Keeping the business strong when it all goes wrong…
On December 11th, 2005, the sleepy town of Hemel
Hempstead in well-to-do Hertfordshire was rocked
(literally – it measured 2.4 on the Richter Scale) by a
series of explosions at a local oil depot. It’s
remembered as the Buncefield Disaster: 2000 people
were evacuated, and it cost many millions in repairs.
Watch the news coverage, and the
key reaction from local residents
is a thoroughly English “I don’t
believe it! I can’t believe it’s
happened here!” This is the
problem with unexpected events:
we don’t think they’ll ever
happen, and certainly not to us.
Even the name ‘Buncefield’ is
more ‘coffee mornings and
birdsong’ than ‘Apocalypse Now’.
And yet, local businesses were
decimated. This is no isolated
incident, either. Another great
example to hit the headlines is the House of Reeves
furniture store in Croydon, South London. The
historic, family-run store became a cause célèbre
when it was razed to the ground by looters in the riots
of summer 2011. In mid-2013, the owners finally
threw in the towel and said they would not be re-opening.
Clearly, anything can happen; what does happen will
probably be a surprise, and we’re hopelessly good at
putting our collective heads in the sand.
If it’s not mission critical, ignore it!
Rescue comes in the form of a discipline called
‘Business Continuity’ (BC) - the art of keeping going
when everything has gone wrong. An enormous
amount of the wisdom of BC is in working out what’s
worth your effort, and what isn’t. For example,
despite the attraction of ghoulish
examples like the ones above,
Andy Osborne, a director of BC
consultants Acumen BCP, blogger
and author of ‘Risk Management
Simplified’, says that trying to
work out what could go awry is
the wrong place to start. “There
are major issues inherent in that
way of thinking. Firstly, the ‘It'll
never happen to us’ syndrome can
result in doing nothing at all - in
which case you might as well
cancel all your insurance policies
too! Alternatively, you can spend too much time
thinking about all kinds of scenarios that may never
happen, ending up with a plan that's three inches
thick, that no-one ever reads. Plus the "disaster" that
hits you probably won't be one that you thought of,
rendering the process pointless.”
“To a large extent”, says Osborne, “it doesn't matter
what the cause of the disruption is. What is important
is being able to continue your key activities”. When
working out those key activities, Lyndon Bird,
Technical Director of the Business Continuity Institute,
says that one of the magic words in BC is ‘urgency’.
“People get confused between importance and
urgency”, he says. “Concentrate on urgency. Your new
marketing strategy might be important, but it isn’t
urgent. Whereas making deliveries or keeping the
website alive are urgencies.”
Osborne advises businesses to look in depth at the
trickledown of dependencies that make up the chain
of these urgent business activities. “By looking at the
dependencies within a process, we can determine
where failure could prevent our success and identify
appropriate contingencies.” Making those deliveries
will depend on transport, for example. The website
might depend on a third party supplier, or basics like
electricity. “Mapping our dependencies in this way
can help us to understand where our vulnerabilities
are and where mitigation measures should be
focused. If nothing else, focussing on the positives,
rather than the negatives, might make risk
management a slightly less depressing process!”
“Similarly, look at what you can control or mitigate,
and what you can’t”, adds Bird. You can’t control an
earthquake, for example. You can, however, mitigate
dramatically against fire (extinguishers), theft
(security systems), malware (antivirus), to the point
where you regain sufficient control of these
situations.
As we have said, though, it’s a false economy to try to
control everything, particularly for a small business
without funds sloshing about. Bird offers a simple risk
assessment model which has the added benefit of
being a very useful pointer to where you should spend
your managerial time and effort. He says there are
two fundamental elements to risk:
Impact: the effect of something happening. A
dripping tap will have a low impact; your
business partner absconding with the
contents of the bank account will have a high
impact.
Likelihood: the probability of something
happening at some stage. A gas explosion is
of fairly low likelihood, a hard drive giving up
the ghost is a high likelihood.
This gives us a very useful four-quarters model:
Low impact, high likelihood: e.g. staff
engaging in low-level pilfering from the
warehouse. Solving these issues is about
tightening up your management controls and
procedures, and worth a bit of your time.
Low impact, low likelihood: e.g. a paper jam
in the photocopier. These are the things to
ignore - you can waste buckets of time and
effort designing systems for them, and they’re
not worth it.
High impact, high likelihood: e.g. our delivery
van is making a nasty clunking sound. There’s
no time for thinking or planning here – get it
fixed now! You want to avoid anything in this
quarter.
High impact, low likelihood: e.g. the office
being flooded. This is where BC happens.
By now, you can see that the genius of BC is to
concern yourself only with important problems which
could dramatically affect the business, only the ones
you can’t do without for a few days, and only the ones
you can usefully mitigate in some way. You should
come out of this process forewarned, forearmed, and
feeling a little more confident that a crisis need not
become a drama.
Beating Fate on a shoestring
The good news is that those mitigations also need not
cost a fortune; particularly in terms of technology.
Osborne says, “It’s a misconception that BC is
complicated, expensive or difficult. Stick to four
simple questions which we have hinted at above:
1. What's important?
2. Why is it important? (in terms of the impacts
if it stops);
3. When do we need it to be available again in
order to avoid those impacts?; and
4. How can we ensure that it's there when we
need it?
This business impact assessment will ensure that your
BC plan is sensible, pragmatic and cost effective.”
Bird agrees that simplicity is key: “Your IT needn’t be
in triplicate across three different datacentres, but do
observe the basic housekeeping. Back everything up,
secure your systems, all with ordinary, practical tools.
Mirror your essential information offsite to the Cloud,
and test that everything works – including the
restoration of backed up data. Keep your solutions
simple.” Incidentally, Osborne cautions that Cloud
providers are not all one and the same: “Validate the
common assumption that your provider securely
replicates the data you store with them. Find out
where it is hosted, and who has access to it. And
understand clearly what’s in the Service Level
Agreement as regards its availability.”
There’s one more subtlety to consider when it comes
specifically to the resilience of your information
(rather than, say, your premises). As well as the
availability of information, you must also consider its
integrity after corruption and/or loss. You may
remember that last year, the bank, RBS, was heavily
criticised because customers could not access their
accounts for several days. That’s painful, but not
terminal. Imagine, however, if they simply could not
retrieve any account information at all. The business
would not survive. The key question is: how far would
you have to go back in the records to be sure that
your data was correct and uncorrupted? This can be
painfully time consuming, so make sure your backups
offer you a credible version of the truth.
None of the technology is hard; but changing your
work style or operational processes can be more
challenging. “It’s keeping up the good work that takes
effort”, says Bird. “Have a practice run every few
months, and make testing realistic: don’t restore your
data to the same computer you always use; try
restoring it to a completely new machine. Staff don’t
realise that their data is the lifeblood of the business,
so train your team, help them to appreciate the value
of information and make sure everyone knows what
they should do when trouble comes knocking.”
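One way to run the restore test described above, and to answer the earlier question of how far back you have to go to find a good copy. This is an added example, not part of the original article: the MANIFEST.json file name, the one-folder-per-day layout and the sample files are assumptions, and the data is constructed.

```python
import hashlib
import json
import tempfile
from pathlib import Path

MANIFEST = "MANIFEST.json"  # assumed name; keep a second copy away from the backup media


def data_files(root: Path) -> dict:
    """Map relative path -> SHA-256 for every file under root except the manifest."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file() and p.name != MANIFEST}


def write_manifest(snapshot: Path) -> None:
    """Run at backup time: record what a good copy looks like."""
    (snapshot / MANIFEST).write_text(json.dumps(data_files(snapshot), indent=2))


def verify_restore(restored: Path, manifest: dict) -> list:
    """Compare a restored tree with the manifest; an empty list means it matches."""
    actual = data_files(restored)
    problems = [f"missing: {name}" for name in manifest if name not in actual]
    problems += [f"changed: {name}" for name in manifest
                 if name in actual and actual[name] != manifest[name]]
    problems += [f"unexpected: {name}" for name in actual if name not in manifest]
    return sorted(problems)


def latest_clean_snapshot(snapshots: list):
    """Walk back from the newest snapshot; return (clean snapshot name, rejected ones)."""
    rejected = {}
    for snap in sorted(snapshots, key=lambda p: p.name, reverse=True):
        manifest = json.loads((snap / MANIFEST).read_text())
        problems = verify_restore(snap, manifest)
        if not problems:
            return snap.name, rejected
        rejected[snap.name] = problems
    return None, rejected


def demo():
    """Constructed data: three dated snapshots, the two newest damaged after backup."""
    with tempfile.TemporaryDirectory() as tmp:
        snaps = []
        for day in ("2013-06-01", "2013-06-02", "2013-06-03"):
            snap = Path(tmp) / day
            snap.mkdir()
            (snap / "customers.csv").write_text("id,name\n1,Example Ltd\n")
            (snap / "invoices.csv").write_text(f"date,total\n{day},120.00\n")
            write_manifest(snap)
            snaps.append(snap)
        (snaps[2] / "customers.csv").write_text("id,name\n1,Ex\x00mple Ltd\n")  # corrupted
        (snaps[1] / "invoices.csv").unlink()                                    # lost file
        return latest_clean_snapshot(snaps)


if __name__ == "__main__":
    print(demo())
```

For a real test, restore to a different machine and point `verify_restore` at the restored folder. A manifest only shows that a backup is unchanged since it was taken; data that was already wrong at backup time still has to be checked by someone who knows the records.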
The other value of regular training sessions is
improved recovery time. Remember we discussed
‘urgency’, earlier? It is key in responding to a crisis not
to waste time on panic and confusion. Says Osborne,
“The point is that business continuity management
isn’t just about IT, although it will almost certainly
play a crucial part. That’s why it’s important to come
at the business continuity programme from a business
rather than just an IT perspective.” Bird agrees:
“Testing, practice, training and raising awareness will
all mean you’re back up and running faster, more
smoothly, and with less trouble for your customer
base”.
Find out more:
Backup and Restore in Windows 7
Online storage with SkyDrive
Backups with Office 365
A crisis plan you can live with
Small businesses don’t need lengthy documents to
trawl through. They need to get back on their feet –
fast. Our disaster recovery plan cuts the paperwork,
whilst helping you think through the issues which
could threaten your business and then solve them.
Do a quick search online for disaster recovery or
business continuity, and you’ll find hundreds of
example plans. They’re very
useful, but most of them come
in the shape of lengthy forms
for you to fill in; much of which
may not be entirely relevant to
your business.
It’s probably more useful for
you to understand the concepts
behind these forms, and then pick the best bits of the
many on offer as they apply to your operation.
There are fundamentally two parts to a crisis plan:
The business: Identifying the important parts
of your business – which activities you can’t do
without for any length of time. These are
often the customer-facing aspects of the
business; perhaps phone lines or a website.
The dangers: Identifying the things which can
go dramatically wrong, how they would affect
those key functions, and how you might
mitigate the damage with a little forethought.
With that basic structure in mind, here is a simple
bullet-point plan which will see you right.
1. Administration of the disaster recovery plan
1.1.1. Distribution list: who gets the plan
1.1.2. Update: when you are going to revisit it
1.1.3. Storage: locations where the plan can
be found. Keep it in your office but also
duplicated off-site, perhaps at home
2. The business
2.1. Contact list: the people who you will need to
contact in a disaster. Not just your
employees’ mobile numbers, but
perhaps their home or family
details, your suppliers, utility and
service providers like electricity or
gas emergency contacts, and key
providers in an emergency e.g.
insurers.
2.2. Critical functions: Answers
the simple question: what can the business
live without for a few hours, days or weeks;
and which elements of delivering your
service are ‘mission critical’? Define your own
timescale (a coach company, for example,
may have minutes to resolve a crisis;
whereas a freelance illustrator might have
several days to get back on track), and work
out the priorities. It might look something
like this:
2.2.1. 24 hours: website; phones
2.2.2. 48 hours: delivery van; stock
information
2.2.3. One week: office or suitable staff
locations; sales data; supplier contacts
2.2.4. One month: finance records
2.3. Recovery resources: Now, for each of the
critical functions you have identified, you
need to work out exactly what is required to
keep the business going. Ignore anything
which has been shown to be low priority –
you won’t have time for it. Work in the order
of the timescale you have created, and for
each function establish the:
2.3.1. Who: people needed, including non-
employees
2.3.2. What: resources; whether that’s capital
equipment, stock, tools etc.
2.3.3. Where: locations
2.3.4. Money: either costs of provision or costs
of replacement/cover
2.3.5. Information: data and financials,
industry knowledge, contacts etc.
2.4. Checklists: You will now have a matrix of
critical activities and the requirements to
keep the lights on for each one. Revisit the
matrix again and prioritise them. It’s
impossible to predict everything which can
possibly go wrong, but remember, at this
stage, we are just looking from the point of
view of the business. Many consultants now
advise that you create action plans; but we
think a series of business activity checklists is
the way to go – they should be short, precise
and clear. For example, to keep phones alive:
2.4.1. Get the contact list – if it’s not part of
the recovery document, it should be
easily available both on and off-site
2.4.2. Call key staff and explain that they will
need their mobiles until further notice
2.4.3. Establish diverts on incoming calls,
where possible to the correct person
2.4.4. Call the phone company to work out
what can be done etc.
3. The dangers. It’s now time to look from the other
angle: the things which can go wrong.
3.1. Threats and hazards. Not surprisingly, this
begins with a list of threats. Consider this
carefully as it is a potentially endless list. As
well as fire, theft and flood, how about also
considering data loss, reputational damage,
legal suit and loss of key staff – and that’s
just for starters.
3.2. Threat scores. For each one, we now identify
a threat score. Professional advisers like to
base this in some part on likelihood of
occurrence, along with the criticality to the
business and your ability to mitigate the
damage; and you should identify the
following factors:
3.2.1. Likelihood: an idea of the chance of the
event – or something like it – occurring
3.2.2. Any existing mitigations in place: for
example, fire extinguishers (fire), being
on the second floor (flood), and offsite
backups of data (just about everything).
3.2.3. Economical mitigations you could
deploy: for example, giving staff access
to documents at home, or job sharing to
spread knowledge across staff.
3.2.4. Prioritisation: You are now in a position
to give each threat a prioritisation;
perhaps a red, amber or green rating,
based on not only the threat’s effect,
but your ability to mitigate it.
3.3. Checklists, part 2: You already have some
business activity checklists. Now it’s time for
some crisis/event checklists for each
eventuality. Something like this (for theft),
fleshed out for relevance, is a good example:
3.3.1. Liaise with police
3.3.2. Locate management documents
3.3.3. Identify damage or loss
3.3.4. Arrange for repair to any premises
damage or security systems
3.3.5. Speak with insurers
3.3.6. Communicate with staff
3.3.7. Communicate with customers
3.3.8. Debrief and reassess after 7 days
4. Putting it all together: You now have a list of
threats, prioritised; and a list of company
activities, prioritised. You have checklists for
company activities, and checklists for crises or
events. It is now a simple case of matching
business activities and their checklists to potential
crises and their checklists. This is a crucial
moment in your planning: if, for any reason, once
you put them together, you don’t feel that they
match up or successfully resolve potential
problems, go back and revisit them; don’t wait for
a crisis to find out that you weren’t quite ready!
5. Preparation: Don’t forget that the other element
which should have come out of this process is a
list of economically viable potential mitigations:
for example secure document storage, online
backups, home access and all the other elements
which can minimise a crisis. Create a mitigation
action plan, and be proactive about getting these
protections in place within three months. Then,
revisit your disaster recovery plan and reduce the
threat scores accordingly.
6. Dry run: We have all experienced the general
grouching around fire alarm tests, but they’re
there for a reason: they save lives. Every six
months, perform a dry run for a specific crisis; it
will stand you in good stead.
7. Revisit the plan: A disaster recovery plan is a
living document. Allocate one day (that’s all it will
take) to reassess your plan annually.
Jack be nimble, Jack be quick: BC is easier when you’re small
Graham Price, Lecturer in Business Continuity Management, University of Coventry
Many issues in a large business are just like those of a
small business, but on a larger scale. Big businesses
have to make a thousand widgets instead of 10, or
pay 100 wage bills instead of four. Business continuity
(BC) – planning to keep the lights on – is,
unfortunately, not like that
at all.
Large businesses often have
a whole team of dedicated
professionals who spend
their waking hours creating
continuity plans and
embedding a culture of
continuity in employees and
the work they do. The BC
team’s work is factored into
the running costs of the
operation.
A small business, however,
won’t have a person on BC
full time: there’s not enough
work to do, and it would be
too costly. It’s also a
consideration which is
usually over and above the
ordinary activity of running
the business, so any
overhead in money or management time feels like a
particularly onerous extra burden.
And yet, it’s an important consideration, because
small businesses have what the specialists call ‘a
single point of failure’. They rely on individuals. If one
person is the ‘face of the business’, has specialist
skills, or keeps customer details in their head, then a
bout of illness (or the urge to drop everything and
disappear to Rio) could force the business to fold. In a
big company, by contrast, a
deputy with almost the
same skills can fill the gap
without ever breaking into a
sweat.
However, it’s not all bad
news for the little guy.
The BC team in a large
business can be unpopular.
They make new rules which
are sometimes perceived on
the shop floor as intrusive
and complicated. When I
said above that they ‘embed
a culture of continuity’, that
often dissolves into
‘enforcing a regime of
continuity’; rules which are
defined by those faceless
people on the management
floor.
As a small business owner,
the overall responsibility may indeed come down to
you, but you have the ability to gather the whole
team in a room, perhaps for half a day, and explain
why continuity issues are important. You can
encourage employees to share their knowledge
without accidentally creating attitudes of
protectionism or making staff worry that they are
sharing their knowledge because their jobs are at risk.
In a small business, everyone can pull together in a
united fashion, taking shared responsibility for the
ideal outcome of a secure business – and that’s a true
culture of continuity.
Big businesses also take time to make decisions.
Getting a BC plan off the ground in a large financial
institution, for example, will require the team’s
salaries to be approved, along with a whole raft of
technologies. That will need top level approval from
the board and no doubt a complicated process of
procurement from several companies. It can take
months to get everyone on board. In a small venture,
it comes down to you and your team; and you can
make all the big decisions today.
The news is full of extraordinary and unforeseen
disasters. Real life is full of even more unpredictable
circumstances which can send businesses off kilter. As
a small business, you have the inherent vulnerability
of many single points of failure. But you also have the
ability to turn on a sixpence, make fast decisions,
gather your staff together and unite them in a
common goal. That should make both planning for a
crisis and recovering from one much easier, and it’s
the sort of flexibility which larger businesses can only
dream of.
HOW MICROSOFT CAN HELP
Microsoft Office 365 brings together online versions of
the best communications and collaboration tools from
Microsoft. Subscribe to web-enabled tools that let you
access your email, documents, contacts, and calendars
from virtually anywhere, on almost any device.
Windows 8 is reimagined to support different working
styles. It’s more intuitive so you can find what you need
faster and easier. The new look of Windows and the new
app model make it easier for businesses to create their
own line-of-business apps to help improve productivity.