Business Continuity Planning: Best Practice Guidelines

It’s absolutely no secret that today’s fast-paced world is driving an ever-increasing demand for ‘always-on’ services among businesses and end consumers alike. However, writes Mark Wass, in addition to being ‘always-on’ and keeping things running in the present, businesses of all sizes must be prepared for unexpected future disruption. From the technological to the economic or logistical, businesses face a variety of threats of disruption, each of which must be incorporated into the business’ contingency planning (otherwise known as business continuity).

Business continuity planning is now high on the agenda for organisations. Last October, the NHS booked hotel rooms for patients as part of its “worst case scenario” contingency plans for Brexit. In the same month, Goldman Sachs set up a disaster recovery trading floor in a WeWork office in central London to enable the bank to continue operating in the event of a major incident.

These examples may give the impression that business continuity is strictly within the remit of large organisations only. However, in the era of digital business, it’s clear that, regardless of an organisation’s size or ‘target market’/‘target audience’, it’s now imperative to deliver uninterrupted service 24 hours a day, 365 days of the year.

As any company (large or small) which has suffered a service outage will contend, the ability to absorb the shocks of disruption and be resilient regardless of circumstance can make the difference between a business that flourishes and one that flounders. However, smaller and medium-sized enterprises (aka SMEs) often deem disaster recovery solutions – such as Data Centre co-location or server and networking back-ups – too expensive to core operations and so don’t fully invest in them. Instead, they often settle for what’s perceived to be a cheaper, DIY-style cloud-based platform approach and then assign responsibility for its management to a single individual.

However, an organisation’s core IT infrastructure will be hugely complex regardless of its size. Even the smallest businesses will find the consequences of disruption become compounded when seemingly esoteric questions are left unanswered: Where are the interdependencies in the network map? Which applications are hosted in private and public cloud environments? Is the data stored in the cloud protected from corruption or otherwise safeguarded from being blocked by a malicious third party?

With its central role in the basic functioning of all the operations of a modern organisation, from automating payroll to ensuring security, the continuity of IT infrastructure is simply too fundamental for it not to be adequately ensured. Formerly the remit of IT teams alone, knowing the answers to these complex technical questions is now a strategic business imperative.

The responsibility for the continuity of core IT must therefore be readily available and proactively shared among a number of key stakeholders within the organisation, benefiting both the business and the teams that it comprises with a faster and more accessible route towards recovery.

Common misconceptions

SMEs may think that, by sheer balance of probability, organisations with a larger IT footprint have a greater chance of one of their systems failing. In reality, an organisation’s scale should never be conflated with its vulnerability to disruption. In fact, the scale of IT can actually be a boon to an organisation’s business continuity capabilities via the greater capacity to divert essential operational processes away from affected systems to subsidiary infrastructure. This goes right down to the operating capacity of individual tools, with a recent report finding that medium-sized Data Centres will experience over three downtime events each year, with each lasting over 3.5 hours on average.

There’s also the belief that, if the office and/or core IT is hit by disruption, workers can simply log on from home or other remote locations via the organisation’s cloud environment. However, this creates two problems. First, how can staff work remotely if laptops and/or other resources are left in an office which is no longer accessible? Second, if staff either have their work laptops or can work from their own personal computers, how can the security of data be effectively ensured when using devices or networks separate from core IT?

The most effective way in which to reduce the impact of a workplace office loss is to instantaneously pick up the whole thing – people, information, management, support structure, etc – and transplant it somewhere else that’s equally easy to access and has the same feel and culture as the original.

By taking an holistic stance and incorporating point business continuity solutions such as workplace and IT disaster recovery into a larger resilience strategy, organisations can ensure that the loss of a workplace becomes a minor operational blip as opposed to a full-blown disaster.

Combating disruption

Ultimately, businesses need to be aware of the cross-over between the resilience of IT systems and the resilience of the business overall. By combining the right disaster recovery tools, planning for a diverse set of contingencies and sharing the burden of knowledge relating to the ins and outs of IT infrastructure, firms can take the first steps towards ensuring overall resilience and availability of their products, services and operations.

A comprehensive business risk assessment conducted at regular intervals is key to gaining access to the information organisations need to reduce downtime during periods of disruption. Such assessments help to identify needle-in-a-haystack components which can quietly take down entire systems, calculate recovery time and outline the method and objectives of recovery efforts.

At the end of the day, regularly testing these small, but nonetheless vital aspects of business operations can be a far cheaper alternative to ad hoc recovery efforts which may not succeed in the first place.

Mark Wass is Director of Sungard Availability Services

About the Author
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications)
