Keeping the business strong when it all goes wrong…download.microsoft.com › documents › uk ›...


Page 1: Keeping the business strong when it all goes wrong…download.microsoft.com › documents › uk › business › Backing-up.pdf · cancel all your insurance policies too! Alternatively,

Keeping the business strong when it all goes wrong…

On December 11th, 2005, the sleepy town of Hemel Hempstead in well-to-do Hertfordshire was rocked (literally – it measured 2.4 on the Richter Scale) by a series of explosions at a local oil depot. It’s remembered as the Buncefield Disaster; 2000 people were evacuated, and it cost many millions in repairs.

Watch the news coverage, and the key reaction from local residents is a thoroughly English “I don’t believe it! I can’t believe it’s happened here!” This is the problem with unexpected events: we don’t think they’ll ever happen, and certainly not to us. Even the name ‘Buncefield’ is more ‘coffee mornings and birdsong’ than ‘Apocalypse Now’. And yet, local businesses were decimated. This is no isolated incident, either. Another great example to hit the headlines is the House of Reeves furniture store in Croydon, South London. The historic, family-run store became a cause celebre when it was razed to the ground by looters in the riots of summer 2011. In mid-2013, the owners finally threw in the towel and said they would not be re-opening.

Clearly, anything can happen; what does happen will probably be a surprise, and we’re hopelessly good at putting our collective heads in the sand.

If it’s not mission critical, ignore it!

Rescue comes in the form of a discipline called ‘Business Continuity’ (BC) - the art of keeping going when everything has gone wrong. An enormous amount of the wisdom of BC is in working out what’s worth your effort, and what isn’t. For example, despite the attraction of ghoulish examples like the ones above, Andy Osborne, a director of BC consultants Acumen BCP, blogger and author of ‘Risk Management Simplified’, says that trying to work out what could go awry is the wrong place to start. “There are major issues inherent in that way of thinking. Firstly, the ‘It'll never happen to us’ syndrome can result in doing nothing at all - in which case you might as well cancel all your insurance policies too! Alternatively, you can spend too much time thinking about all kinds of scenarios that may never happen, ending up with a plan that's three inches thick, that no-one ever reads. Plus the "disaster" that hits you probably won't be one that you thought of, rendering the process pointless.”

“To a large extent”, says Osborne, “it doesn't matter what the cause of the disruption is. What is important is being able to continue your key activities”. When working out those key activities, Lyndon Bird, Technical Director of the Business Continuity Institute, says that one of the magic words in BC is ‘urgency’. “People get confused between importance and urgency”, he says. “Concentrate on urgency. Your new marketing strategy might be important, but it isn’t urgent. Whereas making deliveries or keeping the website alive are urgencies.”

Osborne advises businesses to look in depth at the trickledown of dependencies that make up the chain of these urgent business activities. “By looking at the dependencies within a process, we can determine where failure could prevent our success and identify appropriate contingencies.” Making those deliveries will depend on transport, for example. The website might depend on a third party supplier, or basics like electricity. “Mapping our dependencies in this way can help us to understand where our vulnerabilities are and where mitigation measures should be focused. If nothing else, focussing on the positives, rather than the negatives, might make risk management a slightly less depressing process!”

“Similarly, look at what you can control or mitigate, and what you can’t”, adds Bird. You can’t control an earthquake, for example. You can, however, mitigate dramatically against fire (extinguishers), theft (security systems), malware (antivirus), to the point where you regain sufficient control of these situations.

As we have said, though, it’s a false economy to try to control everything, particularly for a small business without funds sloshing about. Bird offers a simple risk assessment model which has the added benefit of being a very useful pointer to where you should spend your managerial time and effort. He says there are two fundamental elements to risk:

Impact: the effect of something happening. A dripping tap will have a low impact; your business partner absconding with the contents of the bank account will have a high impact.

Likelihood: the probability of something happening at some stage. A gas explosion is of fairly low likelihood, a hard drive giving up the ghost is a high likelihood.

This gives us a very useful four-quarters model:

Low impact, high likelihood: e.g. staff engaging in low-level pilfering from the warehouse. Solving these issues is about tightening up your management controls and procedures, and worth a bit of your time.

