Monday, 11 March 2013

Cost Effective Continuity

I first wrote this article in 2006 and re-reading it today it strikes me that the issues are as resonant today as they were then... so here it is.  Enjoy!

What is business continuity?

Organisations today across the public, private and voluntary sectors are becoming increasingly aware of a broad spectrum of risks to their IT infrastructure, which could affect their ability to function at peak performance.  At the simplest level, a mobile worker whose notebook computer is lost, damaged or stolen may be unable to give that critical customer presentation as the only copy was on the notebook.  At the other end of the spectrum, major disasters such as earthquakes, tsunamis and hurricanes have brought it home to everyone that whether you live in the developed or the developing world, Mother Nature can strike with little or no warning and cause havoc.
Given the wide variations in risk, it is perhaps advisable to think of business continuity management as a collection of strategies and tactics to enable organisations to be prepared for, respond to and ultimately recover from, disruption of any sort.  But it is not sufficient to think purely about getting the organisation back up and running.  There are legislative and regulatory factors, such as Data Protection, Freedom of Information and The Combined Code on Corporate Governance, to name but three, which require organisations of all types to have effective risk-based controls, including business continuity plans, in place. 
Organisations need to be resilient to a degree of disruption.  They need to be able to operate to an acceptable level of performance for the duration of the disruption and throughout the process of resuming normal operations.  These factors imply that more resources will be required than in periods of normal operations… where will these resources come from?
Additionally, the threat of any potential disruption can affect a business’ customer loyalty, productivity and revenue, as well as its reputation and brand.  How will these issues be managed?
At a simple level, if your organisation has a large number of notebook users, how is backup of the data on those notebooks managed?  If a notebook is lost or stolen, how quickly can that worker return to being productive?  Can your business be certain that there is nothing stored on a notebook which, if it were to fall into the wrong hands, may breach that organisation's obligations to protect confidential commercial or personal information?  Where a computer is stolen, does that business have the means to trace it and make it inoperative?  There are solutions out there that can do just that.
On a slightly larger scale, if an office building or facility becomes inaccessible for any reason, how will your organisation inform its staff?  What should they tell them?  Should they work from home?  Should they go to an alternative site and if they do, will the site be not only equipped but up and running?  Who will deal with enquiries from the press or investors, customers or suppliers?
At the most devastating levels, where large areas are affected, what can or should your organisation do to avoid making a difficult situation worse, and to assist the emergency services within the community?  Should your organisation help others because you are better prepared?
Business continuity management is about providing sensible, practical and affordable answers to all of these questions.  But as we will go on to explore, implementing a business continuity plan doesn't have to break the bank.
Who needs business continuity?
Every organisation regardless of size or sector should think about having some form of a business continuity plan.   Primarily it can make your organisation more resilient and likely to succeed in the case of a disruption.  If that is not motive enough, then consider the range of legislation and regulatory guidance, including that of insurance and audit providers, which effectively makes it mandatory.
There is also the question of how much downtime or degraded service your organisation can afford before it imperils the survival of the organisation.  In this instance, “costs” take a number of forms, for example:
There are also issues of customer service which can be addressed through implementing robust business continuity arrangements. Naturally, the extent of those arrangements will vary according to the type, size and budgets available to each individual organisation, of which some examples follow...
· Public bodies in the UK, such as the emergency services, local authorities, the armed services and central government departments are obliged by the Civil Contingencies Act 2004 to have robust business continuity arrangements in place which allow them to continue to function and continue to communicate with each other and the general public throughout a major incident.  The "throughout" in that sentence is a very significant change in policy, as it effectively requires all Category One Stakeholders to have complete resilience built into all business processes and their supporting technologies, permitting no significant downtime for any process involved in collecting, processing or disseminating information.
· Companies listed on the world's stock exchanges are now required to have robust business continuity arrangements in order that their auditors can declare them to be "going concerns".  The disclosure requirements of the Combined Code on Corporate Governance, the Higgs Report on the Role of the Non-Executive Director and the Sarbanes-Oxley Act require company officers to be personally accountable for the reliability of the information they present to the world regarding the state of their companies.  How can they do this in good conscience if they cannot guarantee that the information used to compile the annual accounts after a major incident in their data centre is identical to the information held the moment before the incident?
· Small and medium-sized companies, the heart and soul of every economy, have the same, if not greater, exposure to risks such as virus attacks and computer theft as their larger competitors, but tend not to have the resources to manage their IT infrastructure in the same way.  Whilst it may be possible for many small to medium-sized businesses to run for short periods without their computers, many are so dependent that even a few hours of downtime could impact their survival.
Whatever business continuity arrangements are in place, they will serve no useful purpose unless they are rehearsed on a regular basis, as all staff should be aware of what the plans contain and know what to do in case business is disrupted.  Major incidents and natural disasters naturally stir up high emotions.  The people in charge of implementing the business continuity plans must be calm in a crisis and know precisely what to do.
Are there any rules or guidance to help make informed decisions?
There are a number of national and international standards, Acts of Parliament and European Directives, which have implications for the nature, and extent of business continuity arrangements.  Few, if any, directly specify requirements but all refer to objectives or outcomes, which would be difficult or impossible to achieve without robust business continuity arrangements being in place.  A few examples...
· BS 25999-1:2006 provides guidance on best practice in Business Continuity Management;
· BS 25777-1:2008 provides guidance on best practice in IT Service Continuity Management;
· BS ISO/IEC 20000 and the IT Infrastructure Library provide guidance on best practice in Service Management;
· ISO 27001 provides detailed guidance on best practice in information security management, which is one aspect of IT Service Continuity Management. This standard also provides detailed guidance on physical and environmental security;
· ISO 9001 provides guidance on best practice in Quality Management Systems. When implementing any business or IT service continuity arrangements it is highly advisable to apply the quality assurance and control recommendations found in ISO 9001.
· Both the Turnbull and Higgs Reports refer to organisations being required to maintain robust risk-based controls, including business continuity arrangements, though until the publication of the Civil Contingencies Act in 2004 there was no effective consensus on what "robust" really meant.  Now, we have clear guidance that in order to be robust, business continuity arrangements must implement a "zero tolerance" strategy for critical processes and systems.

