Real business continuity, Part 2 - Assets, what assets?
In last week's introductory article, we took a look at some of the realities of business continuity planning:
- The vast majority of businesses without a business continuity plan will fail following a disaster - if not immediately, then soon after.
- Many directors and owners assume that business continuity planning is complicated or expensive - but this really doesn't have to be the case.
- Sometimes technology is cited as the solution to business continuity, but unless this is part of a well thought-out plan, the results in the event of a real disaster could be disappointing.
It won't happen to me
If you think business continuity planning is just a good way for consultants to drum up more business, think again. While the "climate of fear" has certainly driven substantial growth in many specialist companies, the London Chamber of Commerce reports that one in five businesses suffer a major disruption every year.
Your information assets
Businesses depend on all kinds of assets - not only information or raw data itself, but all of the underlying systems needed to process and communicate that information. The following is not an exhaustive list, but is a good starting point to help identify what's important in your business. Without this list, you cannot move forward and create your plan:
Most businesses rely heavily on their telephones to communicate with suppliers, customers and staff, yet according to recent surveys only 40% of large businesses have included their telephone systems within their business continuity plans! Sure, BT can divert all incoming calls to your mobile, but that doesn't help when you've normally got 30 incoming phone lines.
Email systems are another bone of contention - getting the email system up and running and then getting the email flowing again could take many days in the wrong circumstances. Naturally, some businesses may rejoice at the lack of email, but others will undoubtedly suffer.
Communications technology can itself be a critical part of your Business Continuity Plan in its own right. Remote working, for example, can mean that it is no longer essential for staff to come to the office to work.
With all these facts in mind, that's why we've included communications right at the top of the business continuity agenda.
2. Information assets
This is probably one of the most recognisable components of Business Continuity - ensuring that your data is kept safe.
However, you need to remember that this data can take many forms, including:
- Paper based documents, files and certificates
- Vital notes scribbled on post-its and notepads (that critical password or URL)
- Important information contained in someone's head and never written down - "Jane would know how to reinstall that software' but Jane's on holiday".
Software needs a special mention here - you will almost certainly need access to a copy of critical software in order to access and use the data you've been religiously backing up, including: :
- All media and associated documentation (not just installation instructions, but support helpline numbers, licence keys and pass codes as well)
- Operating systems (particularly for servers) plus server software (eg SQL Server or Microsoft Exchange)
- Any updates, upgrades or patches which may currently be sat on someone's desk
- If you're backing-up on-line - don't forget the on-line back-up software itself plus all the access codes and passwords you will need to restore your data!
Having a copy of your data and the associated software is rarely enough - you will also need something to run it on. If your business relies on a server, then you may find getting things up and running from a recent back-up is less than speedy. Restoring from either tape or on-line back-up will generally require hardware very similar to that which went up in the fire. Those with tape back-up will also need access to a compatible tape drive.
Sometimes a PC can be used as a temporary home for your database or financial package, but you will then have to go through the hassle of reinstalling everything twice - once on to the PC and then again on to the replacement server.
4. Other Physical Assets
In addition to the hardware identified above, there may also be other physical assets on which you may depend. Good examples include the token you use to access your on-line bank account or even something as mundane as a chequebook.
Staff are clearly a critical part of any business continuity plan, and need to be accommodated accordingly. Recovering or otherwise safeguarding your IT systems is no use if your staff cannot then adequately access those systems. As mentioned earlier, remote working may allow your staff to remain at home whilst your office is out of action - provided your IT systems remain working.
Thankfully, people are also a fantastic asset in the business continuity plan - they are resourceful, flexible and adaptable creatures, which is why involving those very staff members in your business continuity planning from day one can be extremely beneficial to both staff and business.
When disaster strikes, the organisational structure will soon break down unless your staff know what to do, where to go, what process to follow, etc. Should people turn up at work? Should they just go home? Who do they call? Can work contact them?
One of the things that strikes most people when we carry out this exercise is how dependant IT systems are on so many other factors. People understand that they need to back-up their data, but what they fail to grasp is without the right hardware, communications, people, processes and a whole lot else in place, the chance of restoring that data in an effective and timely manner is extremely small.
The good news is that a little foresight and planning will make an enormous difference to the resilience of your business and ultimately the final outcome following a disaster.
The anatomy of a "disaster"
Many people associate the term disaster as a single finite point in time - however a true disaster is actually a much more complex beast:
- Often, there is a long chain of events which lead up to the disaster, possibly as a result of decisions that you or your business has made. These might not seem important now, but are likely become a major talking point once things calm down!
Disasters can take place over an extended period of time, you may not even know you're having one! What started out as a support call to your IT provider complaining about email problems might transpire three days later to be a complete system meltdown. A minor flood in the basement might not seem to be a big problem until it takes all the electrics out.
Disasters come in all shapes and sizes. A fire could take out only part of an office block, or could take out the whole building. A hurricane could take out the entire city.
Disasters often strike when you are at your least prepared. Critical personnel might be on holiday, or it could be out of hours.
Recovery from a disaster may well take time - buildings can take months to rebuild, but the fully equipped Portacabins didn't miraculously appear on site straight away. A real recovery following a major disaster will go through many phases as services and facilities are gradually restored, ideally in order of business priority.
Next week - Part 3
By now, you should have a much clearer idea of what's important to you and your business. We will use this information next week as we look at some real business continuity plans.
Real Business Continuity - Expert Guide series
- Part One - The Reality Check explains that you'll probably need to spend something on business continuity planning, but there is little point in spending too much because you'll never completely prevent disasters, nor completely mitigate their effects. The idea is to work out how long you can survive without your data - and have plan that will help you avoid that tipping point.
- Part three - The Plan introduces the business continuity Plan and some of the technology that can be used to support that plan - technology which might also offer other benefits.
- Part four - The Checklist summarises everything in the form of a handy checklist that will enable you to produce a basic business continuity plan for your own small business.
About the author
Stewart Twynham of independent business IT advisers Bawden Quinn is a regular contributor on technology and security issues to AccountingWEB, and is the author of our influential series of articles on information security.