Cutting short a crisis

Business comes to a halt when disaster strikes, however firms are investigating continuity strategies to help get them back up and running as quickly as possible

  • E-Mail
By  Peter Branton Published  April 23, 2006

Introduction|~||~||~|While major disasters, such as hurricanes, earthquakes or terrorist attacks, often result in incalculable losses of life, it can also cause insurmountable damage to businesses. In fact, newspapers often report on the economic bad news following these events. Catastrophes are, thankfully, few and far between, but firms caught in the middle of such events may experience business-altering consequences. Most organisations will find recovery a slow and pain-staking process and they may take months, or even years, to improve their sales performance. Others may not recover at all and close down. Companies, however, need not wait for large-scale calamities to understand how vulnerable their businesses are. A computer virus or a hacking incident — or even a power outage — is enough to cause significant disruption to their operation. Even what was once considered a ‘minor’ problem, such as a faulty hard drive or a software glitch, can bring about the same level of loss as a fire or a software virus if a critical business process is affected. The New York-based research firm FIND/SVP has calculated the average financial loss per hour of disk array downtime at US$29,301 for the securities industry, US$26,761 for manufacturing, US$17,093 for banking and US$9,435 for transportation. Aside from the financial loss, a company can also suffer from intangible damages, according to the research firm. Things like lower morale and productivity, increased employee stress, delays in key project timelines, diverted resources, regulatory scrutiny and a tainted public image can be equally damaging — maybe, even more detrimental — to the company. Can these nightmare scenarios be prevented? Definitely. In fact, firms can avoid experiencing the consequences of such disaster in many ways. ||**||Traditional ways|~||~||~|Until recently, classic recovery solutions concentrated on restoring data centres in the event of a natural or man-made disaster. Although traditional measures remain vital, they are far from sufficient in addressing the need for continuous operation of key business processes. As companies shifted from a centralised IT structure model to distributed computing and client/server technology, the availability of IT broadened from a single department within the company to almost every aspect of the business. This means that critical business data is no longer contained in the data centre but can be found across the enterprise — on desktop PCs, departmental local area networks (LANs) and even remote data centres. Likewise, key business applications such as enterprise resource planning (ERP), customer relationship management (CRM) and e-business, have imposed the need for ubiquitous data availability. As a result, businesses can no longer function without IT, and more importantly, they can no longer afford to experience lapses in their operation. For some companies, the order of the day is to have 24-7 accessibility or risk losing customers. To achieve this objective, organisations need to not only safeguard data but to protect critical business processes as well. In other words, they need a business continuity plan in place. Business continuity is often linked to disaster recovery, and some companies often use the terms interchangeably. The truth is there is a significant difference between the two concepts. While disaster recovery is the process by which you resume a business after a disruptive event, business continuity suggests a more comprehensive approach to making sure you keep functioning even in the midst of a disruptive event. Sadly, however, a lot of companies in the Middle East are ill-prepared to handle disruptions. Last year’s power blackout in Dubai that virtually paralysed the entire emirate serves as a grim reminder of the state of disaster preparedness of most companies. “I would say that there is a lot of ignorance, particularly in the Gulf region, when it comes to business continuity,” says Jason Phippen, director, Storage Business Unit, CA Europe, Middle East and Africa (MEA). “What you typically find, especially in the SMB (small and medium-sized business) level, is that unless they actually had a disaster, the majority of the companies are not really prepared,” he goes on to add. “There is a mentality of ‘It will never happen to me’,” agrees Ahmad Sayes, EMC Middle East’s business continuity practice manager. He considers complacency as one of the major reasons why so many companies in the region fail to recognise the value a business continuity plan can deliver to their organisation. “Typically, disasters are very few and far between and in the lifetime of many businesses they may not even have a disaster at all,” Sayes continues. “But the million-dollar question really is about what constitutes a disaster? It can be a virus, and that can cause a significant damage to any organisation,” he goes on to add. “Many small businesses undervalue their data from an IT perspective, seeing IT as a necessary evil and not as a strategic business tool,” says Justin Doo, managing director, Trend Micro MEA. But he is quick to add that there are exceptions to the rule. Generally, though, Doo finds it difficult to drive a detailed and critical message across companies in the region. “There are so many verticals and crossovers that finding a generic message or a message medium presents huge challenges. Many medium-sized businesses in the Middle East, however, have begun to understand the value of their IT infrastructure more clearly, although they find themselves often under-investing in some of the critical areas that do affect business continuity, such as security infrastructure and off-site data storage,” he explains. ||**||Planning models|~||~||~|When it comes to planning, the first thing that companies should understand about business continuity is that it is not purely an IT concept; rather it is a business model that can be applied to any type of business. While technology plays an important role, business continuity also requires the involvement and support of people — your employees, for instance — and the execution of processes meant to be followed when a disaster occurs. Without any one of these elements, your business continuity plan is sure to fail. Many senior executives and business managers believe business continuity is the responsibility of the IT department. However, it is no longer sufficient or practical to assign the responsibility exclusively to one group. With the company’s reputation, customer base and, of course, revenue and profits at stake, all executive managers and employees must participate in the development, implementation and ongoing support of continuity assessment and planning. “Before even starting to create a business continuity plan it is important to get the full support of the management. Without it, it will be very difficult to push the plan through the entire company,” says Kevin Isaac, regional