computer systems had failed - call centres and shops were all down, and pay-as-you-go customers could not top up their handsets right across Germany, a situation which continued for the best part of a day.
The problem with disaster prevention is that no matter how deep your pockets, disasters still happen. This company had spent millions on multiple redundant computer systems, teams of highly skilled people working 24x7 and probably even had Bill Gates' home number on speed dial. But when push came to shove it made little difference - their systems still went down.
When companies ask me why their computer systems cannot be 100% reliable, I often give this response:
- You can't ever have 100% reliability (see above as a good example).
- You might be able to get close to 100%, but it might cost you £1m per annum.
- Spend between, say, £500 and £50,000 per annum and you might be able to reduce any downtime in the event of a disaster to hours or even minutes.
- You can easily expect a week's worth of downtime if you don't spend any money at all.
That's the pragmatic answer - and one that also holds true for business continuity. You'll probably need to spend something, but there is little point in spending too much because you'll never completely prevent disasters, nor completely mitigate their effects. If your business can be up and running within hours following a catastrophic failure, that's good enough for most people, especially when you explain how unrealistic and expensive zero downtime might be!
Information technology = Confusion
In reality, information technology often clouds the judgement of those looking at business continuity. Many people expect their IT systems and hence IT suppliers to provide the answer, but that's usually a mistake on two counts:
1) Neither party may understand business continuity particularly well.
2) IT is only part of the business continuity challenge.
That, of course, doesn't prevent IT companies selling solutions to customers eager to buy on the basis that they've just 'solved' all their business continuity problems, hence the confusion.
In many cases, directors have quite unrealistic expectations when it comes to technical solutions. Take tape and on-line backup systems as two very good examples.
If a server was to fail completely or be lost in a fire, most directors assumed they could be back working in a matter of hours. Few realised that a 'bare metal' restore from tape could take several days, mainly because they hadn't factored in real repair or recovery times. And you'd be horrified to know how few people take those tapes off-site - what's the good of tape backup if the tapes also perish in the fire?
In another example, the director of a financial services company assured me that their information was safe because they backed up on-line. When asked if they actually held a spare copy of the specialist backup software off-site as well - this would be required to restore any data - there was a long pause, followed by this cracker: 'Couldn't I just buy a copy from PC World?'.
The answer, of course, was no - but this does demonstrate what we're sometimes up against.
Next Week - Assets, what assets?
Clearly, we're going to need to stand back from IT for a moment, and next week we'll start with a long hard look at our assets.
About the author
Stewart Twynham of independent business IT advisers Bawden Quinn is a regular contributor on technology and security issues to AccountingWEB, and is the author of our influential series of articles on information security.