Low impact, low likelihood: e.g. a paper jam in the photocopier. These are the things to ignore - you can waste buckets of time and effort designing systems for them, and they’re not worth it.

High impact, high likelihood: e.g. our delivery van is making a nasty clunking sound. There’s no time for thinking or planning here – get it fixed now! You want to avoid anything in this quarter.

High impact, low likelihood: e.g. the office being flooded. This is where BC happens.

By now, you can see that the genius of BC is to concern yourself only with important problems which could dramatically affect the business, only the ones you can’t do without for a few days, and only the ones you can usefully mitigate in some way. You should come out of this process forewarned, forearmed, and feeling a little more confident that a crisis need not become a drama.

Beating Fate on a shoestring

The good news is that those mitigations also need not cost a fortune; particularly in terms of technology. Osborne says, “It’s a misconception that BC is complicated, expensive or difficult. Stick to four simple questions which we have hinted at above:

1. What's important?
2. Why is it important? (in terms of the impacts if it stops);
3. When do we need it to be available again in order to avoid those impacts?; and
4. How can we ensure that it's there when we need it?

This business impact assessment will ensure that your BC plan is sensible, pragmatic and cost effective.”

Bird agrees that simplicity is key: “Your IT needn’t be in triplicate across three different datacentres, but do observe the basic housekeeping. Back everything up, secure your systems, all with ordinary, practical tools. Mirror your essential information offsite to the Cloud, and test that everything works – including the restoration of backed up data. Keep your solutions simple.” Incidentally, Osborne cautions that Cloud providers are not all one and the same: “Validate the common assumption that your provider securely replicates the data you store with them. Find out where it is hosted, and who has access to it. And understand clearly what’s in the Service Level Agreement as regards its availability.”

There’s one more subtlety to consider when it comes specifically to the resilience of your information (rather than, say, your premises). As well as the availability of information, you must also consider its integrity after corruption and/or loss. You may remember that last year, the bank, RBS, was heavily criticised because customers could not access their accounts for several days. That’s painful, but not terminal. Imagine, however, if they simply could not retrieve any account information at all. The business would not survive. The key question is: how far would you have to go back in the records to be sure that your data was correct and uncorrupted? This can be painfully time consuming, so make sure your backups offer you a credible version of the truth.

None of the technology is hard; but changing your work style or operational processes can be more challenging. “It’s keeping up the good work that takes effort”, says Bird. “Have a practice run every few months, and make testing realistic: don’t restore your data to the same computer you always use; try restoring it to a completely new machine. Staff don’t realise that their data is the lifeblood of the business, so train your team, help them to appreciate the value of information and make sure everyone knows what they should do when trouble comes knocking.”

The other value of regular training sessions is improved recovery time. Remember we discussed ‘urgency’, earlier? It is key in responding to a crisis not to waste time on panic and confusion. Says Osborne, “The point is that business continuity management isn’t just about IT, although it will almost certainly play a crucial part. That’s why it’s important to come at the business continuity programme from a business rather than just an IT perspective.” Bird agrees: “Testing, practice, training and raising awareness will all mean you’re back up and running faster, more smoothly, and with less trouble for your customer base”.

Find out more:

Backup and Restore in Windows 7

Online storage with SkyDrive

Backups with Office 365


A crisis plan you can live with

Small businesses don’t need lengthy documents to trawl through. They need to get back on their feet – fast. Our disaster recovery plan cuts the paperwork, whilst helping you think through the issues which could threaten your business and then solve them.

Do a quick search online for disaster recovery or business continuity, and you’ll find hundreds of example plans. They’re very useful, but most of them come in the shape of lengthy forms for you to fill in; much of which may not be entirely relevant to your business.

It’s probably more useful for you to understand the concepts behind these forms, and then pick the best bits of the many on offer as they apply to your operation.

There are fundamentally two parts to a crisis plan:

The business: Identifying the important parts of your business – which activities you can’t do without for any length of time. These are often the customer-facing aspects of the business; perhaps phone lines or a website.

