Inability to recover would be the real disaster
1 April 2005 | 0
The issue of staying in business after a disruptive event, perhaps even one worthy of the title ‘disaster’, is occupying the minds of Irish company directors with increasing importance.
Although the events of two years ago in New York city provided a ‘wake up call’ as one observer put it, the issue had taken on renewed importance as far back as 1993 when a car bomb exploded in the basement car park of the World Trade Center complex. Although casualties were relatively light compared to the September 2001 attack, many companies eventually went out of business despite the fact they had put in place strategies for ensuring critical data was backed up, for the simple reason they could not gain access to those backups.
Closer to home, businesses in the Blanchardstown area of Dublin were affected earlier this year when a truck carrying drums of acid shed its load, creating traffic chaos as authorities closed roads. It is this type of incident, say many observers, that pose the greatest threat to a company. So are Irish companies ready to continue doing business in the face of such disruption?
‘There’s definitely renewed interest in business continuity,’ says David Murphy, managing director of General Systems, one of the country’s leading disaster recovery/business continuity companies. ‘Businesses are taking a more serious view of the issue. Among our customers, those who already had a business continuity plan are allocating more resources, giving it more time and investigating contingencies more thoroughly. They are looking at alternative premises in case of flood, fire and so on.’
Michael Conway, director of Renaissance Contingency Services concurs. ‘I think companies are taking business continuity more seriously,’ he says. ‘September 11th would have given some of them a wakeup call to dust down the old disaster-recovery plans and upgrade them to a full business-continuity plan. Business continuity is a culture, not a project. You have to maintain the plan, keep it current and relevant to business needs.’
Conway also emphasises the importance of testing a plan. As time goes by, even the best made plans degenerate. Key personnel may have left, contact telephone numbers may have changed, so it is vital to test plans on a regular basis to ensure that they are still relevant.
‘In the main areas that are regulated there is a very mature approach to business-continuity management,’ says Ian Byrne, business services manager of Synstar. ‘Most major players would have a very structured approach and would regularly test their plan. Outside the regulated areas, some companies are very good and others are very exposed. What we saw during the ‘Celtic Tiger’ phase was a focus on growth, but now the focus is on other things. We are seeing a growing interest in business continuity from the public sector which has not looked at this in the past at all.’
But why are companies now shaking off their complacency? The answer to that varies depending on whom you ask. Insurance companies, for instance, are now taking a close look at how companies manage their risk. ‘At the end of the day the insurer is saying, I want you to take all reasonable precautions,’ says James Dynan of PTS Consulting. Murphy agrees. ‘There’s more of a drive coming from insurance companies than from 9/11,’ he says. ‘As part of the insurance audit they will ask a client company for contingency plans.’
Another major driving force is corporate governance. The two most significant documents setting out best practice in this area are The Turnbull Report — a set of guidelines issued by The Institute of Chartered Accountants in England and Wales to enable UK companies to implement the internal controls required by the Combined Code on Corporate Governance — and the Cadbury Report on financial aspects of corporate governance drawn up in the wake of the Maxwell scandal a decade ago.
‘A lot of companies are putting a statement in their annual reports that they take risk seriously,’ says Dynan. ‘If you look at any annual report under Turnbull rules, the directors have to specify that they take risk seriously and have an internal control policy to address it.’
But the other reason companies are taking business continuity seriously is because it is good business. ‘Depending on the type of company you are, a business continuity plan can give you credibility with customers and you can use the plan as a selling point,’ says Gordon Nother, chairman of Survive Ireland, the Irish branch of a worldwide user group devoted to business continuity planning. ‘If you are part of a supply chain, a few years ago you would have had to have ISO 9000 certification. Now you have to have a business continuity plan if you want to be part of the supply chain. Your client companies will come in to carry out an audit and test your plan.’
Not everyone is convinced that Irish business is shaking off its complacency. ‘Increasingly we are seeing people turning a blind eye to the impact of Cadbury and Turnbull reports from a business continuity perspective. I think regulation has to lead. In the UK, the Institute of Directors is very pro-active and we are starting to see the Irish equivalent take a lead. But at the moment a lot of companies are content to have just the basic facilities in place.’
Like many business processes there are standards for business continuity plans. One of the relevant ones, according to Dynan, is the ISO 17799 Information Security Management standard. In addition, the UK-based Business Continuity Institute has its own standards.
Putting together a business-continuity plan means determining the recovery needs of the business in terms of timescales, or what needs to be up and running in two, four, six or eight hours. The next step is to determine who can provide those. The plan should cover making backups and how the backups are to be managed.
‘The minimum in any organisation is a nightly backup’ says Dynan. The plan should be tested and staff educated in its use. An ‘A’ team that will take part in any recovery should be designated as should a ‘B’ team who should be aware that in certain circumstances, they could become the ‘A’ team. Once the plan is in place and approved, it is then a question of finding a disaster recovery provider. Fortunately, the Irish market is well served.
