Emergency services

While companies in the Middle East have begun to understand the necessity of disaster recovery solutions, few organisations have truly grasped the all encompassing nature of business continuity plans.

  • E-Mail
By  Neil Denslow Published  March 24, 2003

I|~||~||~|Although companies are becoming increasingly aware of the technological side of business continuity planning, few have gone beyond IT and addressed the people and procedural aspects that have to sit along side it. The failure to do this has left the vast majority of Middle East organisations with a false sense of security. As such, when disaster strikes, they will be left with fully backed up systems, but nobody to access or use that information.

While the awareness surrounding business continuity plans (BCPs) has greatly increased since 9/11, most companies still equate it with disaster recovery (DR). However, while DR is a key part of business continuity, it is only focused on IT and a company’s BCP
has to consider a much greater range of issues.

“When companies think business continuity, they think IT and they think disaster recovery. However, while IT is a very important component [of a BCP], it’s not the whole story, as there are also critical processes that are conducted by the business that feed into IT,” says Carl Greiner, vice president & director, enterprise datacenter strategies, Meta Group.

“If those processes are not there, if people can’t get in, if the building is not operable, then what happens to your business at that point?” he asks.

Despite the all encompassing nature of BCP, the bulk of companies that plan for a disaster consider it to be solely the IT department’s responsibility. As 80% of reported disasters are hardware or software failures, the CIO does clearly need to play a key role in the planning process. However, other disasters, such as a 9/11, fire or power black out, won’t just affect IT. Organisations therefore need to consider the company-wide impact of a disaster and treat BCP as a business issue with board level direction.

“In the US, they see disaster recovery as a business issue at the highest level, while in EMEA they see it as a technology issue that won’t affect the business. [However,] if you don’t have the technology on which your business is based available then your business stops. So, how can that not be a business decision?” asks John Poulter, vice president, emerging markets, EMEA, Veritas.

To ensure that a company can successfully overcome a disaster, it first has to undertake a business impact analysis (BIA). This allows the business to identify the critical applications and processes that need to be maintained — something that is vital as it is simply too expensive to have complete clones of the entire workforce, IT infrastructure and business facilities that are permanently on standby.

A BIA can be undertaken by either an inhouse team or by outside consultants. Either way, it needs to be an objective assessment that truly identifies what is vital, as opposed to just important. “If you ask a business head what’s most critical they’ll say everything, but in truth this may not be the case,” says Greiner.

“[For instance,] there might be areas in the business dealing immediately with customers, like a call centre or a billing application, that cannot afford any downtime… and others, maybe accounting, that can afford some,” explains Roland Roth, sales director Middle East, HP Services.

||**||II|~||~||~|Based on the BIA, a company can then draw up a BCP to ensure that it can support its critical applications during a disaster. This should encompass both the IT infrastructure needed to run critical applications, as well as the personnel to activate and utilise the systems.

“[Companies need] to identify key personnel within in each department who would be critical to the business continuing to run in the event of a disaster. These people should [then] be responsible for their own department,” explains Andrew O’Connor, principle professional services engagement manager, StorageTek Professional Services.

During a disaster, it is clearly the IT department’s responsibility to get the IT infrastructure up and running. However, other parts of the company also have activities they need to undertake. HR, for instance, needs to find and check on personnel, and then ensure that no one involved in the BCP team is overworked or suffering from stress. The sales and marketing team, meanwhile, needs to ensure that the company’s customers are still able to undertake transactions and that the business’s reputation is not harmed by the disaster.

In an ideal scenario, customers won’t notice that the company is having a disaster, as the BCP will ensure that all critical processes are seamlessly maintained. However, if there is a fire, for instance, then press coverage may lead customers to believe that the company is out of business. The sales team therefore needs to assure key customers that the company is able to maintain its service levels before competitors start telling them the opposite.

“Bad news spreads very quickly, and it’s only a very short matter of time before competitors are seizing on the fact that the company is temporarily out of business, and start touting for business with their customers,” says O’Connor.

Once the company has identified all of these key roles and responsibilities, it needs to assign them to staff with the appropriate skill sets. Most companies would automatically turn to departmental managers to fill these roles, however, they may not be the best people. “Sometimes during disasters, I’ve seen qualities in [departmental heads] that you really wouldn’t want. They’ve really been in blind panic,” says O’Connor.

“You may find that someone who is great at running a 100 person team is not the same person when they have to run a 10 person team and they only have two months to rebuild the operation,” agrees Mohammed Amin, general manager, Middle East region, EMC.

The best people for the BCP team are those who have a good knowledge of the business, clear leadership skills and the ability to work well under pressure.

