Failing to plan? - Business Works

Failing to plan?

Can you survive a disaster?

Businesses depend on information technology more than ever before. Dev Barot, MD of Micronet, asks, “Can your organisation afford to suffer a disaster or system failure?” The importance of evaluating the potential impact of disruptions and the ability of your organisation to recover quickly cannot be overstressed.

A staggeringly large number of companies have very little in the way of basic protection in place; simple backup procedures are overlooked, never mind data security, firewalls, wireless security, server integrity and anti-virus protection.

Just how far do you go with all this? Duplicate everything from the building and all its contents, including the staff, to external links such as telecoms and ISPs and then hope that the mirrored site doesn’t suffer the same fate? In reality this is a ludicrous scenario for most businesses (although not all). Obviously, network systems should be well set up, secure and functioning correctly, with regular maintenance to ensure that all patches and anti-virus / anti-spam updates are installed routinely.

With SMEs watching spending (quite rightly in the current climate), the area of Business Continuity tends to get overlooked. Much focus has been placed recently on backing up data; however, a good Business Continuity Plan (BCP) is much more than that.

For businesses to survive a partial or complete interruption of service, a practical logistical plan needs to be formed, tested and implemented.

You may think that there is very little chance that terrorists will target your business and this may be true. However, have you considered the loss of power, internet connection and e-mail facilities, telecommunications, the impact of a fire or flood in the IT room, or the sudden loss of key personnel in the organisation?

As the head of your business you should ask yourself a few simple questions:

  • Is your organisation prepared to continue trading if operations were disrupted?
  • Have you developed, tested and distributed procedures within your organisation to be used in the event of disruption?
  • Do you have a process in place for the recovery of live data, critical records and documents?
  • Are your systems adequately protected from external threats such as viruses and hackers?

Like all good insurance policies, a BCP can be worth its weight in gold and could be what ensures the survival of the organisation in the event of an interruption; in short, it works out the best way to keep the business going.

One way of building the document is to break the process down into phases:

  1. Risk Assessment;
  2. Planning;
  3. Implementation;
  4. Testing and communication; and
  5. Maintenance.

A good BCP must have the backing and support of the senior management team and is typically developed and maintained as a discrete project in its own right. It is the senior management team that should, with the input of others, identify the mission-critical areas of the business and rank them in order of importance overall. This forms the initial basis for the overall project.


Risk Assessment

The definition of risk is a chance or possibility of danger, loss, injury, etc. By focusing on identifying what could go wrong and by playing out scenarios in those areas in order of importance to the business, the probability of the threat and the potential impact of that threat can be identified and documented.

Areas such as fire, flood, theft, terrorism, hackers or denial of service attacks, data security breaches, local authority compliance and financial controls are just a few areas which this exercise, if done correctly, should flag up.

One simple consideration on the IT side is just how long your organisation can survive without its IT function. Most organisations have “live data” which are changing throughout the working day – some have many hundreds or thousands of transactions per hour. One consideration here is in terms of backups. What would happen if the system failed catastrophically and all the data since the last backup were lost? The frequency of backups will depend on how easily the data can be recovered and how critical they are to the functioning of the organisation.

Armed with this documented information and the myriad scenarios, the planning phase can be entered.


Planning

In this phase, the most cost effective ways to meet the requirements outlined in the various parts of the Risk Assessment phase are identified, documented and, crucially, a strict timeframe for the work set out.

Taking the data loss scenario above, there are many options depending on the volume of the data and how critical they are. Simple measures to help protect data can be put in place easily and relatively cheaply – such as uninterruptible power supplies and fire protection systems. Data backups can be made using classic tape or disk systems (and security copies kept away from the site) and, for a little more, a “hot” backup system can be kept onsite that is continually mirroring the live data in case a disk fails. Clearly, a large organisation with a very active system that relies heavily on its IT will want more sophisticated solutions, which may extend to having whole IT and communications suites off site, maintained and updated continually, that can be brought into action within hours or even minutes.


Implementation

This stage simply puts into practice the elements in the Planning stage. This is critical and starts the iterative process of checking. As systems are implemented, they are thoroughly checked, verified and their effectiveness compared to the criteria set out in the planning stage. Sometimes small (and sometimes relatively large) “gaps” are identified at this stage and remedies put in place.


Testing and communication

This essential phase of the process is to validate the planning stage, communicate the procedures to the organisation and to ensure that the solutions satisfy the requirements set out for recovery. Those involved directly in the recovery process should have their copies of the documentation and critical contact information etc always to hand and in an easy-to-access format.

Initial testing should involve a “test scenario” being run. A simulated disaster is enacted and the whole plan tested. Problems identified are resolved and, if sufficiently large, the process is run again.

On an ongoing basis, it is critical that testing is carried out annually as an absolute minimum. If sufficiently large changes are made to certain aspects of the organisation (a new building coming into action, a new mission-critical system being implemented) then the procedures should be updated and the test re-run.


Maintenance

Organisations change over time. For example, the introduction of a new product or service, or a change in technology will highlight different concerns, making continuous monitoring an essential part of keeping the integrity of the plan. Simple things like a critical person in the chain of communication leaving without the documentation being updated can have a disastrous effect. Monitoring will ensure that changes to the organisation are reflected in the plan, with new risks identified and solutions appropriately tested and applied.

In the past, business continuity was critical mostly to the largest organisations. Now, with the high level of dependency on technology and IT, it is an area that should be considered even by the smallest of companies. A sole trader may well have all his or her records on the home computer (contacts, VAT and accounting data, customers, etc) and should that crash due to a virus attack or someone else in the family accidentally erasing or corrupting data, it could mean weeks of work to re-create the information lost. Simple backups and protections are relatively easy and cheap to implement. For a larger organisation, the scenario is much the same, but the scale and risks may be greater. Also, the potential loss of business may have wider implications for the future viability of the company itself and its ability to continue trading.

It is the duty of all senior people in organisations to ensure that adequate planning, processes and procedures are in place so that, should the worst happen, the business can continue with the minimum of disruption and loss.

For further information please contact:
Dev Barot, MD, Micronet Network Solutions
www.micronetworks.co.uk.
T: 0845 634 4151
F: 0845 634 4152
E: dev@micronetworks.co.uk