Office Memo 25

Home > Office Jotter > Office Memos > Office Memo 25

Time for a snack at Office Jotter?

Office Memo 25

8 January 2007

Business Continuity -- Not Just for Big Fish

Smaller companies are less likely than large organizations to have robust procedures in place to deal with unexpected events. In a survey of 1,000 businesses for Bank of Scotland, nearly half had no agreed plan for how to react to and deal with events such as fires, floods, terrorist acts or natural disasters.

Why are there still companies without a plan?

Only 37% of sole traders surveyed had a procedure to deal with a disaster, even though over half recognised it could put them out of business. Of 505 owner managers without a business continuity plan, 47%said that they hadn't thought about implementing one. Nearly 30% said it was unlikely such an event would affect them anyway and 11% said they had no time to think about it.

It seems the more employees a business has the more likely it is to have a business continuity plan. Some may argue that with more staff, these organizations have the resources to put a plan in place and manage it. This can often be a problem within smaller enterprises.

There would appear a common perception is that business continuity planning is costly, complicated and only achievable by large corporations and is only needed by them. In truth, even if you are a 'small fish', the same potential dangers are the same. Major incidents, though thankfully relatively rare, or more common events like a power breakdown could have a devastating impact on any business whatever its size.

At Network Disaster Recovery, we have found that about 70% of invocation calls that we receive are because of hardware or power problems. The Bank of Scotland survey revealed that 84% of small companies use computers and 58% of them back up files to a remote server. It seems there is some planning for IT failure is being carried out but by no means enough.

It is not simply having a back-up tape or disk stored remotely that needs to be considered but an all-encompassing approach. What happens, for example, if your staff can't access your premises or your main supplier goes out of business? It is about the business continuing to run, keeping continuity.

Perhaps it is also that businesses find business continuity planning a daunting subject - possibly a scary one. It demands that we face the unthinkable. What if a flood or bomb destroys our building or a critical system fails, putting a key business department out of action? Where do our staff go? Where will our customers go? And will they come back?

We suspect that business continuity planning is being seen as too ambitious and too complex. It is this mystique that is preventing some getting started on business continuity planning.

Are plans becoming so complicated that those same plans are no longer practical for the organisation to test them any more? If this were true, the whole plan would be worthless. If a plan is unproven, the organisation remains unprepared.

Taking complexity out of business continuity planning

The desired approach to business continuity turns plans into realistic recovery procedures and practical testing exercises. Simple but effective plans work best.

Take a step back and watch how your business works. This lets you identify where real problems or risks may lie. You can then consider your options are for dealing with them and what plans may be needed for this. This is where a smaller company may find it easier than a larger one. The smaller the organisation, the fewer business processes it may have to consider.

1st step - Consider your approach to risk analysis

The impact of a risk can be viewed as combining the chance of an event occurring and the consequences should it occur. An assessment of the risks should therefore start by considering which threats are the most serious. The next stage is to consider the outcomes of each risk and decide which of them to accept and which to mitigate.

2nd step - What to mitigate

You may decide simply to live with those risks with a low impact. Where the consequences would be disastrous for the business, no matter how unlikely to happen, it should be included in the plan.

The next step is to decide how to protect against the risks. This might involve working with third parties. For example, if something should occur to prevent senior managers from continuing work, should you arrange for interim management staff to be available at short notice?

3rd step - Test the plan and keep it evolving

You need to test the plan in practice before you can be sure the organisation is protected the best it can be. Testing the plan that will show what might go wrong in a real recovery situation. The risk analysis will identify where the focus for these tests should be.

A realistic test will highlight any elements you overlooked in planning. It is then that it becomes possible to refine the plan, to add any elements you missed first time around. The plan then becomes more realistic and more workable.

It is imperative to make a plan that can be tested. You must then to test the plan and continue to test it regularly - at least yearly. This makes sure that it evolves with changes in business practices and systems.

Awareness

In serious situations, people do not sit down and read through their plans. Initially, they work to a rudimentary checklist of actions and communications based on the plan. In a disaster, there will often be confusion, panic and miscommunication. To limit this, business continuity planning should be part of the company culture. Employees should be aware of the procedures and what, if any, their responsibilities are. You can then manage matters more smoothly. This readiness will only come through testing and training.

Neither daunting nor over-complicated

A business continuity plan is not something that needs to be daunting or over-complicated. It should be simple, realistic and workable. Some parts of a plan may be more involved than others but you should develop the overall plan logically. Step back, see how your organisation works, assess the risks, mitigate them, and prioritise and separate processes into smaller parts so you can tested those sub-plans.

A simple, logical and realistic business continuity plan that can be tested is the best way to be prepared. Know where your staff will go, how you will deal with customers and how you will continue operating in the face of an interruption. What better way to keep swimming - however big the pond?

***

Dennis Thomas, Managing Director, Network Disaster Recovery, contributed this article. Our thanks go to him.

Network Disaster Recovery is exhibiting at Business Continuity -- The Risk Management Expo 2007. This is the UK's largest event for managing risk, resilience and recovery. It takes place at London's Excel, Docklands, from 28-29 March 2007.

About Office Memos

An Office Memo is an extended comment on what is happening in the world of the electronic business and elsewhere. Some memos will have appeared in Office Jotter; others are simply referred to in it.

You are free to disagree with, amplify or even agree with anything that appears in Office Jotter or an Office Memo. Of course, the rest of us will never know this unless you write in with your views, so please comment, in the blog or with an Office Memo*.

Content from Office Jotter or Office Memo may be circulated freely, so long as you remember to credit its source.

Thanks,

Roger Whitehead

Publisher and editor

*No more than 1,000 words at a time, please. I edit material for publication but as lightly as possible.

Copyright Roger Whitehead, 2007. I hereby assert and give notice of my right under section 77 of the Copyright, Designs and Patents Act 1998 to be identified as the author of these publications.