The dangers: Identifying the things which can go dramatically wrong, how they would affect those key functions, and how you might mitigate the damage with a little forethought.

With that basic structure in mind, here is a simple bullet-point plan which will see you right.

1. Administration of the disaster recovery plan

1.1.1. Distribution list: who gets the plan

1.1.2. Update: when you are going to revisit it

1.1.3. Storage: locations where the plan can be found. Keep it in your office but also duplicated off-site, perhaps at home

2. The business

2.1. Contact list: the people who you will need to contact in a disaster. Not just your employees’ mobile numbers, but perhaps their home or family details, your suppliers, utility and service providers like electricity or gas emergency contacts, and key providers in an emergency e.g. insurers.

2.2. Critical functions: Answers the simple question: what can the business live without for a few hours, days or weeks; and which elements of delivering your service are ‘mission critical’? Define your own timescale (a coach company, for example, may have minutes to resolve a crisis; whereas a freelance illustrator might have several days to get back on track), and work out the priorities. It might look something like this:

2.2.1. 24 hours: website; phones

2.2.2. 48 hours: delivery van; stock information

2.2.3. One week: office or suitable staff locations; sales data; supplier contacts

2.2.4. One month: finance records


2.3. Recovery resources: Now, for each of the critical functions you have identified, you need to work out exactly what is required to keep the business going. Ignore anything which has been shown to be low priority – you won’t have time for it. Work in the order of the timescale you have created, and for each function establish the:

2.3.1. Who: people needed, including non-employees

2.3.2. What: resources; whether that’s capital equipment, stock, tools etc.

2.3.3. Where: locations

2.3.4. Money: either costs of provision or costs of replacement/cover

2.3.5. Information: data and financials, industry knowledge, contacts etc.

2.4. Checklists: You will now have a matrix of critical activities and the requirements to keep the lights on for each one. Revisit the matrix again and prioritise them. It’s impossible to predict everything which can possibly go wrong, but remember, at this stage, we are just looking from the point of view of the business. Many consultants now advise that you create action plans; but we think a series of business activity checklists is the way to go – they should be short, precise and clear. For example, to keep phones alive:

2.4.1. Get the contact list – if it’s not part of the recovery document, it should be easily available both on and off-site

2.4.2. Call key staff and explain that they will need their mobiles until further notice

2.4.3. Establish diverts on incoming calls, where possible to the correct person

2.4.4. Call the phone company to work out what can be done etc.

3. The dangers. It’s now time to look from the other angle: the things which can go wrong.

3.1. Threats and hazards. Not surprisingly, this begins with a list of threats. Consider this carefully as it is a potentially endless list. As well as fire, theft and flood, how about also considering data loss, reputational damage, legal suit and loss of key staff – and that’s just for starters.

3.2. Threat scores. For each one, we now identify a threat score. Professional advisers like to base this in some part on likelihood of occurrence, along with the criticality to the business and your ability to mitigate the damage; and you should identify the following factors:

3.2.1. Likelihood: an idea of the chance of the event – or something like it - occurring

3.2.2. Any existing mitigations in place: for example, fire extinguishers (fire), being on the second floor (flood), and offsite backups of data (just about everything).

3.2.3. Economical mitigations you could deploy: for example, giving staff access to documents at home, or job sharing to spread knowledge across staff.

3.2.4. Prioritisation: You are now in a position to give each threat a prioritisation; perhaps a red, amber or green rating, based on not only the threat’s effect, but your ability to mitigate it.

3.3. Checklists, part 2: You already have some business activity checklists. Now it’s time for some crisis/event checklists for each eventuality. Something like this (for theft), fleshed out for relevance, is a good example:

3.3.1. Liaise with police

3.3.2. Locate management documents

3.3.3. Identify damage or loss

3.3.4. Arrange for repair to any premises damage or security systems

3.3.5. Speak with insurers

3.3.6. Communicate with staff

3.3.7. Communicate with customers

3.3.8. Debrief and reassess after 7 days

4. Putting it all together: You now have a list of threats, prioritised; and a list of company activities, prioritised. You have checklists for company activities, and checklists for crises or events. It is now a simple case of matching business activities and their checklists to potential crises and their checklists. This is a crucial moment in your planning: if, for any reason, once you put them together, you don’t feel that they match up or successfully resolve potential problems, go back and revisit them; don’t wait for a crisis to find out that you weren’t quite ready!

