Do Australian companies really need a business continuity plan? ZDNet Australia finds out what all the talk is about in disaster recovery and continuity planning.
The majority of Australian businesses--mostly small to medium--do not have a business continuity plan, say analysts and industry professionals, leaving them unprepared to cope with work interruptions. And of the companies that do have a plan, many are not regularly updating or testing it. But for all the hype around disaster recovery, and the constant references to the New York terrorist attacks, do Australian businesses really need to be covered for disaster?
Living on our island far away from the rest of the world we are lucky: we don't live with the constant threat of IRA bombings, like the UK, and we don't suffer frequent earthquakes or tornadoes like the United States. And it is for these reasons, so say the experts, that the two countries, the UK especially, are well ahead of us in business continuity planning.
However we do have our own natural disasters, such as the recent bushfires in Canberra, and in the Blue Mountains in NSW just over a year ago. Hailstorms and floods too. But more often than not it is the little things that interrupt our businesses. Human error is one of the biggest causes of system outages, and interruptions to utilities like electricity and telephone lines are another common cause... remember the gas crisis in Victoria or the New Zealand electricity crisis in 1998?
One business continuity vendor tells the story of a faulty printer causing business interruptions. A printer overheated one weekend, and while it didn't catch fire it did emit lots of smoke... enough smoke that it permeated the entire building and workers couldn't get access to the premises on the following Monday morning. An innocuous enough incident, but could your business stand to be down for one day? How much money would you lose in revenue? And what about the wasted cost of paying for staff to hang around and do nothing?
And the more important question: how many days could you afford to be down before it started to seriously threaten your ability to stay in business?
Hewlett-Packard recently took a handful of journalists through its disaster recovery site. On the tour Steve Cartland, HP's South Pacific manager for business continuity and recovery services, referred to the New York World Trade Centre attack that doesn't get much of a mention these days--the 1993 bombing. The bomb was detonated in the underground garage, killing six people and injuring another thousand. It also caused smoke to infiltrate the building and workers were unable to access the premises for six weeks. According to Cartland, 43 percent of the organisations in that WTC building went out of business because of that interruption.
Wissam Raffoul, analyst at META Group, says there is a one in three chance that your disaster recovery plan will need to be activated. Even more worrying, of those that are activated, 22 percent are found not to work, usually because the plan hasn't been updated along with changes to the business.
Plan... Or else
But whether or not any of the currently unprepared businesses have taken these risks into consideration, Australian authorities and industry regulators are seeing to it that businesses must have at least a working risk management plan, if not a full-blown business continuity plan (BCP).
If you want to obtain an Australian Financial Services licence you must first submit a business continuity plan to the Australian Securities and Investments Commission (ASIC). If your business is listed on the Australian Stock Exchange you will have to note whether your business has a risk management plan that can be audited and shown in its annual reports. And according to Commonwealth legislation, if you run a superannuation fund you will need to have a risk management plan in place towards the end of this year.
So it is no surprise that the Australian financial sector has been the early adopter of disaster recovery and continuity planning. But how long before legislation trickles down to other industry sectors?
META's Raffoul says of the businesses that do have a BCP, 33 percent have it for legal compliance, 34 percent for shareholder protection, 16 percent because they have experienced interruption before, seven percent for public relations reasons, and the remaining 10 percent are for various other reasons.
At KAZ Information Services, Peter Voysey, who specialises in business continuity services, says there is a lot more interest and activity in this area than he has experienced in the past, and he is surprised at the number of small businesses coming to KAZ for business continuity services.
The introduction of the information security standard 7799, originating in the UK and introduced locally by Standards Australia in 2000, has drummed up some business for KAZ, with organisations wanting to become certified to the standard, which includes business continuity processes, says Voysey.
"We are finding that at the moment it is a significant driving incentive for corporations and government to address the issue of business continuity more thoroughly and systematically," he says.
The NSW government is one such customer. According to Voysey it has an initiative underway to implement information security guidelines based on the 7799 standard, with a lot of departments moving to implement these guidelines, which require them to have a business continuity program.
But the business doesn't stop there.
"There is continuing activity in the larger and IT dependent organisations such as banks, financial organisations, stock exchanges, airlines, gambling organisations, TAB and so forth," explains Voysey. "All of those that are highly IT dependent."
Not an IT issue
Which brings us to an important point... business continuity is not an IT issue. (Gasp!)
It is a common misconception that disaster recovery and business continuity planning are the responsibilities of the IT department. Of course IT is heavily involved in keeping a company's systems up and running, ensuring continuous access to the network and applications, but what is the point of having the system accessible if the staff can't get to it?
This is the main distinction between disaster recovery and business continuity. Disaster recovery refers to the technical side of the issue--keeping the IT systems up in the face of disaster--whereas business continuity refers to being able to continue performing mission critical processes. This involves knowing which business processes and staff members to prioritise and ensuring they have the means to continue working.
It is for this latter reason that business continuity is not really an IT issue. To prepare your company for disaster means having an in-depth understanding of what each department and person within the company does and how it fits in with the company's goals. One of the first steps in building a business continuity plan is to conduct a business impact analysis.
Stephen McCarthy of Travelex understands this well. Heading up the IT department, he was recently involved in preparing the business continuity plan for Travelex, and he says "it was not an IT project".
For Travelex, the first step was conducting a business impact analysis managed by the business continuity project leader (not an IT staff member) where every single business process was documented and given a level of criticality. Then it was linked back to the IT systems. Only after all of the processes and systems were signed off could the IT department start its work in the planning.
McCarthy says it is important to understand that a business continuity plan is strategic for the enterprise; the disaster recovery side is a tactical piece of that strategic plan.
"If it is seen as an IT driven disaster recovery site then it is not strategic--business processes need to be mirrored," he says. "What IT considers important is probably different to the rest of the business--start with a business impact analysis."
Too hard, too long
Another misconception of business continuity planning is that it is a long and difficult process. Angus Graham boils it down to being just a series of business management decisions.
"There is still a bit of mystery around business continuity planning... BCP is not hard, in reality it is a simple, logical process," he says. "The people elements make it difficult but the process is not hard... people seem to get off track."
Graham is currently the only Australian representative of the US-based Disaster Recovery Institute (DRI) and he also runs a business continuity consultancy business, Future Risk, with partner David Crossley. For one week every month Graham conducts DRI certification courses.
He says there is a trend right now for organisations to gain the skills and knowledge involved in business continuity planning. Those attending the courses are usually the people who have to deal with it in some way at work. During the last 12 months a lot more IT people have been attending; however the courses are not "techie", says Graham, but rather an education in business processes.
He also believes BCPs don't have to take a long time to organise. In his experience it is possible to organise a BCP in less than 20 working days. He says most of the disasters a company would face are very predictable, and you always plan for the worst case scenario--which is some form of denial of access to the premises.
What is the solution?
The range of continuity solutions is extensive and unfortunately there is no single best method. You can't look at what one company does and then emulate that plan in your business... all businesses are different and will each have a different definition of their most important functions.
Another differentiator is money. Continuity planning is not cheap: if you decide to completely mirror your data centre, which involves buying and maintaining two of everything, it can be a major cost to your business. It is also unlikely that you would choose to back up your entire business by obtaining more real estate to house a "hot site"--a space full of empty desks loaded with telephones, computers, and printers to resume full business activities when disaster strikes. While it would be handy, it would probably be unnecessary and very expensive. The trick is balancing the level of risk against your budget.
Your business impact analysis will outline all of the business processes and identify how long you can operate without them. This will tell you what the most important functions are and should indicate what level of recovery and continuity is called for.
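The Travelex approach above (document every process, assign a criticality, then link back to the IT systems) and the business impact analysis described here can be rolled up mechanically. The following Python is an added illustration, not code from the article or from any company it names; the process names, tolerances and system dependencies are constructed sample data, and the tier thresholds are an assumption.

```python
"""Business impact analysis roll-up: derive each IT system's recovery target
from the business processes that depend on it (added example, constructed data)."""
from dataclasses import dataclass, field


@dataclass
class Process:
    name: str
    max_tolerable_downtime_hours: int          # how long the business can run without it
    systems: list = field(default_factory=list)  # IT systems the process depends on


# Constructed sample BIA: the business side fills this in first, not IT.
PROCESSES = [
    Process("retail currency sales", 4, ["till app", "rates feed", "phones"]),
    Process("settlement with banks", 24, ["settlement batch", "email"]),
    Process("payroll", 72, ["hr system", "email"]),
    Process("marketing newsletter", 240, ["email", "cms"]),
]


def criticality_tier(hours):
    """Assumed tiering of a process by its maximum tolerable downtime."""
    if hours <= 4:
        return "A"
    if hours <= 24:
        return "B"
    if hours <= 72:
        return "C"
    return "D"


def system_recovery_targets(processes):
    """A system must be back before the MOST time-critical process that uses it
    runs out of tolerance, so its target is the minimum over dependent processes.
    How many processes use a system is irrelevant to its target."""
    targets = {}
    for p in processes:
        for s in p.systems:
            current = targets.get(s, p.max_tolerable_downtime_hours)
            targets[s] = min(current, p.max_tolerable_downtime_hours)
    return targets


def recovery_order(processes):
    """Systems in the order IT should restore them, tightest target first."""
    targets = system_recovery_targets(processes)
    return [s for s, _ in sorted(targets.items(), key=lambda kv: (kv[1], kv[0]))]


if __name__ == "__main__":
    for p in PROCESSES:
        print(f"{p.name}: tier {criticality_tier(p.max_tolerable_downtime_hours)}")
    print(recovery_order(PROCESSES))
```

Note that "email" is used by three of the four processes yet gets a 24-hour target, while "rates feed" serves one process and must be back in four; this is the gap between what IT considers important and what the business impact analysis says.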
If you are still confused, or perhaps unsure how to carry out a business impact analysis, there are many consultancies available to help. Most outsourcing providers include business continuity in their services, and a lot of hardware vendors offer continuity services as well. For example Hewlett-Packard operates continuity centres throughout the world which act as hot sites. Customers take out a subscription to have the centre available to them, including testing time, and pay extra for actual use of the site.
Its Sydney recovery site cost $3 million to build and contains 150 desks ready for use with PCs, two telephones (one for call centre use and one for normal use), and printers. Its server room contains products from a variety of hardware vendors.
According to HP's Cartland the site hasn't been used for a disaster yet, but its 120 subscribing customers use it often for testing.
If it all sounds too hard and too expensive, perhaps this statement from META's Raffoul will provide some incentive: "Disaster recovery is not meant to be cheap, but can you afford to not do anything?"