Business Continuity: are you prepared?

Business Continuity: are you prepared?

Fire, floods, terrorism, national disorder. Is your business continuity plan fit for purpose?

Business Continuity prepare for stormy weatherSome parts of the UK have already been devastated by the weather over the past month. Areas of the UK that are statistically expected to flood periodically in tens of years are suffering again within a few years. Some of the residents and businesses have only just managed to clean the worst of the water, mud and sewage from their properties and are now facing more deluge of the coming days and weeks. The weather forecasters are predicting thunder storms and a month’s rain in the next 24 hours and possibly the worst snow we have seen. To make matters worse the temperature is due to drop significantly by the end of the week with the shower turning into the worst snow falls and blizzards we have ever seen.

“…flood defences are under pressure across the UK with little sign of their being any real flood defence investment in the foreseeable future.”

I was exchanging emails last week with one of our business partners living in Hebden Bridge. Hebden Bridge in Yorkshire was one of the towns badly effected by flooding just before Christmas. Although he was still contactable, he was spending most of his time in the town working with other residents helping with the clean up operation.

The British are renowned for their fighting spirit. An article in the Huffington Post summed up the spirit of the communities by saying “…locals have turned out to stick two fingers up at the disaster.” But, I do wonder how much more some of these towns and villages can take. Clearly something must be done to help the communities by improving flood defences or having the means to divert the water. But, flood defences are under pressure across the UK with little sign of their being any real flood defence investment in the foreseeable future.

London saw massive investment some years back when the Thames Barrier was built to control water levels in the city but even that may be ineffective against the ever rising water. Less than two years ago the Thames burst its banks downstream to the west of London devastating many properties demonstrating the limitations of the Thames Barrier quite clearly. The highly populated areas upstream of the Thames Barrier are also at significant risk when the barrier is closed – there are plans to reinforce defences but no funding.

“No one expected it to develop into a rapid worthy of the Grand Canyon within a month.”

There is a very interesting special report regarding the state of the UKs flood defences by the New Scientist dated 19 February 2014 – ‘UK must abandon or adapt in face of floods’. The report states in the opening paragraph that these weather events will keep happening. We certainly don’t need any more proof.

Many businesses will have been affected by the weather in one way or another. Around the time of the New Scientist report we were affected by floods when the basement of Hawley Manor flooded around a month after we moved in. When we moved in our insurance company advised us that we were only 100m from a river and we were at risk of flooding. On further investigation our MD Mr Hodges declared it a tiny little brook called the River Darent. No one expected it to develop into a rapid worthy of the Grand Canyon within a month. Unfortunately, the Kentish mud was no defence and it burst its banks.

Fortunately, we had a business continuity plan and for the first time in our 30 year history we had to use it. In true British style we had a team of people including staff, landlords, Fire & Rescue Service, UK Power, and other tenants all working in concert to rid the building of the river water and waste and restore normal service. By comparison to the flooding mentioned earlier in this blog ours was a minor incident. Just a taste of what it is like when the weather and water conspire against us.

“…even if this had been a major incident, our business continuity plan would have supported us for a much longer period.”

Mains Power Feeds in Basement of Hawley ManorHowever, even if this had been a major incident, our business continuity plan would have supported us for a much longer period. If needed, we would have had the time to regroup and reassess our longer term needs in the comfort that our customers were being supported. Our critical services are cloud based so they were uninterrupted. This meant there was less onus on our business continuity requirements. As it was we were back up and running by 1800 on the same day.

A business continuity (BC) and disaster recovery (DR) plan is essential for all businesses. I realise that many retail outlets are unable to operate if their premises are out of action, unless they have or can introduce an online offering to get them through when disaster strikes. BC and DR plan requires a full audit of all of your business applications. It is vitally important to understand where the applications are hosted including any dependencies they have on other internal and external systems and services.

Most businesses will have the majority of this information to hand but in my experience, not necessarily in the level of detail required for an effective BC/DR plan. If you have any doubts at all with regard to the validity of the information in your BC/DR plan the best course of action is to rehearse it. Put it into action in as near a live environment as possible. The majority of BC/DR rehearsals are understandably carried out during off-peak business times, so it is important to estimate the effect of all or a fraction of your staff working remotely on the fallback systems.

“…they had failed to consider the event that nothing was damaged and all of their systems were operational.”

