DATAFORT Whitepaper
Understanding Business Continuity: Laying down the right foundations to build a solid strategy

Business continuity (BC) can mean different things to different people and this is one of the major issues for organisations; what can be considered a thorough BC strategy by some can be seen as lacking by others. This is not only the source of significant challenges at industry level (how can end users be confident that businesses in their supply chain have taken the necessary steps to ensure continuity in the event of a disaster?) but how do you address this discrepancy when it exists within the same company? How can an organisation’s management team trust that various departments have worked together to make sure that the business is protected should disaster strike?

Back in 2007 ISO, the International Organization for Standardization, published ISO/PAS 22399:2007, Societal security – Guideline for incident preparedness and operational continuity management. This was the first internationally-ratified benchmark addressing incident preparedness and continuity management for both the public and private sector. According to Dr. Stefan Tangen, Secretary of technical committee ISO/TC 223 ‘ISO/PAS 22399 represents a major breakthrough in addressing emergency and disaster preparedness, response and continuity. It was unanimously passed by the 50 countries that participate in the committee and provides an international agreed upon benchmark for emergency and disaster management for individual organisations.’ In the UK the British Standards Institution has created BS 25999, a Business Continuity Management Code of Practice offering general guidance, and the Specification for Business Continuity Management, listing the requirements that can be objectively and independently audited.

So where should companies start to build a sound BC strategy? First and foremost it is imperative that each unit within the organisation lists the core resources needed to continue to operate in a productive manner following equipment failure, a loss of power or data, or any other tangible point of risk within their department. It is also important to outline how quickly these resources need to be brought back online to prevent disruption. Then, based on these criteria, the IT department should draw up the core elements of its Business Continuity strategy. Although the particulars will differ from company to company, they should all ensure that the Recovery Time Objective or RTO (how long you have to recover the data or system before its absence causes business continuity problems) is equal to or shorter than the Maximum Tolerable Outage or MTO. If the RTO is longer than the MTO then Business Continuity is not ensured and the business is still at risk. Recovery Point Objective or RPO (how much data the organisation can afford to lose or re-create) is also key; this factor will have a dramatic impact on the data protection strategy because if your business is involved in any sort of high-volume or intraday trading, currencies or commodities for example, synchronous data replication or mirroring will be your only choice.

But all the above planning will fall like a house of cards if the strategy is not seamlessly deployed across the organisation; in fact, in order to ensure continued operations, a Business Continuity strategy must be managed centrally to maintain focus on congruency between changing systems and the protection of those systems. Let us say, for instance, that human resources demands to manage its own backup strategy, say through tape backup, because of the regulatory requirements posed by the Data Protection Act. However, it has no training or method to make sure that those tape backups remain effective, and therefore cracks will develop in the BC strategy and these may result in a breakdown in the level of protection. So, while departmental management is not a good idea, departmental input is key, because your HR division will be highly aware of changes in legislation that will directly impact the data protection and retention policies. Other departments like finance will have their own very valid concerns.

Once the core elements of a Business Continuity strategy are in place, organisations should look at processes that will keep it in step with changes in the business and relevant policies. A sound starting point is to take a good look at the company’s business processes and its systems and understand their real risk exposure. For example although generally speaking an organisation located in central London is more at risk of terrorism than one based in a smaller town, the actual risk of terrorism is dwarfed by the risk posed by striking unions that may directly impact the ability of the business to maintain normal operations. Therefore it is important to take an objective stance in order to balance the impact of risk vs. likelihood.

Companies are rarely static, and to offer ongoing protection, a Business Continuity strategy should constantly evolve to match that company’s needs. This fluidity requires not only intimate knowledge of the business but understanding of both new technologies and relevant legislation. This often makes the use of an outside consultancy more cost-effective than relying on internal staff shifting their focus from business process development to devote time to keeping on top of the latest BC requirements. When you add the cash flow and efficiency benefits that come alongside the adoption of the service-based delivery method for business continuity, this becomes an attractive, low-risk option for many businesses.

So: you have designed and implemented a Business Continuity strategy, you are making sure it changes with your company’s needs, now it’s time to make sure it works. This is because it is unlikely that the paper version is going to unfold flawlessly in the real world. Testing is a challenging yet fundamental aspect of any Business Continuity strategy because it highlights any holes in the plan. Tests should be performed at regular intervals, at least once a year and ideally much more frequently, especially for organisations which are subject to strict regulations such as those in the financial, health and public sectors, where failing to conform to the criteria set out by bodies such as the Financial Services Authority (FSA) can lead to debilitating fines that can put a company out of business.

In order to virtually eliminate the chances of the plan failing to work, an in-depth test should be carried out at least once a year; this would not only ensure that everything works at the technology level (including any new elements of the IT environment) but it also helps new staff become familiar with the various steps needed to keep the business protected. But testing and the resulting changes can take time, so in order to minimise disruption it should be performed at times when the organisation is less busy, for example over the holidays.

Businesses aiming for a watertight strategy should have detailed documentation of the plan and policies so that it can be shared between relevant staff and passed from incumbent to new employees. They could also make a full time employee responsible for the company’s BC strategy, someone who knows its every aspect inside out, from data security and recovery, to communications networks and SLAs. For a belt & braces approach, if budget allows, a secondary backup system could be deployed where an additional data centre or site with mixed storage media would provide an extra layer of protection depending on the scale of the disaster.

The measures outlined above can help a business overcome most accidents related to critical business functions but like most insurance policies they can provide different levels of cover that (we hope) will never be needed. However, when the survival of the company is at stake, it would be foolish not to put a strategy in place that could make all the difference; the key is in striking the right balance between risk and protection.

DATAFORT'S Hi-5 can deliver full functionality to your employees wherever an Internet connection is available to them, an alternative office, home or even a WiFi hotspot. The Hi-5 service is backed by a £1M insurance policy.

The need for business continuity planning is greater than ever while the complexity of modern information technology systems is growing. Datafort’s new managed service portfolio is designed to provide the range of services that a modern business needs to ensure it is fully protected from everything that Murphy’s law can throw at it.
