If business continuity has dropped down your board's priority list, you are not alone. Despite high profile disasters, many companies just have not got around to considering contingency plans. A plan which ensures information availability by keeping your people connected with your business data at all times is still perceived as desirable, not essential.
By far the most common reaction among smaller companies is to think 'it won't happen to me' - a naive point of view. Large companies tend to think they can call in favours or exert pressure for preferential treatment from suppliers, which is equally dangerous.
Companies frequently focus on the bigger problems first - but the reality is that a terrorist attack is less likely than an email outage. Both would have a serious impact on the ability of a business to operate and communicate.
Relying on public sympathy will not save you. Some natural or man-made disasters may engender sympathy from other businesses and the general public; others, such as systems or power failures will not. And compassion can be short-lived. It will not be long before the outside world expects you to be available.
Lack of good business continuity planning can have a grave impact. If a disaster occurs and a company is unable to continue business as usual, brand and reputation are guaranteed to suffer. This will eventually translate into a tangible effect, as sales and market share drop. Investors may withdraw existing investment, or be reluctant to put in further cash.
Compliance with an increasing plethora of regulations and legislation is another good reason why the board should be concerned with the availability of its information. This includes industry sector-specific rules, such as those laid down by the Financial Services Authority and Basel II.
More far-reaching for most companies will be enactment of the Civil Contingencies Bill. This will dictate that local authorities, emergency services, infrastructure and utilities companies make appropriate continuity plans in case of a large-scale incident, and will encourage all UK organisations to support this by looking at their own contingency plans. In addition, the Companies Act means that directors have a moral duty of care to employees and business, which if not adhered to, could lead to a prison sentence.
There are additional tangible and intangible staff-related benefits from business continuity planning. It will improve general staff confidence in the organisation, because it demonstrates that you have considered and planned for staff and workplace needs if the worst comes to the worst.
If you are affected by a disaster, staff attrition is likely to be reduced, thereby reducing the costs of post-incident recruitment and loss of reputation amongst peers.
Providing staff instructions can also prevent uninformed or malicious comment to the press. David McManus from B&CE Benefit Schemes mentions an incident which followed a small fire in the basement of one of the company's offices. No one was hurt, but the local press talked to a typist who had been among the staff. The headline that followed - '200 terrified staff flee blazing building' - was totally out of proportion. B&CE took immediate action and introduced a comprehensive media strategy. There was no harm done, but if the national press had picked it up, the damage to the company's reputation could have been a lot worse.
Making a start
It is tempting to assume you can cope with your business continuity needs without approaching a third-party supplier. However, independent research, carried out by IDC on behalf of SunGard in 2003 showed that outsourcing business continuity actually reduced expenditure by over 80%.
The first step is a business impact analysis (BIA) and risk review (RR).
The RR aims to identify potential causes of interruption, which will vary from business to business, but may include system failure, water leaks, power outages, fires, or the inability to access the workplace for any reason.
The BIA identifies the mission-critical business functions - the minimum needed for the organisation to remain in business. The most critical functions should obviously be recovered more quickly than those that are non-urgent.
Without a BIA and RR, companies run the risk of over- or under-engineering their business continuity solution.
The plan should include reactive, proactive and interactive elements: reactive so that the business can recover from a disaster, proactive to mitigate the risk of one happening, and interactive, involving high availability or managed solutions to keep the most important applications up and running at all times.
The right solution
The key is to prioritise the needs of the business against the business continuity aims and objectives. Only then will you achieve the right solution for your organisation. A consistent approach from the top down is needed.
Once complete, it is essential that the plan is tested thoroughly and lessons learnt. It should be reviewed at regular intervals, evolving as business priorities change.
As electronic information and communication are now essential to practically every organisation, business continuity should be a boardroom priority, so that the entity remains in being, no matter what happens.
- Keith Tilley is UK managing director, SunGard Availability Services, Tel: 0800 143 413, SUNGARD CUSTOMER ADVISORY BOARD
The customer advisory board provides a forum for communication and information sharing between SunGard, its customers and key professional, government and regulatory agencies. It currently comprises:
- Jamie Watters, business continuity planning manager, Abbey
- Richard McGrail, head of information systems, Baillie Gifford
- David McManus, assistant group secretary & group business continuity manager, B&CE Benefit Schemes
- Mark Welsh (chairman), UK contingency and audit manager, EDS
- Dr Sarah Walsh, head of facilities & business continuity management, Guardian Newspapers Limited
- Robert Dawson, groupware services manager, TPG
- Duncan Ford, UK head of business continuity management, Zurich Financial Services.