Plan to stay calm in a crisis

80 per cent of businesses that suffer a major disruption fail within 18 months, as their customers go elsewhere.

Legislation and regulation, however – Sarbanes Oxley in the US, the Civil Contingencies Act in the UK and so on – are the principal drivers behind a new awareness of the importance of disaster recovery and business continuity that is manifesting itself in an unprecedented wave of interest in the ways and means by which a business can protect itself against the unexpected. Read original article.

And the unexpected is just that. Nicki Dennis, head of market development for the British Standards Institute, says: “It could be a fire or a flood or a terrorist attack, but most of the things that upset continuity are more mundane – drilling through an outside power cable, for example, or failure of the air conditioning. If you have a plan in place to cope with emergencies, it helps create a degree of calm.”

So what is disaster recovery? What do we mean by business continuity? A useful handbook published by IT Governance* says disaster recovery is the “methodical preparation and execution of all the steps that will be needed speedily to recover from a disaster, usually one caused by technology”. Business continuity is designed to ensure that: “certain business functions continue to operate in spite of disasters striking an organisation”.

Disaster recovery has historically focused on ways to recover from IT failures, but has morphed into business continuity, as the importance of people and an emphasis on speed of recovery has become evident.

“Do we have incidents? Absolutely. Have they affected our business? No,” says Karen Dye who has global responsibility for Sun Microsystems’ crisis management programmes.

She points to the importance for a multinational of observing continuity guidelines in each of the territories in which the group operates, but says the way the group is distributed worldwide is a strength. She points to the most important elements of the Sun plan.

First, that it is championed by a senior executive at headquarters – who reports directly to the chief executive – and by a champion in each of the business units.

Second, the plan is “owned” by the business units that take responsibility for implementing it.

Third, that with limited resources, there is an emphasis on what is most critical to the business.

Peter Power, managing director of London-based Visor Consultants, which specialises in advising companies on contingency planning, likes to describe the dangers as “bombs, bird flu and banana skins” – the latter frequently leading to the loss of a company’s reputation – a situation from which it can be difficult to recover.

Mr Power says that contingency planning has splintered into silos – enterprise risk management, corporate social responsibility, operational risk management, business continuity and data security.

He advocates a holistic approach, that could be labelled “corporate resilience”, which should attract lower insurance premiums. “It can give you competitive advantage” he argues. “Take it out of the box labelled ‘grudge purchase’ and cut your insurance bills.”

Michael Faber, vice-chairman of another recently formed organisation, the Institute of Operational Risk, agrees that business continuity and operational risk are two sides of the same coin. “There has to be greater integration,” he says. “That is the way forward.

“After all, our job is to provide the right information to the board so it can appreciate the true level of risk and take appropriate decisions.

“There is a danger that all these pockets of risk that are not talking to one another or sharing information will present a disjointed view to the board. The different disciplines need to co-ordinate and co-operate more.”

It is an approach that would be welcomed by the rapidly growing business continuity industry. Keith Tilley, who is vice-president, Europe, for SunGard Availability Services, the Philadelphia-based pioneer in disaster recovery centres, says customers are demanding a sharp reduction in the time between the onset of an incident and full data availability. “When we started in 1979, it was 24-48 hours. Now for priority applications, people are asking for 100 per cent availability.

“In the business, we talk about the ‘recovery time objective’ – how quickly does something need to be recovered – and ‘recovery point objective’ – what should it look like on recovery.

“A City trader would not want to lose a single transaction but might be able to survive for 10 to 15 minutes. An airline such as Ryanair needs its online booking system available at all times, otherwise potential customers would simply switch to competitors.”

A point made time and again by business continuity experts is that the development of an effective plan starts with a careful examination of the basics of the business. Edward Wilding, chief technical officer at Data Genetics International notes: “The fundamental question which businesses must keep in sight when preparing their business continuity programme is: ‘Why are we doing this?’.

“There is a world of different between appearing to comply with a given standard and creating and implementing a strategy that both works and is practical. Too many businesses try to adopt best practice or benchmark their procedures against competitors without thinking: ‘Will this work in the event of a catastrophe?’”

And David Porter, senior risk and fraud expert at Detica, emphasises simplicity. “Most business continuity plans are too complex and confusing for people to follow when they are in the heat of a crisis,” he says.

Once you have written your plan – and before consigning it to the shelf – you must carry out a table-top simulation in which all the key actors in the plan are around the table. You’ll be amazed at the number of holes and glitches that come out of this dress rehearsal.”

* Disaster Recovery and Business Continuity by Thejendra BS, IT Governance Publishing 2007. www.itgovernance.co.uk