Real Business Continuity, Part 3 - The Plan
The previous article in this series looked at some of the key assets that businesses depend on. The next step is to produce your business continuity plan. Rather than bore you with too much theory, we thought we'd start by looking at some of the practicalities.
10 top business continuity recommendations
1 - Outsource key services
The introduction of 'hosted exchange' email from companies like Star, hosted financial applications such as Online50, global CRM solutions such as Salesorce.com and the plethora of online project management software has changed the way businesses use software. Businesses can now lease the entire package as a service on a per-user basis rather than buying hardware, software licences, support, back-up and the rest separately.
Reliability goes up, costs come down (and are spread), and you gain other advantages. With Hosted Exchange you can access email on a Windows-powered mobile as easily as on your desktop, while Salesforce.com offers an array of mobile working options.
Most important of all, business continuity is built in. These applications will be running on expensive servers in top-class data centres - far better than you could ever manage at the office. All you require is a PC, laptop, PDA or mobile with Internet access anywhere in the world to keep working.
2 - Use a data centre
If your favourite software is not available online, you could still consider moving your 'production' servers to a data centre.
This typically comes in two flavours - straight dedicated servers where you lease everything including server, backup, firewall and support, or co-location, where you provide the hardware and pay a monthly fee to co-locate it. Whichever option you choose - like for like, the costs today are generally lower than hosting a server yourself.
3 - Think remote/mobile
London's 7/7 attacks told us to expect large scale evacuations, suspension of the public transport network or worse - with staff unable to reach work, even though the office is still fully-functional.
Remote working is a great way to solve that problem - Virtual Private Networks and Voice over Internet Protocol (VoIP) telephony (see later) mean your staff can work with their PC and telephone extension seamlessly from home.
Mobile working simply takes that one stage further, placing information directly on to your laptop or in the palm of your hand via your mobile phone. Even putting business continuity to one side for a moment, think of all the benefits this kind of technology could bring into your business right now.
4 - Back-up online
Online back-up ensures your data is held securely off site, away from the threat of fire, flood and other disruptions. It's usually more reliable than tape back-ups, although sometimes not as convenient for very large recoveries.
Not all online back-up software is created equal. Some are quite simple pieces of software designed to back-up a single PC, lacking the functionality of larger/more sophisticated solutions.
Attix 5 marketed by Techgate (amongst others) offers tools which can manage/monitor multiple PCs - plus you can access your data securely from anywhere over the web without any special software. This can prove invaluable when you need to access important files but the server is still lying dead in pieces on the server room floor.
5 - Maintain spare equipment off-site
When disaster strikes, logistics kicks in. Everyone assumes that they can simply roll up at their local PC World, buy a PC and everything will be fine. But the reality is usually very different.
Setting up a PC takes long enough when things are going well, but by the time you've factored in finding the software, installing it, finding the activation keys (or calling the telephone helpline because you've lost them), you can understand the importance of keeping a computer ready to use.
If your business relies on a server, then having a duplicate off-site might seem like a luxury, but a machine holding the most recent copy of your accounts/CRM/payroll package and ready to accept the latest data backup will help to keep your business moving.
6 - Use voice over IP
Internet telephony in the form of VoIP has many uses, not least at times of crisis. Because calls can be routed over the internet, it no longer matters that your ISDN lines have failed or have been dug up by the local water company.
Services such as sipgate and Skype can provide local incoming telephone numbers which can reach you anywhere, whilst other options exist for larger organisations looking to re-route their entire office telephone exchange.
7 - Keep an off-site media library
Most business applications are supplied on media which, once installed, sits in drawers or on desks gathering dust. Registration codes and installation instructions often get mislaid, whilst the regular 'service packs' or updates get added, then forgotten about.
When the day comes to reinstall from scratch, losing CD number 5 of 6 is no joke. Keeping copies of critical software offsite will ensure safe recovery.
8 - Talk to your suppliers
Don't wait until disaster to start thumbing through the Yellow Pages for equipment suppliers. Most IT/telecommunications providers offer some kind of disaster recovery/support service - from being able to supply equipment and spares at short notice, to much more sophisticated responses.
Talk to your suppliers and discover what solutions and services they can offer, and what advice or support they would be willing to give you.
9 - Write your continuity plan
Documentation is often the weakest link of business systems and processes - and not just within the IT arena. Unofficial processes develop organically over time - and we all know how these can break down when 'Sally is on holiday' or 'Brian is off sick'.
Consider the impact of a major crisis where the workforce might be scattered or unable to communicate, and you can see the importance of good documentation.
10 - Test, test, and test again
Finally, the middle of a crisis is not the time to discover that your backups are incomplete or that some critical part of your back-up plan doesn't work. Testing is a critical part of business continuity planning, but is rarely done well - usually because it can be a disruptive and expensive exercise.
That doesn't mean it's any less important. Those that do carry out testing will often discover plenty of flaws in the plan - where things simply don't pan out as expected. Even where things do work, they may take much longer to implement in practice: for example - how long would it actually take to restore that database or critical server?
The next, and final, article in this series will recap on everything covered so far in the form of a simple checklist to help you produce your business continuity plan.
Key components of a Business Continuity Plan
1. The What? - Answers 'what are we trying to protect?'
- What are the three most important things going on in your business today?
- Where are your weakest links?
- What are the worst three things that could happen right now?
2. The Why? - Answers 'why are we doing this?'
- What is the likelihood of the worst three things happening to your business?
- How long could you survive?
- How much could all of this end up costing you?
- How much should you be spending to make the problem go away?
3. The How - Answers 'how can we make this problem go away?'
- What steps can be taken to prevent the problem happening in the first place?
- What steps can be taken to mitigate the affects of the problem?
- Are you able to insure against the problem?
4. The When and Where - Key checklists and processes
- Identification of key assets and where they are to be found
- Security codes, activation codes, encryption keys, passwords, etc.
- Contact numbers/email addresses of key suppliers, customers, staff and IT helplines.
- Instructions/methods relating to the recovery of key systems, data, etc
- Procedures/protocols for use with key suppliers (eg ISPs, the bank, security companies, emergency services, etc).
5. The Who
- Who is responsible/accountable for developing the plan?
- Who is responsible/accountable for testing the plan?
- Who is responsible/accountable for activating the plan?
Real Business Continuity - Expert Guide series
- Part One - The Reality Check explains that you'll probably need to spend something on business continuity planning, but there is little point in spending too much because you'll never completely prevent disasters, nor completely mitigate their effects. The idea is to work out how long you can survive without your data - and have plan that will help you avoid that tipping point.
- Part Two - Assets, what assets? looks at the assets your business needs to protect, and documents the anatomy of a typical disaster.
- Part Four - The Checklist summarises everything in the form of a handy checklist that will enable you to produce a basic business continuity plan for your own small business.
About the author
Stewart Twynham of independent business IT advisers Bawden Quinn is a regular contributor on technology and security issues to AccountingWEB, and is the author of our influential series of articles on information security.