If your organisation believes that Business Continuity is all about having back-up computers in the event of a disaster, it is wrong! Martin Turner, a senior consultant with systems integrator GFI Informatics and a specialist in Business Continuity considers what turns an IT-centred Disaster recovery plan into a true Business Continuity plan.
This article is about ensuring the continuance of your business. Mention Business Continuity and many organisations will say they are covered as they have back-up computers. The odd thing is that you will usually get this answer even if you ask business people rather than members of the IT department. The term Disaster Recovery is often confused with Business Continuity. Having “back-up computers’ will not provide Business Continuity; in fact it will probably not even provide real Disaster Recovery.
What does the term “disaster’ mean? This is something that disrupts the smooth running of your business. It can be anything from a loss of an entire set of offices, losing the people who run the business or losing data from a computer system as a result of a virus or malicious hacking.
How long can your organisation survive in the case of a disaster? If you are manufacturing company and you lost your premises, where would you relocate to, and how long would it take to relocate? If you are a public body and you lost your major systems, what impact would this have on your ability to provide service? If you are a financial institution and you lost access to your corporate data how long could you survive without it? Likewise, if you are a dot.com company how long could you survive if your web servers were unavailable?
Notice that of all these questions, only the final one relates solely to IT. For a dot.com company, the loss of the website (by losing the web server) is a disaster as anyone attempting to access the website would find it unobtainable and would go somewhere else, possibly never to return. For all other questions, a good Business Continuity plan could actually stop a company from going bust in the case of a disaster.
Obviously any plan will include information on Disaster Recovery – i.e. the technical side of Business Continuity. This will cover a full plan as to what will happen to voice and data communications, and how computer applications will be provided in the case of a disaster. The full Business Continuity plan will also cover other items relating to the business requirements, such as plans for the duplication or restoration of paper records and also details of where the business will relocate to if a disaster made the premises inaccessible
A Business Continuity plan is not something you can buy in a box! Each one is different, depending on the type of business of the organization, and perhaps more often, depending on the available budget. As usual, money rules! No board of directors will authorise investing a (potentially) large amount of money without a very, very good reason.
Therefore, the start of any Business Continuity plan is a risk assessment. This does not need to be expensive to carry out. As a starting point, the head of each of the main departments of an organisation needs to be asked simple questions such as “What would it cost the company if you were unable to access your offices or computers?’ and “What would you need to do first to re-establish your department’s functionality subsequent to a disaster?’.
A risk matrix can be produced showing a list of potential disasters that could befall a company together with the probability of that disaster happening, graded as red, amber or green. The impact of the disaster upon the organisation would also be graded as red, amber or green.
Clearly, the probability of a specific disaster occuring and its impact will depend largely on the particular circumstances of the organisation, such as location and type of business. For example, premises located near a river potentially may be susceptible to flooding, whereas those located on a hill probably are not. Similarly, a manufacturing plant suffering a flood may well experience a greater impact to its business than a service business with a largely field-based workforce experiencing the same “disaster’.
These are simplistic examples and obviously there will be other considerations, but they do serve to demonstrate how significantly this assessment of risk can vary from organisation to organisation or even within the different business activities and sites of a single company.
A final column in the matrix shows the estimated potential loss of finance per day in the case of the specific disaster occurring. Look closely at any item which shows red/red – i.e. a high probability and your organisation. This matrix is a powerful way of convincing the board that a full Business Continuity plan is essential.
Once there is an agreement to continue with the production of the plan, then each department in the company must be examined in some depth, noting the “things’ that are used in the day-to-day running of the business. This would include any paper records such as contracts, client instructions, correspondence, etc., together with details of the computer systems that are essential to the business. Other points to note would include the number of people required to run the business and who these should be as it may be necessary to run for some time on a skeleton staff. For each of the essential items there must be a plan to restore it in the case of a disaster.
All this talk of what to do in the case of a disaster is certainly not wasted, but the cheapest and most effective way is to avoid the disaster occuring in the first place! Stupid? Not at all, we are talking about protection against a disaster.
We are all aware of some aspects of physical protection in the form of fire alarms, burglar alarms, locks on doors, CCTV, etc. Technical protection can be split by hardware and software; with RAID drives to provide redundancy for disk drives, dual power supplies, clustered machines; with software protection including firewalls, anti-virus software, and ensuring the security aspects of any operating system are used correctly.
Prevention will always be more cost-effective than the creation of a full Business Continuity environment. However, regardless of the effectiveness of preventative measures, a Disaster Recovery site is usually required. There are many ways in which this can be provided, ranging from having a duplicate set of premises well away from the main premises (most expensive), through to having a reciprocal arrangement with a “friendly’ company to provide a certain amount of space in the case of a disaster.
Larger organizations tend to be spread across multiple sites and therefore may be able to make use of some space in a remote site to create a disaster site. A similar approach may be taken with regard to IT. For example, rather than having a set of computers set up and waiting on a remote site for a disaster to happen, it is more cost effective to have a test machine placed off-site which could be used for production systems in the case of a disaster at the main premises.
Whatever your situation; whatever size your organisation, you need a Business Continuity plan. Don’t employ consultants to write it for you, though. It’s your plan and it is unique to your organisation. So, do employ experienced consultants to help and guide you in creating it.
Infosecurity Europe is Europe’s largest and most important information security event. Now in its 8th year, the show features Europe’s most comprehensive FREE education programme, and over 200 exhibitors at the Grand Hall at Olympia from 29th April – 1st May 2003. www.infosec.co.uk