This is one reason why testing the BCP is so important, as it is the only way, short of a real disaster, to see how someone performs under stress. “Most of what customers learn [from testing] is how to handle the people, because the technology is already proven,” says Amin.

Furthermore, the BCP also needs to identify who will act as a back up to the primary team member in the event that they are absent during the disaster. “One of the first things in a disaster plan… is that someone has to form a team from people who are actually available on the day,” notes Andrew Calthorpe, senior corporate vice president, STME.

To ensure that adequate back ups are available, the company has to have replicated skills within the organisation. The most effective way to do this is to have cloned staff offsite, who can seamless replace staff from the primary site. However, this is clearly an expensive option, which few companies will be able to either afford or justify.

The use of outsourcing can lessen the cost associated with having to replicate IT skills, but some inhouse staff will still be needed, as they know the systems best. “The best combination is some of the company’s people and some [staff] from an outsourcing company,” explains Amin.

An even cheaper option than outsourcing is to cross-train workers, so that personnel are able to stand in for colleagues in the event of a disaster. The company will then have workers with both the IT skills and company knowledge needed to make systems work effectively.

A third level of preparation is to have manuals available that will allow anyone with a modicum of IT knowledge to get critical applications up and running. HR therefore needs to be involved in BCP “as this allows companies to build these third party training manuals and cross-training programme, and also to work with all the other groups [involved in the BCP] to hold the key personnel together,” says Poulter.

The company will also need to consider how staff will actually operate during a disaster, starting with how they will get from the primary site to the secondary one. If this involves travel to a foreign country then it will be a major undertaking, especially if all airplanes are grounded, as happened after 9/11.

For companies that have a secondary site in the same city, transportation should be a less complex undertaking, as staff can use public transport or their own cars. However, this still needs to be carefully planned and tested, as no company wants to discover during a disaster that there are not enough parking spaces at the secondary site, for instance.

Aside from the logistical issues involved, moving staff around also means that companies need to plan how they are going to feed and accommodate them. These support issues can be lessened by enabling employees to work from home, which many may prefer to do anyway.

After 9/11, for instance, many staff were heavily traumatised and just wanted to stay at home with their families. This possibility needs to be considered beforehand, as it will require the provision of laptops and access to a remote network.

“Some [companies] have thought about the people that run the systems and that they need to get them from here to here, but not a lot of people have thought about what’s the most people friendly and cost effective way of providing a solution,” says Poulter.

“[However,] part of the disaster recovery planning process is deciding which personnel are needed on a remote site and which personnel can work remotely from home in a far better and less stressful environment,” he adds.

||**||III|~||~||~|Who needs to travel to the secondary site should be clearly recorded in the BCP manual, which needs to be widely shared within the organisation. Companies should post it on their intranet site and distribute paper copies to members of the team, which will then ensure that everyone can access the manual in the event of the disaster. “It’s no good having one copy of your disaster manual in your machinery room if your machine room has just burnt down,” notes Calthorpe.

However, although a BCP manual needs to be distributed to staff members, this should not be seen as the end of the planning process. This is a mistake companies often make as “they normally look at [BCP] as a project… They do it for six months, document it, everyone understands what they’ve got to do and then they forget about it for a few years,” observes Greiner.

Such a policy, however, will quickly see the BCP become outdated as few companies stand still. In reality, staff come and go, new applications are implemented and different business processes are introduced, all of which need to be reflected in the plan. “If you are serious, it has to become a part of all the things you do in the business. This is quite a shift and it is why so few companies are properly prepared,” says Greiner.

Staff turnover is a good example of this, as a key part of the BCP plan is a call list of people to notify about the disaster so they can activate the plan. However, if some members of the team have left the company, and the call list hasn’t been updated, then the plan will fall apart before it’s begun. “A lot of companies have also had to lay off a lot of staff because of tough times, which may also impact on their BCP,” adds Greiner.

To address this, companies need to constantly review their BCPs to ensure that all changes are factored in. The BCP also needs to be regularly tested to ensure that it will work in the event of a disaster. Most vendors recommend that companies test the technological side of their BCP at least once every six months, and test moving personnel once a year.

“You have to continually go back and test because it’s a moving target. The business changes, roles and responsibilities change, personnel change — there are so many different parameters that you have to keep ahead of,” notes Poulter.

Few companies actually test or constantly review their BCP however, and only think to do so once a disaster has struck. Such an approach is foolhardy as the changes will be too late and the company will be left in a position where it is unable to maintain service levels or access critical data. As such, the very survival of the company itself will be greatly endangered.||**||

Add a Comment

Your display name This field is mandatory

Your e-mail address This field is mandatory (Your e-mail address won't be published)

Security code