Even though businesses rely heavily on their corporate data to operate, a high number are still failing to put adequate disaster recovery (DR) and business continuity management (BCM) plans in place.
Part of the problem lies in the fact that, although advisory bodies say organisations need to make adequate recovery plans, there isn’t a consensus as to what it involves.
Ian Sumbler, IT partner at accountancy firm Morris Owen, explains: ‘Five years ago, I would have said it meant back-up, but once you start talking to people, you realise that DR and BCM are big topics and back-up and recovery are only a small part of it.’
Smaller firms are less likely to have adequate procedures in place than big businesses. But that’s not to say all bigger organisations are covered.
According to a recent survey among 200 UK companies by security consultancy Activity, only 25% of organisations with between 250 and 499 staff were covered in DR and BCM terms. This fell to 13% for firms with 50 to 250 staff. Neil O’Connor, principal consultant at Activity, says that is likely to be proportionately lower among firms with fewer than 50 employees.
Another worrying finding was that, even among those companies that already have provision in place, as few as 15% believed that their plans would work in the face of a real-world disaster because of insufficient testing.
‘It’s a time and cost issue. Everyone’s conscious that they should do it, but a lot of companies don’t get round to it. But it’s also about maturity. The more mature a company becomes in terms of internal processes, the more they worry about the business being able to continue if things go wrong,’ says O’Connor. The principal motivation seems to be ‘when something happens to them’ or when major incidents occur such as last summer’s flooding.
A generally increasing awareness of the need to improve corporate governance and risk management procedures is also starting to emerge, and this is only set to grow following the further introduction of the Companies Act at the end of this year.
Learn through experience
In Morris Owen’s case, the impetus for action was generated by the firm’s Microsoft Exchange email server breaking in 2003. This caused ‘grief for a week-and-a-half’ before it was possible to get a replacement working. This experience brought home how ad hoc previous back-up and recovery procedures had been.
It also made Sumbler consider the potential impact should lightning strike the company headquarters in Swindon, as it had done a decade earlier, wiping out the computer and phone systems. ‘If that happened now, we wouldn’t be able to recover properly. Given our reliance on technology, no one could work and client needs don’t wait for your disaster to resolve itself,’ says Sumbler.
This is particularly true in the case of the firm’s Virtual Accounts Office service, through which it provides about 40 customers with a menu of outsourced financial services ranging from invoicing and debt collection to handling client queries. ‘So if anything were to happen to our organisation, it would impact not just on our product delivery to customers but also on their ability to do business,’ says Sumbler.
As a result, he started work on developing DR and BCM plans to cover not just IT, but the entire business, in the event of a generic rather than any specific disaster. He also required that the plans be signed by all partners and departmental managers with responsibility for implementation, to confirm that they had read and understood them.
‘It’s too much for one person to do alone so you need to get buy-in and ensure everyone understands what they need to do to protect the business. The business owners can plan for recovery based on their idea of what happens on the ground, but that may be different to the reality. And you need to recover the reality,’ Sumbler advises.
The first things he explored were data and data flows ‘because it’s about what you do’. He looked at where and how data is used and how critical it is. Next on the list was telecoms provision, as you need to be able to communicate throughout.
Secure the supply chain
Another crucial element is the supply chain, which includes the supply of personnel. ‘You need to keep a contact list of all your suppliers, whether they provide stationery or IT. This means you can contact them and get them to deliver to the remote location where you’re doing the restore,’ he explains.
In Morris Owen’s case, that’s limited space in a remote office in Bristol provided by a third party, which, in the event of an emergency, would be used to house key personnel. Some staff would also be required to work from the firm’s site in Cirencester, while others would work from home.
Who those designated key personnel are varies with timing. ‘If a disaster happens in mid-January, the focus is on tax returns so it’s more important to get those staff and systems up-and-running first. But in the last week in April, the focus is on processing payroll so staff in this area get shuffled up the priority list,’ says Sumbler.
To test the ongoing validity of the plans, meanwhile, a small representational team is assembled once a year to undertake a full test simulation.
But there has also been another unexpected benefit. ‘It puts out a powerful message to the client base that you’re not only protecting your business, but theirs too and that’s a powerful sales and marketing message,’ he says.
Worth the cost
Moreover, introducing DR and BCM cover no longer has to break the bank. In fact, says Aiden Curran, head of ICT at law firm McVey & Murricane, the secret to keeping costs down is simply a matter of ‘always looking for smarter ways to do something’.
His organisation runs all of its business applications on central servers and uses Citrix thin client technology to enable the entire workforce of 60 to access them remotely over the internet using SSL virtual private networks for security purposes.
This means staff can work from home in the event of a crisis as data is backed up nightly to a remote site using Double-Take Software’s data replication product, thus negating the need to pay for third-party premises.
‘You don’t need to spend a fortune if you plan correctly and communicate with the right people. But planning is key. If you don’t, you can end up buying a licence for this and other resources for that, and the cost can really rack up,’ says Curran.
Even renting back-up premises can be cost-effective if requirements are thought through carefully. Morris Owen’s facility, which includes relevant telecoms and IT infrastructure to run the firm’s Iris business applications and provision for annual testing, costs less than £5,000 per year.
‘Most firms would not consider this a huge expense, but it might also be worth looking at the situation with your professional indemnity insurance. After all, you’re mitigating business risk so the insurance company might be able to do something on your premiums,’ says Sumbler.
Recovery position
Disaster recovery
- Disaster recovery is IT-specific and covers the procedures involved in restoring the data centre to full operational capacity.
- This involves regaining access to the IT and telecommunications infrastructure and includes building resilience into it from the outset.
- It also entails putting procedures in place to recover data from a previously defined point in time, within a previously defined timeframe and within a previously defined budget.
Business continuity management
- According to market researcher Gartner, business continuity management comprises five elements, one of which is DR.
- Second is work area recovery, which entails providing staff with the facilities they require to keep on working in the event of an incident.
- Business resumption covers the time from a problem occurring to the business determining whether or not it constitutes a full-blown incident.
- Contingency planning involves exploring the possible repercussions if a problem occurs with external agencies such as partners and suppliers, and its impact on the business.
- Crisis management encompasses all the activities involved in handling the disaster itself and involves setting up a crisis management centre, not least to communicate with all parties.
Catherine Everett is a freelance IT journalist