Business continuity planning (BCP) has traditionally been left off the agenda when enterprise strategy is being formulated. Seen, like insurance, as a pure cost, it is often neglected or even ignored completely, particularly by small and mid-sized businesses.
But in mid-2007 the business community in many parts of the UK changed its attitude to BCP following a series of high-impact events, including floods, tidal surges, power cuts and major fires. Many businesses are now facing up to the reality that the chances of their IT being severely disrupted by a disaster are much higher than they can live with.
Be prepared
That new acceptance is evidenced by the numbers signing up for some form of BCP. BCP service provider BT Global Services estimates that 20% of organisations suffer at least one major disruption every five years. Of those unprepared for that circumstance, 43% never resume normal business operations; a further 29% close within two years. These figures are likely to rise as major external risks – most notably from climate change – escalate. But a further key development, adds John Madelin, UK head of practice for business continuity, security and governance at BT Global Services, is the changing structure of multinationals, which are becoming increasingly networked and virtual. Consequently, businesses must now protect multiple points of potential failure, making the task of BCP ever more important and ever-more challenging.
As the British Standards Institute (BSI) has found, the numbers are starting to hit home, especially within the major business arena. In its annual survey of the FTSE 250, the BSI found that 51% now rate themselves as being very well prepared for an IT systems failure. While this figure is hardly overwhelming, it is a vast improvement on the 27% who said they were very prepared in 2006. Such a jump in one year suggests that businesses are becoming increasingly aware that they can barely sustain their business without IT. Overall, notes the BSI, the awareness of the importance of adequate provision for enterprise-wide business continuity is growing.
The provision for more robust business continuity is, in many instances, being baked into procurement processes and often involves the offsetting of risk through the use of third-party service providers. Increasingly, notes Aydin Kurt-Elli, CEO of co-location provider Lumison, businesses are choosing to pare down their in-house hardware, most notably servers and telephony infrastructure, and rely instead on hosted providers such as data centre operators and virtual contact centres. Given that business continuity heavyweight SunGard Availability Services finds that hardware failure is by far the chief reason for IT disruption (leading to the invocation of disaster recovery plans in 56% of cases), this strategy seems particularly persuasive. Because such providers often load-balance across several locations and exploit the scale provided by multiple large customers, they are able to provide far higher levels of resilience than the average company deploying hardware in-house.
Ever more frequently, businesses that once regarded this kind of outsourcing primarily as a cost-saving strategy now consider it a key part of their BCP. Software-as-a-service (SaaS) is a good example. By using web-based software from a variety of third-party ‘on-demand’ providers, businesses can attempt to eliminate the risk of a wholesale outage caused by physical damage to working premises. In the 2007 floods, for example, many organisations used this model to maintain operations in alternative locations. For smaller companies, adds BT’s Madelin, this is a cost-effective strategy.
Mobile working has also increased the physical flexibility of operations, and thereby the diversification of risk across the organisation. In particular, restricted desktop access – again experienced during last year’s flooding – is mitigated by mobile working facilities. But it is critical, adds Kurt-Elli, that as companies aim to diversify their risk across providers, they also make efforts to understand and, if possible, view the business continuity relating to those partners. Diversifying and outsourcing should reduce the impact of physical disasters but, cautions Madelin, there “is no silver bullet”.
Further reading
Back to the Effective IT 2008 Report contents page
Securing the future Central identity management systems are now a chief priority, but biometric technologies continue to disappoint
Staying afloat The flooding that hit the UK last summer proved a severe test for disaster recovery measures
Find more stories in the Security & Continuity Briefing Room.