Published on 11/03/2015 in Inspire
Your company has to navigate all kinds of danger. Handling each situation correctly is key. When you prepare yourself, you move from unknowingly being at risk to taking calculated risks yourself. We created an action plan.
In business jargon, we often use the term business continuity. As a concept, it’s easy enough to translate: making sure that your business keeps going as usual (as far as possible) in case of disaster. This philosophy isn’t new, but in recent years, it’s been a point of renewed attention. Business continuity encompasses all activities that are performed on a daily basis to guarantee the provision of services, the consistency and the resilience of your organisation, as much as possible. This, of course, is easier said than done. These steps can serve as guidelines in this endeavour.
1 Focus on preventing risk
When Leon Jorissen, IT Manager at plumbing supplies merchant Lambrechts, was brought into the company to restructure the entire IT department, he found the server, then called an AS/400, surrounded by some junk and a chain paper printer, in a small back room. The answer to his fi rst question concerning business continuity – What if this room were to burn down? – was a reassuring “We have insurance!”.
The very first step is a good understanding of what business continuity is, exactly. It’s the realisation within an organisation that an ounce of prevention is better than a pound of cure. That may seem obvious, but this little anecdote proves that isn’t necessarily the case.
Lambrechts has come a long way since then, Jorissen is glad to say. “We’re making sure all data is stored both on the server in our headquarters, and on a remote server in an external data center, where everything is constantly backed up. If our internal server were to fail, we’d barely lose a thing.” The investment in business continuity in the fi rst four years reached a total of between 120.000 and 130.000 euro, including software, hardware, and external services. “But everyone knows what could’ve happened if we hadn’t made that investment: 54 people in the logistics department unable to continue with their work. The way everything is organised today, recreating all data takes no more than a few seconds, which means we can rely on the external server rather fast if an outage occurs.
This story illustrates two fundamental characteristics of business continuity. Firstly, without an investment in infrastructure – an external datacenter, back ups, or emergency power and airconditioning for the internal datacenter – you don’t have a functioning business continuity plan. Secondly: the goal is to keep all activities running in all circumstances, not just to keep your infrastructure going. True business continuity implies that your employees can access the applications they need from any location and any device (discover how on page 17).
2 Understand your company
The most elementary way of keeping business continuity affordable is by making a correct assessment of your company and its activities and processes. If you can simply make an honest judgement of how important each aspect really is, you can save a substantial amount already. If, however, you consider every process to be critical, you will have to invest rather heavily in order to keep everything running through a disaster. When a company like Koramic, a manufacturer of building materials, took a closer look at its processes, it quickly became apparent that the production system itself was critical, not the supporting services. All attempts at business continuity had to concentrate on those people working the ovens, where the tiles and bricks were actually produced; they turned out to be the only ones who had to keep going.
When determining which are the critical processes and activities – usually described as a business impact analysis or BIA for short – it’s best to keep a few less than obvious questions in mind: how critical are your employees (usually more so in a service company than at a production plant), what happens when the phone lines go dead?
This is the ideal moment to determine your RTOs and RPOs, as well. The RTO is the recovery time objective: the speed with which you need to get a product or service back up, in order to experience minimal impact on the workings of your companies. The RPO is the recovery point objective. This is the indication of the amount of time there can be between the incident and the last backup.
3 Understand the risks
Without a substantial investment in infrastructure, you cannot build a strong business continuity plan. This step is a logical result of the previous one: once you know which are the most critical processes and activities, you understand the problems that would arise if they were to drop out. “This is the point were unknowingly being at risk becomes taking calculated risks,” says Alex Vanzegbroek of Beltug, the association of Belgian IT users.
This exercise isn’t quite as straightforward as you might think. Some processes aren’t crucial for the continued existence of your business, but are required by law to be heavily guarded. Other processes that don’t seem to be essential in and of themselves can cause very critical processes to drop out, making them a big risk factor.