How can you ensure Cost-Effective business continuity?

It may seem like a daunting prospect, and one with a potentially very large bill attached, to seek to implement such "robust" business continuity arrangements.  But it can be done.
· Cloud services provide highly resilient and professionally supported services for organisations of all sizes... it is to be hoped that those responsible for maintaining security standards and regulatory requirements will rapidly incorporate the existence of these services. Of course, due diligence is required and especial care should be taken when trusting sensitive, personal or confidential information to "the Cloud";
· For small to medium-sized businesses, networking organisations are popular where business people from a local area meet on a regular basis to share experiences and, hopefully, pass business or leads to one another.  These fora are ideal for finding other businesses with whom to establish reciprocal arrangements in case of theft or temporary loss of premises.  If these "collective continuity" agreements are backed up with contracts with third party suppliers to provide small numbers of computers at very short notice, disruption can be kept to a minimum.  If data held on a notebook computer is essential to the running of the business, a cost-effective approach can be to maintain backups online, which is more secure and less prone to error than using tapes.  Ideally, an integrated service could deliver replacement equipment within a few hours with data already restored, getting you back to work immediately;
· For larger organisations, it is common to maintain a secondary data centre as a replica of the primary site. This requires a very significant investment for which other uses need to be found in order to give the sense of getting value for money.  By using virtualisation and/or clustering technologies, it is possible to partially populate the secondary site with the minimum amount of equipment required for short-term operation and rehearsing of business continuity plans.  In the event that it is necessary to run many or all services from the secondary site, a contract to have access to the required number of additional servers can be put in place at a fraction of the cost of purchasing those devices;
· Where the cost of equipping and maintaining a secondary data centre is beyond the means of the organisation, contracts can be let for the provision of mobile server rooms and office space, usually in the form of specially designed 12m/40ft trailers;
· For very small companies, it is well worth considering applying the collective purchasing philosophy not only to business continuity arrangements but also to the procurement of "back office" facilities such as file and application servers, which can be shared securely by a number of small businesses.
In order to ensure that organisations maximise the effectiveness of the resources invested in business continuity arrangements, it is vital to have a strategy which seeks not only to protect, but also to enhance, the organisation through these measures.  Repeated research studies in different parts of the world clearly show that organisations that invest wisely in business continuity arrangements and aim to manage risks in a proactive way will survive for longer, suffer fewer major incidents, return more on assets deployed and have better reputations than those organisations which operate in a more reactive way.