director, Symantec Middle East and Africa. “Additionally, senior managers, even business or departmental managers, should be involved in the strategic design of the business continuity strategy as it will help to create a realistic plan that will be focused on the business interests of the company,” he adds. Ideally, particularly for large organisations, a business continuity team should be formed, who will be responsible for designing the strategy and initiating the whole business continuity management process. The team will serve as the focal point during the whole process, and they will also be the ones setting a time scale for the project as well as creating the budget necessary for it. It is also the business continuity planning team’s role to identify threats and conduct a risk assessment. Risk assessment will help them pinpoint the main areas critical to the business. As it is impossible to address all possible threats, risk assessment will help the team prioritise depending on likelihood of the risk and business impact. Phippen says that there are two things that the team should keep in mind: the recovery point objective and the recovery time objective. “Recovery point objective is concerned about how much data you are prepared to lose,” he describes. “Recovery time objective, on the other hand, is about how quickly you can get your whole environment up and running again,” he adds. Once the risk assessment is completed, the team can then formulate preventive, detective and reactive measures in order to protect the company. This is where policies come in. There are no cookie-cutter templates for creating business continuity plans, and one-size does not fit all. The uniqueness of your plan should be reflected in the kind of policies your team defines. In general, though, your policies should address the following: individual roles and responsibilities of both management and staff; information about threats, hazards and protective actions; notification, warning and communication procedures; emergency response procedures; accountability procedures and emergency shutdown processes. For SMBs who normally do not have the resources to allocate for such a project, companies like EMC, Symantec and 3Com are offering consultancy services to address their needs. These consultancy units are staffed by experts in business continuity and disaster recovery who can help them through the whole planning and implementation process. Once you have developed a business continuity programme, test the plan. Assume the worst-case scenario possible and put your business continuity plan to the test… again and again. According to Sayes, testing and maintaining your business continuity strategy is the most critical aspect of the entire exercise. Even the best-laid plans, if not properly and regularly updated will prove ineffective after a certain period of time. “I cannot stress enough the importance of testing,” points out Sayes. “For some companies, they forget about their business continuity plan after it is installed, thinking that it will work for them just fine. It’s only after they have a disaster that they actually realise how strong their plan is or not, which is quite worrying,” he says. “The only way to ensure that your business continuity plan will be able to successfully work once a disaster strikes, you need to make sure that it is properly tested and regularly updated,” he goes on to add. “Companies need to test their business continuity plans very frequently. If a company has defined a plan and they don’t revise it or test it for a year that could be very, very risky because during that year most companies would have changed their IT infrastructure,” says Isaac. They might have added new servers, new storage or new applications, and if those are not included in the business continuity plan, and they put that plan into effect, there could be problems,” warns Tahir Khan, systems engineer at 3Com Middle East. To make it easier for companies to update their plan, at the very start, the business continuity initiative should be flexible enough to allow it to evolve. The plan should provide room for revisions to address the ever-changing internal and external conditions a company faces, as well as to counter new threat scenarios. Rather than being developed around specific ev- ents, such as a fire, the plan would be more effective if it is written to adequately address specific types of events and the desired outcomes. Getting companies, particularly SMBs, to commit long term to their business continuity initiative is perhaps the most critical and the most difficult to achieve. While complacency — again — places prominently among the top reasons why there is a lack of long-term commitment from companies when it comes to business continuity planning, according to Khan, the lack of funding also hinders SMBs from maintaining their business continuity initiative. “SMBs, on the whole, are not too cash rich. More often than not, they cannot support the financial requirements of testing, as testing can be costly. It often requires them to invest on another server environment that mirrors their existing one and they cannot afford that. At the same time, they cannot use their existing environment because that would mean reinstalling everything and they cannot afford to do that and disrupt their operation,” explains Khan. “The differences between a large company and an SMB are resources, resources, resources,” says Doo. “A large corporate will have a larger pool of internal and external human resources that it can call on during the planning and implementation process. A large corporate will typically have greater funding for projects too. SMBs suffer from restricted access to both human and financial resources. They will need to offset the value of the data versus the cost of putting full business continuity plans in place,” he elaborates. ||**||Final thoughts|~||~||~|The road to business continuity enlightenment is long and winding. But it is something that every company should embark on. Business continuity is so vital to business success now that it can no longer remain a concern of the IT department alone. The time, money and customer confidence that can be lost due to downtime or business interruption can seriously damage a company of any size — and the reputation of its key executives — both short and long term. The risks are even greater for e-businesses and companies that operate in the 24-7 global environment. To assure survival, companies must adopt proven strategies to protect both business processes and vital information and implement corporate-wide program- mes for continuity and recovery management. While for some implementing business continuity would seem complex and expensive, bear in mind that you face risking the fate of your business. As CA’s Phippen says, business continuity should be treated like an insurance policy — something you can fall back on at the moment of great need. Without it, you may risk losing everything. ||**||

Add a Comment

Your display name This field is mandatory

Your e-mail address This field is mandatory (Your e-mail address won't be published)

Security code