You need a thorough understanding of your business processes to make a correct risk assesment. It’s therefore crucial that you gain insights in the myriad ways your business processes are interconnected in order to make a correct risk assessment. Companies often use a kind of scale to determine risk: how big is the potential impact of a certain event on your operations or reputation, and what is the likelihood of this event actually happening to your company? A simple example: companies with headquarters in Zaventem have a larger chance of having to deal with an airplane falling on their buildings than businesses in Namur do.
4 Draw up the business continuity plan
As soon as all possible risks have been identified, you need to design a fitting reaction to each risk. What that reaction is, will depend both on the severity of the risk and on the likelihood of the event. For instance, a company might state that there’s only a very small chance that their building will be destroyed entirely, but were it to happen, it would be a top-level crisis. The combination of a small likelihood and an extreme impact means that this risk should be considered of average importance. Subsequently, a fitting reaction can be designed.
All of this will result in a complete business continuity plan, describing a scenario for each possible risk, while respecting the priorities you determined in the business impact analysis. You’ll create a procedure detailing how and to whom an incident needs to be reported, how it must be treated by the crisis management team and which staff members will make out that team, how people will communicate with the crisis manager, where employees need to go when their building is unavailable, etc.
An interesting note here is that the exact priorities can vary depending on the moment the incident occurs. When the software used to calculate wages, for instance, is down, the priority of this incident will be higher at the end of the month than at the beginning.
5 Document and communicate your plan
When the complete business continuity plan has been drawn up, you need to make sure it’s visible, by providing each employee with the necessary documentation. Some companies use a manual for crisis management, spread throughout the company in different shapes: a poster for each manager, always within reach; a copy that is kept off -site (in case that site would be destroyed entirely); and copies on each fl oor or in each department.
6 Test the business continuity plan
Once the manuals have been placed in key locations and the infrastructure has been prepared in order to kickstart an acceptable recovery scenario for each possible risk, you’ve reached the last phase: testing your plans. The test phase is the most underestimated, debated, and neglected part of the entire business continuity pipeline. Nonetheless, a test can yield valuable intelligence, sometimes in unexpected places. “Tests always teach you something – unexpected things happen all the time,” Alex Vanzegbroek concludes. The test phase is the most undervalued part of the entire business continuity pipeline.
Tests are also crucial to determine the feasibility of a business continuity plan. Such a plan is usually drawn up by a team of two or three people, and therefore can’t usually take into account every practical aspect that could hinder its proper execution.
A frequently encountered example: a restore, the retrieval of previously saved data, often takes much longer than expected. The test runs of the necessary hardware and the transit to the backup system usually go rather smoothly, but the tests of the procedures during an incident often go wrong.
7 Start over
Every once in a while, and every time the company goes through radical changes, the business impact analysis must be repeated, and the business continuity plan must be redesigned and altered where necessary.
Ontex, a company that produces personal hygiene products, has a business continuity steering committee that gathers every few weeks (or, when the need arises, more often) to see if the plans or infrastructure need to be changed, “even though we started out as a small company with a single building in Buggenhout,” stresses Patrick Pittoors, IT manager at Ontex.
Ontex is an excellent example for big and small companies, because their concern with business continuity grew gradually as the company did. “Not just because of our fi rst experience with downtime, but also because of the company’s growth,” says Pittoors, “which in turn exponentially magnifi es the consequences of downtime.”
Keep your company going: important distinctions
1 What is the difference between business continuity and disaster recovery?
In disaster recovery, the key point is to get all infrastructure up and running again, as fast as possible, after a catastrophe. Business continuity centers around the question: how do I make sure my company remains functional, even during a disaster?
2 What is the difference between backup and storage?
The terms backup and storage are often used interchangeably, but they’re inherently diff erent. A backup is an extra copy of a fi le, program, hard drive, or complete system, created to fall back on when the original fi les have been damaged or were lost. Storage is the term describing the part of the IT infrastructure were data are kept, both the original fi les and the backups.