Real Business Continuity, Part 4 - The Checklist
In this final article, Stewart Twynham runs through the key points of business continuity, and asks some searching questions. Use these as a checklist - to make certain you and your staff understand both the need for business continuity, and some of the key issues.
Business continuity is important
- Following a major disaster such as a theft, flood, fire or data loss, around 40% of businesses without a business continuity plan will fail immediately
- A further 40% will fail within 18 months.
If that's not compelling enough, you need to be asking yourself the following questions:
- How would your customers react if something happened that you weren’t prepared for? If you missed an important deadline - would they simply take it on the chin, or would they go elsewhere? Might you not incur penalties for late delivery? Would you be in a position to deliver at all if you suffered major damage to your infrastructure?
- How would your staff react to a major problem? People are a critical resource at times of crisis - flexible, creative, dedicated - or at least they can be. If things look bleak, will your staff hang around to find out?
- How would your suppliers react? What if you cannot take delivery of goods, or (even worse) be in a position to pay for those goods? Will they continue to support you?
- How would your shareholders react? If your reputation suffers, what could be the financial impact on your business as a result?
- How would your competitors react? If you were unable to process or fulfil orders, would they simply stand back, or would they be offering special discounts to your disgruntled customers?
The answers to these questions may well set the tone and pace of your business continuity planning!
Business continuity isn't all about money
Thankfully, being prepared doesn't have to cost a great deal of money - it's simply about being prepared. Certainly, big companies do spend a great deal of money on business continuity, but their circumstances are usually different - shareholders will demand it, and losses could be substantial.
Take a typical small business that depends on a variety of IT systems:
- Do nothing, and you can easily expect a week’s worth of downtime in the event of a major problem.
- Spend £1 million a year and you might get close to 100% availability, but disasters will still happen, no matter how much you spend.
However, if you plan to spend (depending on the size of your business) between £500 and £50,000 per annum, you should be able to make a huge difference to the outcome.
- Could you reduce the chance of disasters happening in the first place, perhaps by outsourcing key systems, or maintaining more reliable ones? We discussed some of these options in part three of this series.
- Could you reduce the length of any downtime in the event of a disaster? Is there a small investment (time, money) that you could make in your systems that would make them more resilient? Do suppliers offer better service level agreements for a small uplift? Do you have the right agreements in place at all?
- Could you work to reduce the impact of any downtime on your business? If your staff knew what to do, who to contact and so on, would that make the process of recovery much faster? If your people better understood what was happening, would they be able to keep customers calmer, and suppliers happier? Good PR at times of crisis never does any harm.
- Are your insurance policies up to scratch? Will they fully cover you for the risks that you cannot prevent/mitigate? For example, you may have cover to protect you following a fire, but will it also cover the associated business disruption? Are there any exceptions or exclusions you need to be aware of (for example, related to a terrorist incident)?
Business continuity is not just about IT, either
Don’t forget, what happens to your supply chain or your staff during a disaster is just as important as your IT systems.
Identify your key assets
An important part of business continuity planning is identifying the key assets within your business. We covered these in part two:
- Communication systems
- Information assets
- Physical hardware
- Premises, and other physical assets
Questions you need to ask yourself:
- What would happen to your business in the event of a fire/flood or major theft? What contingencies should there be in place? How much equipment would you need to get back to work? Where would you get it from? Where would your staff work?
- How would you cope with a serious IT or communications failure? What’s the back-up plan? Who would you call? What service level agreements are already in place? Are the right technologies or solutions in place which might prevent or mitigate such a failure? Most people take such systems for granted - do you fully understand the implications of losing a key IT or communications system?
- Have you considered the key services that your business relies on? Not just the obvious ones like water, gas, electricity, etc - but also think about technical services that power your IT systems such as your broadband connection, email services, internet service providers, DNS (Domain Name System - the system that keeps your domain working). Often, these services represent a single point of failure.
- Is there any other equipment which is critical to your business? How easy would it be to replace? If it cannot be replaced - should you consider having two (in different places), or do you perhaps know where you could borrow one? If it’s unique and irreplaceable, should you be spending money on better security and/or fire protection for this one item? Would your insurance cover consequential losses?
- What if there was illness/injury of critical staff? Loss of staff may trigger the business continuity plan, or may threaten it - after all - they could be key players in the plan. How well are your business processes/continuity plans documented? Are all employees aware of what’s happening in the business in the event of a problem?
- What if staff couldn’t get access to the premises, or indeed even travel to work? Is there a business continuity centre they could divert to, or could they simply work from home? Do you have other offices that you could use? Do you have friendly suppliers/customers with excess space that you could call upon? Do you have the contact numbers of your local serviced offices - could you set up a simple arrangement with them?
- Would your people know what to do should disaster strike? What if key people are on holiday at the time? During the disaster, could your key staff keep in touch even though they may be in different locations? Does every member of staff have a phone list to hand?
Tip: Split the responsibilities
Business continuity is a little like eating an elephant - there is just so much to think of that you need to break it into smaller pieces. If your company is fortunate to have enough staff to be able to split the responsibilities - then do it.
- You will reduce the workload on individuals
- You will reduce the dependency on individuals
- Individuals can better research their own areas and become local experts.
Real Business Continuity - Expert Guide series
- Part One - The Reality Check explains that you'll probably need to spend something on business continuity planning, but there is little point in spending too much because you'll never completely prevent disasters, nor completely mitigate their effects. The idea is to work out how long you can survive without your data - and have a plan that will help you avoid that tipping point.
- Part Two - Assets, what assets? looks at the assets your business needs to protect, and documents the anatomy of a typical disaster.
- Part Three - The Plan tackles some of the practicalities you will need to deal with and sets out the key components of a business continuity plan.
The aim of this series was to make the subject of business continuity more approachable, and encourage small businesses to take a wider, more pragmatic view. But we’ve only scratched the surface. Thankfully there are plenty of other places you can go if you need further help and advice, and here are some links you may find useful as further reading, before you hit Google:
- London Prepared
- Business Link
- Preparing For Emergencies Case Studies
About the author
Stewart Twynham of independent business IT advisers Bawden Quinn is a regular contributor on technology and security issues to AccountingWEB, and is the author of our influential series of articles on information security.