Connecting MK

Business Continuity - The Show Must Go On

Seminar Speakers

Organisation | Speaker | Role
Paladin Crisis Management | Peter Clark | Director
Kingston Communications | Alex Black | Specialist, Business Continuity
Telamon Systems | Steve Derbyshire | Managing Director

The disaster at the Buncefield oil depot late last year cost businesses local to the site £70m. This was an unfortunate incident which emphasised the importance of having a disaster recovery plan (DRP) in place in order to maintain continuity of the business.

 

If disaster strikes then it is possible to fall back on insurance to cover the costs of buildings and machinery, but insurance does not cover the risk that customers will go elsewhere while a company is rebuilding its infrastructure.

It's not just about major disasters either - for smaller businesses, where security is not as sophisticated as in bigger companies, business continuity may be put at risk merely by theft of PCs or servers.

There are two keys to a successful disaster recovery plan - detailed planning and robust testing of the plan.

Plans do not have to be hugely sophisticated or expensive to implement. Smaller companies can take advantage of relatively cheap modern technology in order to put in place a basic contingency plan. A simple solution may be to have a reciprocal arrangement with a neighbouring business whereby companies host backups of each other's data.

Testing should include practical exercises, so that staff can see how the plan will work in practice and to ensure that it is completely viable.

Q: Do I really need a disaster recovery plan?
A: It is now common for large companies to demand that their suppliers have tested DRPs in place - particularly as supply chain resilience driven by 'just in time' delivery is dependent on guaranteed continuity. In some sectors, regulatory bodies insist on this reassurance too. Another advantage of demonstrating a robust plan is in place is that companies find they can negotiate a discount on insurance. For some small companies, the penalty of not having a plan in place is that they may not recover at all from a disaster.
Q: What are the essential first steps in a DR plan?
A: First you must consider what is important to your business, analyse what your systems are doing and prioritise in terms of what would need most urgent attention in the event of a disaster. For a small company where a server is stolen or destroyed it is clear where the priority lies. In a larger company it is a case of looking at which systems are most crucial to business continuity, and which staff need to be in place first to keep the business running.

It is important that a DR plan is not driven by the IT team, who may not understand the impact of loss of certain systems on the running of the business. In developing a plan you should pull together representatives of all areas of the business who can present the likely risks/challenges.

Consider the likelihood of a particular type of disaster and plan accordingly. For instance, do you have neighbours who present a particular hazard? It is essential to gain buy-in to the plan from senior management. Finally, agree which staff are critical in the first instance to keeping essential elements of the business running.
Q: If you have a reciprocal arrangement with a neighbouring company, for instance, to hold backup data for your organisation, is there a recommended minimum distance they should be from you?
A: This depends very much upon the type of disaster you are likely to be protecting against. If you are both very close to a fuel storage depot, or under the flight path of a busy airport, geographic distance is important. If the most likely disaster is theft, then proximity is much less of an issue. You need to carry out a risk assessment of the likely events which could affect your business continuity before making a judgement on this.
Q: Is a DR plan just about addressing IT issues?
A: No; it should be stressed that disaster recovery is not just an IT issue; it is a people issue. Communication is key. Be sure that if you have a plan, staff know the detail of the plan and have been fully trained on implementation. Staff also need to know what the triggers are for activation of a DR plan and who has authority to implement it. It makes sense to ensure those responsible for the plan are not just the top executives, who may be engaged elsewhere.
Q: Do you have any recommendations on communication with staff?
A: Management of information is essential. For example, contact addresses for all staff should be kept off site so they can be reached in an emergency. Even if they are not key to the recovery effort it is very important for morale to keep them in touch with what is happening. Directing communications externally also prevents panic inbound traffic which may clog up communication systems. One suggestion is to issue staff with a credit card sized information sheet with details of key contacts to communicate with in the event of an emergency. Another is to have text messaging set up to inform all employees of the status of events at regular intervals.

Remember to include and communicate with all staff; remember the 'non critical' staff left at home! Involve everyone in the rebuilding of the business as a team building exercise - often staff on the ground have ideas about how to make a business run even better.
Q: Is a DR plan essential if we have business interruption insurance?
A: It is important to be clear that if processes to prevent and deal with disaster are not in place, you may not be covered by insurance. Check exemption clauses very carefully, and the timescales for which cover applies. A 12 month indemnity is common, but 18 months is much more realistic.

Even if you are covered, you have the immediate problem of getting the business back to a state where it can trade. Many businesses don't recover from disaster because they haven't planned for continuity and, by the time they are back up and running, customers have gone elsewhere.
Q: What are the practical problems we are most likely to face in an emergency?
A: The main one is often access to premises. Even if your company has not been affected, a local emergency may mean the area is evacuated and you are unable to access your building. The power of local authorities/police is very strong in civil contingencies, and it is worth understanding in advance what constraints this may place on your business. For example, at the Buncefield depot the emergency services threw an immediate cordon around the area and prevented any access for any reason whatsoever for some time, for safety reasons. Therefore if you leave backup tapes on site you could find you are not able to access them if a disaster occurs.

Another issue can be communication - it is not uncommon for cell networks to be closed down by authorities, or to fail through overload. One answer to this could be remote hosting of a website well out of area (or country) to be used as a vehicle for communication with staff/customers. As a simple solution, pager messages often do get through where mobile phones fail.
Q: How does my quality management system tie in with a DR plan?
A: The information that you are required by your QMS to record can be vital to business continuity and you should look at what data this can feed into your DR plan. For example, home addresses of staff, where spares for your systems are kept, which are key customers and their contact details, suppliers etc. All of this information is crucial to a DR plan and is often already readily available to you through existing data capture.