Business continuity planning, encompassing disaster recovery, minimises the impact of an incident on an organisation by ensuring alternate processes are in place for key operational functions. Business continuity planning looks to preserve assets as well as an organisation’s ability to achieve its mission, retain acceptable levels of productivity, customer service, and ultimately to stay in business.
Can an organisation be too small for business continuity planning? Business continuity planning is not consigned to large organisations; any provider of a service or product, whether it is financial, manufacturing, distribution or sales, is equally exposed to the effects of a disaster. Are you prepared if something goes wrong?
Surely a business continuity plan is not needed if adequate insurance is in place?
Quite simply insurance does not buy back lost business, it only provides money. If this is not received immediately it could adversely affect cash flow, subsequent profits and client goodwill. Studies suggest that typically only 60% of actual losses are covered. Could your organisation survive the loss? Disaster does not just occur following an incident on a grand scale. A small incident, over a short period, impacting a key process, could severely disrupt an organisation; for example, an incident in the local area that requires evacuation of the premises for hours or even days. Computers still run, phones still work and infrastructure is unharmed but there is no access to any of it until the incident is resolved. Interruption threats come from multiple sources; some more likely than others. Premises may be substantially flooded, destroying servers, or an organisation may be the victim of theft. A business continuity plan examines the likelihood of this happening and considers a response relative to the risk.
It is vital to determine what would be addressed first following an incident. Who would be contacted first? How would staff be notified? To do this you need to examine your organisation, its people, its critical processes and how these are dependent upon considerations such as IT and infrastructure support, internal dependencies and suppliers.
Incident containment and recovery solutions are numerous and varied. If a flood for example, prevented access to your premises, could client service levels continue uninterrupted? The chance of this happening would be greatly increased by your staff logging in from home until full recovery is achieved. Without plans such as this in place how can you convey a level of operational confidence to your clients?
There are many factors and aspects of business continuity. It is important to be realistic and think sensibly about how your organisation would cope with a disruptive incident. Business continuity is about mitigating the impact of this incident by minimising financial losses and protecting your organisation’s reputation.
The solutions are not just quick fixes but long-term considerations. It is possible to survive an incident, but not necessarily possible to recover from the long term impact.
Where do I start?
Business continuity concerns each and every organisation. Business systems must be resilient. If business continuity planning fails, so does that of an organisations clients. Not being able to access data, emails, and premises, or even make a phone call all have the potential to damage a business – and that is only the start. A second reason why business continuity is vital is that organisations expect IT support on demand. A business should commit to investment in failover systems in multiple locations, home working and standby power generation on-site, this way directors can be confident that a robust set of business continuity contingencies will be there.
The following pages highlight some key areas of IT business continuity that an organisation should consider. Business continuity is a huge area and this is by no means a definitive guide. What this section will hopefully do is stimulate thoughts and further questions about how you can implement cost-effective IT business continuity plans.
What options are there?
IT business continuity planning needs to address both the hardware and data contained within the system. This section highlights some of the ways you can build protection around your system. It is essential to ensure comprehensive planning is in place by using highly resilient servers, secondary power supplies, dual Internet connections, redundant storage and uninterruptable power supplies. As well as this it is recommended that companies use thin client technologies, such as Citrix and Microsoft® Terminal Services, for remote access, and virtual servers to provide both flexibility and resilience.
You can build a lot of resilience into your IT system hardware. The aim when creating a resilient system is to remove any single point of failure. Hard disks used to store your applications and data are a likely point of failure, making them an area of risk and a key place in which to build resilience. You can build storage resilience by using a Redundant Array of Inexpensive Disks (RAID). By using RAID your system can lose a hard disk and still function without interruption, giving you time to replace the failed disk.
Another way to build resilience is to address the potential failure of power supplies. IT systems prefer clean power supplies; power outages or even dirty power can cause serious problems. You can build resilience into your servers by having hotspare power supplies receiving power from different sources. This way, if one source fails the other continues whilst the failed supply is fixed. As a minimum you should have all your servers on Uninterruptable Power Supplies or UPSs as they are more commonly referred to. UPSs continually clean and smooth the spikes out of power that is provided. In the event of a power outage UPSs keep servers running long enough to safely close them down or switch to an alternative power supply. If you cannot afford to have servers down, then you need to consider alternative power supplies like standby generators that kick in automatically if they detect a power outage.
Using more than one Internet Service Provider (ISP) builds added resilience into your communications infrastructure. If one communication link fails, the other can take over. However, just having different ISPs providing broadband connections is not always enough. A further consideration should be to ensure your links to the Internet do not use the same means of connection. ISPs often use the same cable and exchange, meaning that should there be a problem between your office and the exchange, it is likely you will lose both connections. To avoid this it is recommended implementing an alternative method of connecting to the Internet such as a radio link.
Up until recently servers were built and optimised for the hardware and operating system they were running on. Now with the availability of more powerful hardware these physical servers can host multiple operating systems. Each hosted operating system is known as a virtual server. These virtual servers run their own operating systems independently of the host and the other virtual servers. Because they are no longer dependent on the hardware they are running on, it is now very easy to transfer or replicate a virtual server from one physical host to another dissimilar physical host. For business continuity purposes, restoring a server onto dissimilar hardware is a long and complicated process, but with virtual servers the process is far easier and takes a lot less time due to their hardware independence.
Another advantage of virtual servers is that it is possible to run more than one virtual server on a physical host server, thus taking advantage of any spare processing capacity on the server. Also, in a business continuity scenario it is possible to have a few powerful physical servers hosting a number of virtual servers at a remote location, be it a branch office or a hosting centre. Virtual servers can be easily replicated or restored onto these hosts at the other location ready to be enabled in the case of a business continuity scenario.