If some or all of your critical business systems are Cloud based on hosted on your own servers in a data centre the BC/DR plan will be less complex. In which case, any BC/DR rehearsals need to emulate a real life scenario as close as possible. Disasters come in many guises. Several of the London bombing disasters we have been involved with in the past caught some businesses unaware by the sheer fact that their building was not rendered out of action. However, the police cordon was such that no one could access the building. The businesses had BC/DR plans but they had failed to consider the event that nothing was damaged and all of their systems were operational. They just could not get staff into the office.

This leads on to the next part of the plan: what can possibly go wrong? Having made a list of all of your applications and fully understanding the dependencies you then need to understand fully where disaster may strike. Disaster could be local, e.g. a network cabinet; it could be the entire office or complex, or a section of the building or a remote office. The type of disaster will also have an effect on the plan based on the length of recovery time. This will obviously be different for fire, flooding and bomb damage, but what about failure to gain access to your premises due to a police cordon? This maybe because of a nearby disaster or for some other reason such as public disorder. The more disasters you can think of the more effective your BC/DR plan will be.

“…the ability of your business continuity plan to see you through the disaster recovery period will lie in the detail.”

An important part of your plan will be a facility to support all or a group of your staff working remotely. Working remotely could be from home, or from Wi-Fi hotspots in cafes or hotels. Wherever they are working, they will need IT support so this also needs to be included in the plan.

You may need to consider where any key members of staff live, especially in areas prone to flooding. If you have any dependencies on staff members that may be preoccupied with their own personal disaster there needs to be a fallback plan. Some will see this as a step too far, but I cannot emphasise enough the ability of your business continuity plan to see you through the disaster recovery period will lie in the detail.

“The plan will be the blueprint for all other departments in the business to work to, including IT.”

Business Continuity inclement weatherThe middle of a disaster is not the time to discover you are short of licenses needed to support remote users. If your remote access facility was originally designed and licensed to support a fraction of your users you may get a nasty shock when the majority of your users are unable to access their applications when working remotely. This is just one example of the type of problem that may occur in real life But not show up in a disaster rehearsal.

Use your plan to test and validate your systems. Your plan must define the number of users you expect to support right down to their roles and access requirements. The plan will be the blueprint for all other departments in the business to work to, including IT. Even though IT play an active role in the development of BC/DR plans they may not consider the impact of the switch from local to remote users unless asked.

In times of disaster information security may be overlooked. This is another vital element in the BC/DR plan. Your business will be at its most vulnerable while everyone preoccupied with dealing with the disaster at hand. Network security could slip through the net unless it is detailed in the plan and all of the key people nominated in the plan know their responsibilities.

“Your provider may have a user friendly customer portal where DR arrangements can be preconfigured and actioned when required.”

If you did not consider telephony as one of your business applications above you will need to go through a separate audit process for your telephone system. If you have a legacy or IP telephone system dependent on on-premise equipment you may need to consider some replication of equipment.

Your incoming telephony service provider may have inherent BC and DR facilities as part of their service offering. If you have a SIP service with your main business numbers terminated within the Internet Telephony Service Provider’s network there will almost certainly be options available to reroute incoming calls in the event of a disaster. Your provider may have a user friendly customer portal where DR arrangements can be preconfigured and actioned when required. Whether the process is manual or semi-automated via a preconfigured script, it needs to be clearly documented in the plan to ensure nothing slips through the net in the event of a disaster.

The types of handset required needs to be included in the detail and agreed with the respective departments. IP soft phones may be the most cost effective option and easiest to deploy but they may not be appropriate for all users. They may increase demands on the already stretched IT support team too. These are considerations that are easy to overlook during the planning stages and even in disaster rehearsals. as I mentioned before, the success of the business continuity plan lies in the detail.

“…all businesses need a business continuity and disaster recovery plan.”

Regardless of whether or not the government makes the heavy investment required to protect us against the rising water table all businesses need a business continuity and disaster recovery plan.

If you need assistance with developing and writing your business continuity and disaster recovery plan we can help.

Useful links…

Astro Business Continuity

The Daily Express – Weather Hell

New Scientist – UK must abandon or adapt in face of floods

The Guardian – Beyond the Thames Barrier

Huffington Post – Hebden Bridge flood pictures reveal northern resilience