5. Preparation: Don’t forget that the other element which should have come out of this process is a list of economically viable potential mitigations: for example secure document storage, online backups, home access and all the other elements which can minimise a crisis. Create a mitigation action plan, and be proactive about getting these protections in place within three months. Then, revisit your disaster recovery plan and reduce the threat scores accordingly.

6. Dry run: We have all experienced the general grouching around fire alarm tests, but they’re there for a reason: they save lives. Every six months, perform a dry run for a specific crisis; it will stand you in good stead.

7. Revisit the plan: A disaster recovery plan is a living document. Allocate one day (that’s all it will take) to reassess your plan annually.


Jack be nimble, Jack be quick: BC is easier when you’re small

Graham Price, Lecturer in Business Continuity Management, University of Coventry

Many issues in a large business are just like those of a small business, but on a larger scale. Big businesses have to make a thousand widgets instead of 10, or pay 100 wage bills instead of four. Business continuity (BC) – planning to keep the lights on – is, unfortunately, not like that at all.

Large businesses often have a whole team of dedicated professionals who spend their waking hours creating continuity plans and embedding a culture of continuity in employees and the work they do. The BC team’s work is factored into the running costs of the operation.

A small business, however, won’t have a person on BC full time: there’s not enough work to do, and it would be too costly. It’s also a consideration which is usually over and above the ordinary activity of running the business, so any overhead in money or management time feels like a particularly onerous extra burden.

And yet, it’s an important consideration, because small businesses have what the specialists call ‘a single point of failure’. They rely on individuals. If one person is the ‘face of the business’, has specialist skills, or keeps customer details in their head, then a bout of illness (or the urge to drop everything and disappear to Rio) could force the business to fold. In a big company, by contrast, a deputy with almost the same skills can fill the gap without ever breaking into a sweat.

However, it’s not all bad news for the little guy.

The BC team in a large business can be unpopular. They make new rules which are sometimes perceived on the shop floor as intrusive and complicated. When I said above that they ‘embed a culture of continuity’, that often dissolves into ‘enforcing a regime of continuity’; rules which are defined by those faceless people on the management floor.

As a small business owner, the overall responsibility may indeed come down to you, but you have the ability to gather the whole team in a room, perhaps for half a day, and explain why continuity issues are important. You can encourage employees to share their knowledge without accidentally creating attitudes of protectionism or making staff worry that they are sharing their knowledge because their jobs are at risk. In a small business, everyone can pull together in a united fashion, taking shared responsibility for the ideal outcome of a secure business – and that’s a true culture of continuity.

Big businesses also take time to make decisions. Getting a BC plan off the ground in a large financial institution, for example, will require the team’s salaries to be approved, along with a whole raft of technologies. That will need top level approval from the board and no doubt a complicated process of procurement from several companies. It can take months to get everyone on board. In a small venture, it comes down to you and your team; and you can make all the big decisions today.

The news is full of extraordinary and unforeseen disasters. Real life is full of even more unpredictable circumstances which can send businesses off kilter. As a small business, you have the inherent vulnerability of many single points of failure. But you also have the ability to turn on a sixpence, make fast decisions, gather your staff together and unite them in a common goal. That should make both planning for a crisis and recovering from one much easier, and it’s the sort of flexibility which larger businesses can only dream of.

HOW MICROSOFT CAN HELP

Microsoft Office 365 brings together online versions of the best communications and collaboration tools from Microsoft. Subscribe to web-enabled tools that let you access your email, documents, contacts, and calendars from virtually anywhere, on almost any device.

Windows 8 is reimagined to support different working styles. It’s more intuitive so you can find what you need faster and easier. The new look of Windows and the new app model make it easier for businesses to create their own line-of-business apps to help improve productivity.