Technology: when disaster strikes

Hiding is not an option when it comes to getting your clients through a disaster

Written by Catherine Everett

Best Practice, 22 May 2008

Even though businesses rely heavily on their corporate data to operate, a high number are still failing to put adequate disaster recovery (DR) and business continuity management (BCM) plans in place.

Part of the problem lies in the fact that, although advisory bodies say organisations need to make adequate recovery plans, there isn’t a consensus as to what it involves.

Ian Sumbler, IT partner at accountancy firm Morris Owen, explains: ‘Five years ago, I would have said it meant back-up, but once you start talking to people, you realise that DR and BCM are big topics and back-up and recovery are only a small part of it.’

Smaller firms are less likely to have adequate procedures in place than big businesses. But that’s not to say all bigger organisations are covered.

According to a recent survey among 200 UK companies by security consultancy Activity, only 25% of organisations with between 250 and 499 staff were covered in DR and BCM terms. This fell to 13% for firms with 50 to 250 staff. Neil O’Connor, principal consultant at Activity, says that is likely to be proportionately lower among firms with fewer than 50 employees.

Another worrying finding was that, even among those companies that already have provision in place, as few as 15% believed that their plans would work in the face of a real-world disaster because of insufficient testing.

‘It’s a time and cost issue. Everyone’s conscious that they should do it, but a lot of companies don’t get round to it. But it’s also about maturity. The more mature a company becomes in terms of internal processes, the more they worry about the business being able to continue if things go wrong,’ says O’Connor. The principal motivation seems to be ‘when something happens to them’ or when major incidents occur such as last summer’s flooding.

A generally increasing awareness of the need to improve corporate governance and risk management procedures is also starting to emerge, and this is only set to grow following the further introduction of the Companies Act at the end of this year.

Learn through experience

In Morris Owen’s case, the impetus for action was generated by the firm’s Microsoft Exchange email server breaking in 2003. This caused ‘grief for a week-and-a-half’ before it was possible to get a replacement working. This experience brought home how ad hoc previous back-up and recovery procedures had been.

It also made him consider the potential impact should lightening strike the company headquarters in Swindon, as it had done a decade earlier, leading to the computer and phone system being wiped out. ‘If that happened now, we wouldn’t be able to recover properly. Given our reliance on technology, no one could work and client needs don’t wait for your disaster to resolve itself,’ says Sumbler.

This is particularly true in the case of the firm’s Virtual Accounts Office service, through which it provides about 40 customers with a menu of outsourced financial services ranging from invoicing and debt collection to handling client queries. ‘So if anything were to happen to our organisation, it would impact not just on our product delivery to customers but also on their ability to do business,’ says Sumbler.

As a result, he started work on developing DR and BCM plans to cover not just IT, but the entire business in the event of generic rather than any specific disaster. But he also required that the plans be signed by all partners and departmental managers with responsibility for implementation to confirm that they had read and understood them.

‘It’s too much for one person to do alone so you need to get buy-in and ensure everyone understands what they need to do to protect the business. The business owners can plan for recovery based on their idea of what happens on the ground, but that may be different to the reality. And you need to recover the reality,’ Sumbler advises.

The first things he explored were data and data flows ‘because it’s about what you do’. He looked at where and how data is used and how critical it is. Next on the list was telecoms provision, as you need to be able to communicate throughout.

Secure the supply chain

Another crucial element is the supply chain, which includes the supply of personnel. ‘You need to keep a contact list of all your suppliers, whether they provide stationery or IT. This means you can contact them and get them to deliver to the remote location where you’re doing the restore,’ he explains.

In Morris Owen’s case, that’s limited space in a remote office in Bristol provided by a third party, which, in the event of an emergency, would be used to house key personnel. Some staff would also be required to work from the firm’s site in Cirencester, while others would work from home.

As to who such designated key personnel are varies based on timing. ‘If a disaster happens in mid-January, the focus is on tax returns so it’s more important to get those staff and systems up-and-running first. But in the last week in April, the focus is on processing payroll so staff in this area get shuffled up the priority list,’ says Sumbler.

To test the ongoing validity of the plans, meanwhile, a small representational team is assembled once a year to undertake a full test simulation.
But there has also been another unexpected benefit. ‘It puts out a powerful message to the client base that you’re not only protecting your business, but theirs too and that’s a powerful sales and marketing message,’ he says.

Worth the cost

Moreover, introducing DR and BCM cover no longer has to break the bank. In fact, says Aiden Curran, head of ICT at law firm McVey & Murricane, the secret to keeping costs down is simply a matter of ‘always looking for smarter ways to do something’.

His organisation runs all of its business applications on central servers and uses Citrix thin client technology to enable the entire workforce of 60 to access them remotely over the internet using SSL virtual private networks for security purposes.