‘We have a mixed offering depending on client requirements,’ says Murphy. ‘The most immediate product we offer is Rapid Roll Out. If the customer has a system or network that is kaput or inaccessible, we will ship replacement equipment to a predesignated site from where he can run IT operations. We commit to having the replacement material in place within six hours.’ According to Murphy, this is General Systems’ most popular product.
If a client cannot, or does not want, to specify a backup location, it can make use of General Systems’ Hotsite product. This is a business-continuity centre capable of accommodating up to 450 people and fitted with the necessary equipment to run a company’s critical applications.
The company also has a number of mobile recovery facilities. These are self contained units on the back of a truck that can be driven to any location in the country within six hours and parked, say, in the client’s car park. The units have their own electricity generators and all the necessary IT equipment to enable a company to continue operations. ‘It gives the company a breather and gives people time to find an alternative location,’ explains Murphy.
General Systems also looks after managing its clients’ backups. ‘We offer mirroring and tape backup,’ says Murphy. ‘There is a greater demand for mirroring. Companies of any description will use either local or remote mirroring.’ Remote mirroring, he points out, can be expensive so many companies opt for local.
‘Synstar’s business continuity site at Swords is, I believe, the largest in the country, says Byrne. ‘We recently upgraded to 620 positions in one location and all of these would be a proper corporate environment.’ According to Byrne, the Swords facility includes meeting rooms, canteen facilities, ample parking and the latest available technology. ‘Our current refresh is the latest HP 2.8GHz workstations. We have a 280sq m computer room, we can supply services on any equipment and our technicians are able to support all products.’
Backup services are also included in Synstar’s service. ‘We offer everything from mirrored images to near online or online backups as required,’ says Byrne. Although Byrne agrees with Murphy that mirroring can be expensive, he points out that it is the last few minutes of a mirrored system that cost money. ‘Most people are content with near online backups that are only a few minutes out of date.’
Focus on continuity
IBM’s Business Continuity Services Department operates centres in Dublin and Cork. ‘If we look back, what was called disaster recovery in the late 80s and early 90s was focused on mainframe and midrange computer systems and the service that was needed was to allow a business to keep on processing invoices and so on,’ says IBM’s Tom Byrne. ‘Today, the emphasis is on continuity and IT forms only one leg of that. Business is the other leg and across both of those is personnel.
What IBM provides, says Byrne, is a complete service that takes clients to the point where they can operate effectively out of one of the company’s centres. ‘Our Business Recovery facility includes a full business environment,’ he says. ‘We can swing in whatever communications are required and provide a work area as well. The client’s normal telephone numbers are diverted to the recovery centre, to which the staff have been moved so business is conducted as usual.’
The locations of IBM’s facilities reflect the reality of industrial investment patterns, explains Byrne. ‘Investments have largely been made in Dublin. If you look at the European view of business continuity, people don’t think anything of travelling to an acceptable continuity facility. When looking at the midlands or the west, a couple of hours travel is an acceptable risk. The alternative is providing the facilities they need themselves on a dedicated basis closer to where they operate from and that comes at a very high cost.’
With talk of facilities capable of accommodating 400 to 600 people, one could be forgiven for thinking business continuity is the preserve of the larger companies. Far from it. Dublin-based Continuity Systems aims to provide a corporate-class service to small and medium-sized businesses. ‘We concentrate on those companies with one to five servers or between five and 50 people’ explains Neil Stone-Wigg, managing director. ‘Any more than that and the project balloons. With smaller companies you can get all of the applications ready in a disaster environment.’
Continuity Systems provides a full off-site IT infrastructure ready to be turned on in case of a disaster, says Stone-Wigg. ‘That entails three components: the server environment, a copy of the master PC (with all of the applications we can think of) and communications links.’
An interesting development that Stone-Wigg is observing is the use of disaster recovery as a day-to-day business tool. ‘Normally we do a test restore every quarter. But we have some clients for whom we do a restore every Monday morning so they know they will have at least one server that will be in the precise configuration it was in on Friday night when the backup was taken. Their IT infrastructure is so critical that they want that extra level of comfort.’
Survive Ireland is a user group devoted to business continuity planning. Membership is drawn from people in IT, facilities management and human resources and they come from the insurance, pharmaceutical and banking industries. ‘We have four meetings per year,’ explains Chairman Gordon Nother. ‘They take the form of half-day seminars and we invite guests to speak on topics. We have a membership of about 200 in Ireland but we aren’t as formal as the UK organisation. We see it as a form of networking and an opportunity to chat offline.’
According to Nother, most of the members come from mid- to large-sized companies, however, he says, there is no reason why smaller companies shouldn’t attend. Survive!: www.survive.com