by Amanda Dahl, Director at AWIC

Quite often, business continuity planning is thought to be the domain of very large enterprises, like large financial institutions, who need to continue trading even in the event of major global disaster. But as we mentioned in our article on the impact of snow-related transport issues on businesses, “Small companies, especially ones without dedicated IT staff are the most vulnerable to loss of productivity due to weather-related staff shortages.  According to the Federation of Small Businesses, this could translate to an estimated 1.2 billion pounds lost in a day because of the disruption, with one-fifth of the UK workforce unable to make it into work.”

1. Maintain an accurate systems inventory

When disaster strikes, chances are that most of the staff normally required to support IT systems will be unable to make it to the office, and minor issues may have to be put on hold to concentrate on the most pressing problems. To help with prioritisation of issues, ensure that you have an up-to-date inventory of all IT systems and applications, including the level of business criticality, based on input from all key stakeholders, including members of the business, end users and even customers. Ensure that your inventory also includes the locations of servers and systems, key support contacts, and upstream/downstream dependencies. This inventory will help you in the heat of the moment when disaster strikes, allowing the IT team to focus efforts on what’s truly important.

2. Understand the risks of each company site

Use your systems inventory to determine potential areas of vulnerability. Ideally, by the end of this analysis, you will have a contingency plan for every high- and medium- priority IT system in your organisation.

How safe are each of your sites?

Do you have servers in various office or data centre locations? What are the risks associated with those locations? You may have a comms room located in a flood plain, or an office in a city centre which is vulnerable to terrorist attacks. Take the risks of each site into account in your plans by identifying any contingency systems you already have in place and, if possible, building new contingency systems in areas where it doesn’t already exist.

Or do you have a single point of failure?

On the other hand, if you don’t have servers in various locations, and have everything all in one place, you must plan for the loss of this single point of failure. For example, what would you do if there was a complete loss of power to your primary site? Or if BT accidentally cut the cable for your office internet connection?

3. Create a business case for disaster recovery planning

Consider the impact of your last major outage or loss of productivity, be it from a Tube strike, major snow storm or power cut. What was the impact in terms of tangible sales, loss of business opportunity or damage to the company reputation? Apart from the loss of tangible sales, these can be difficult to quantify, but a good estimate can provide a compelling arguments towards increasing the budget for disaster recovery planning.

4. Provide staff with remote working facilities

Technically feasible

Remote working is now more feasible than ever, especially with advances in technology such as VPN connectivity in larger organisations or cloud computing for small and medium businesses. Develop a remote working policy for your company that incorporates flexibility through modern technology (such as 3G wireless cards for laptops) and offers security and control (through token access or other security measures). Cloud computing services can offer an excellent all-in-one solution for anytime, anywhere access.

Morale boost

Providing staff with the means to work from home as part of a corporate Flexible Working Policy (for when transport causes chaos or unexpected child care duties get in the way) can be an invaluable way to increase morale and productivity. Besides forming a cornerstone of your flexible working policy, permitting staff to work from home on a regular basis allows remote-access technology to be regularly tested, increasing the chances that any issues with connectivity or technology infrastructure will be caught before there’s a real disaster.

5. Identify key roles and cross-train

It’s likely that only a skeleton crew will be available in the event of a real disaster. Rather than identifying just the key people required to keep the business going, build an inventory of the key roles needed to perform any recovery scenario. Take the time to cross-train a number of individuals to perform these duties, highlighting in particular any duties which absolutely must be performed on-site. Document all procedures, making sure they are updated in line with changes to the systems.

6. Conduct due diligence on your vendors

Even if your own company’s business continuity planning is comprehensive and thorough, it can all fall apart if your mission-critical systems have dependencies on vendors who haven’t planned adequately for disaster recovery. Ensure that you have the conversation with each of your vendors, requesting information on their business continuity plans in detail, along with any contractual provisions they may make for compensation should they breach their service levels.

7. Test your disaster recover plan at least once a year

Finally, once your systems are inventoried and prioritised with a recovery plan for each and a number of staff cross-trained for the recovery procedures, ensure that you actually perform a test of the entire process at least once a year. Although it’s resource-intensive and time-consuming, it will allow any issues to surface with remote connectivity, system interdependence and documentation. It will also give you an estimate of how long it will take your business to recover from a major disaster, providing valuable information to your customers, shareholders and, increasingly, external regulators.