This means staff can work from home in the event of a crisis as data is backed up nightly to a remote site using Double-Take Software’s data replication product, thus negating the need to pay for third-party premises.

‘You don’t need to spend a fortune if you plan correctly and communicate with the right people. But planning is key. If you don’t, you can end up buying a licence for this and other resources for that, and the cost can really rack up,’ says Curran.

Even renting back-up premises can be cost-effective if requirements are thought through carefully. Morris Owen’s facility, which includes relevant telecoms and IT infrastructure to run the firm’s Iris business applications and provision for annual testing, costs less than £5,000 per year.

‘Most firms would not consider this a huge expense, but it might also be worth looking at the situation with your professional indemnity insurance. After all, you’re mitigating business risk so the insurance company might be able to do something on your premiums,’ says Sumbler.

Recovery position

Disaster recovery

  • Disaster recovery is IT-specific and covers the procedures involved in restoring the data centre to full operational capacity.
  • This involves regaining access to the IT and telecommunications infrastructure and includes building resilience into it from the outset.
  • It also entails putting procedures in place to recover data from a previously defined point in time, within a previously defined timeframe and within a previously defined budget.

Business continuity management

  • According to market researcher, Gartner business continuity management comprises five elements, one of which is DR.
  • Second is work area recovery, which entails providing staff with the facilities they require to keep on working in the event of an incident.
  • Business resumption covers the time from a problem occurring to the business determining whether or not it constitutes a full-blown incident.
  • Contingency planning involves exploring possible repercussions if a problem occur with external agencies such as partners and suppliers and its impact on the business.
  • Crisis management encompasses all the activities involved in handling the disaster itself and involves setting up a crisis management centre, not least to communicate with all parties.

Catherine Everett is a freelance IT journalist

www.accountancyage.com/technology

Tags:

reader comments

related articles

 
Security

Virtual backup launched in the UK

Plan B DR is aiming its low-cost recovery service at SMEs 29 Oct 2008

ANS Group arms school with FalconStor CDP

Integrator installs data protection system to ensure safety of students’ coursework 17 Apr 2008

Management

London School of Economics outsources disaster recovery

University signs third-party deal with SunGard to ensure data security 18 Nov 2008

related whitepapers

today's top stories

Communications

CIOs must embrace collaboration tools

Author Don Tapscott gives Angelica Mari his reasons for promoting social networking tools and says transparency is the key to security 04 Dec 2008

Communications

On a quest to build a connected society

BT Design’s JP Rangaswami talks to Gareth Morgan about his pivotal role in the telecoms giant’s efforts to deliver universal broadband and his plans to tap into the creativity of the open source community 04 Dec 2008

Management

IT leaders must stand by India

A sense of perspective is the most important response from IT leaders to the attacks in Mumbai 04 Dec 2008

Hardware

Case study: Clifford Chance

Law firm implements Sun platform and reduces datacentres to gain efficiency and cost synergies 03 Dec 2008

Communications

Should CRM be more sociable?

As vendors rush to add more social networking bells and whistles to their CRM products, some experts warn that users must tread carefully when venturing into online communities 03 Dec 2008

> More news

Advertisement

Newsletter signup

Sign up for our range of FREE newsletters:

Existing User

Newsletter user login:

Advertisement

Jobs

Related jobs

Job of the week

> More IT vacancies

Job alerts

  • Latest jobs to your inbox
Sign up here

Find your next job

IT Salary Checker

  • Are you being paid what you are worth?
Check salary here

Advertisement

White papers

Search white papers

Top categories

VPN, Extranet and Intranet Solutions

WAN/ LAN Solutions

Network Security

Interoperability-Connectivity

Grid/ Utility Computing

Latest poll

Will the terrorist attacks in Mumbai affect your offshoring plans?

Will the terrorist attacks in Mumbai affect your offshoring plans?

Is India becoming a risky destination?

Previous poll results

> More polls

Latest audio and video articles

Padlocked CDVideo

Technology and privacy

Watch the final video in a two-part Computing roundtable debate on the importance of putting data privacy issues at the heart of your IT plans 02 Dec 2008

Podcast imageAudio

Computing podcast - Standard Life's offshoring plans; and the prospects for government IT

The insurance giant outlines its new outsourcing strategy; and we ask if the government's economic bailout will affect its IT plans 28 Nov 2008

> More audio and video

Latest in-depth articles

Doctors looking at a computerAnalysis

Watchdog wants IT to cure privacy woes

Information Commissioner Richard Thomas is urging organisations to put privacy protection at the top of their procurement and development criteria 04 Dec 2008

Colin McDonaldComment

Web 2.0 has potential to transform staff training

Employees can sharpen their IT skills through using the latest interactive training tools, writes Colin McDonald 04 Dec 2008

> More in depth articles

Advertisement

Primary Navigation