business continuity planning

Last updated 14/06/2022 Slide 1 ©2012 Managed Networks. The MN logo, circles device and DesktopLive logo are registered trademarks. Business Continuity Planning What it is Why you need it How to do it

Upload: managed-networks

Post on 24-May-2015

TRANSCRIPT

Page 1: Business Continuity Planning

Last updated 12/04/2023 Slide 1 ©2012 Managed Networks. The MN logo, circles device and DesktopLive logo are registered trademarks.

Business Continuity Planning
What it is
Why you need it
How to do it

Page 2: Business Continuity Planning

Agenda

• View from 30,000 feet

• Scary facts

• This is not a technology problem

• How to go about it

• Why backup isn’t enough

• Technologies and approaches

Page 3: Business Continuity Planning

The view from 30,000 feet

Business Continuity Planning

...is about keeping your business running

...by anticipating and preventing problems

...by having planned responses to the incidents you can’t avoid

...is not just about technology

...is an ongoing process, not a one-off exercise

...needn’t be onerous, or expensive

...is required by FSA regulation

...features on public sector PQQs

...is increasingly part of your customers’ due-diligence

Page 4: Business Continuity Planning

Scary facts

90% of businesses that lose data from a disaster are forced to shut within 2 years

80% of businesses without a well-structured recovery plan are forced to shut within 12 months of a flood or fire

43% of companies experiencing disasters never recover

a company experiencing a computer outage lasting longer than 10 days will never recover its full financial capacity

less than 50% of all organisations in the UK have a business continuity plan

43% of companies who have a business continuity plan do not test it annually to ensure that it works

one out of 500 data centres experiences a severe disaster every year

58% of UK organisations were disrupted by September 11th, with one in eight severely affected

83% of [London] SMEs have no written contingency plan

(sources: LCC, Gartner, BIS)

Page 5: Business Continuity Planning

This is not just an IT issue

This is a management problem – get board support first!

BCP is about protecting your business

Most businesses are about people: staff, customers, suppliers

IT is an enabling technology; for most businesses, no staff = no business, even if the technology is working

You must consider the business as a whole, and integrate IT continuity as part of a larger plan

Think about travel restrictions, pandemics, strike risks…

Think about physical accommodation, paper records, contact info…

Think about private knowledge and skills dependencies…

Page 6: Business Continuity Planning

BCP lifecycle

Policy

Business impact analysis

Select prevention measures

Select recovery strategies

Plan and implement

Test

Maintain

Page 7: Business Continuity Planning

Policy

• Get management support
• Define roles, responsibilities, scope and goals
• Understand the business context:
  • Regulation
  • Market
  • Scale
  • Priorities
• Write a continuity policy
• Integrate continuity into every business decision, don’t retrofit
• Communicate the policy

Page 8: Business Continuity Planning

Business impact analysis

Understand what you are protecting
– Analyse business areas and prioritise them
– Work out the MTD – do this collaboratively
– Work through RTO and RPO with the business

Correlate people, activities and resources
– Map your processes
– Understand interdependencies

Look for single points of failure

Desirable 3wd + 8wh

Material 8wh + 8wh

Important 4h + 4h

Critical 2h + 15m

[Diagram: systems and services shown on the slide] Salesforce.com; internal and admin PSTN telephony; Sage accounting; DBManager; internet browsing; email; MS Office (general use); file storage; Delphi; Visual Studio; SQL Server; remote access; intranet; Blackberry; Marketo; StoryManager; Subversion; VOIP (Skype); Newswire feed; YouManage (HR); IM (Skype); Customer service telephony; MS Office (data processing); OnTime; Newsdesk; the CMS; Knowledgebase (Google Sites); TaskManager; Client FAQ tool; Compatibility testing; Shared whiteboard; Card payment system; Cloud filestore; Cloud financial mgmt; Automated testing; Monitoring tools; Interoffice comms

what’s your weakest link?

Page 9: Business Continuity Planning

Business impact analysis

Analyse the risks and threats

Specific (IT, staff, supply chain...)
– What if Bob is run over?
– What if the accounts system is unavailable?
– What if our main supplier goes bust?

Organisational (fire, flood, burglary, loss of access...)
– What if the pipes burst in the office ceiling?
– What if our computers are stolen?
– What if they find asbestos in the building?

General (terrorism, pandemic, weather...)
– What if the transport network is shut down by a bomb or a threat of one?
– What if half our staff are off sick?
– What if the M62 is impassable for a week?

Try to quantify risks where possible
– AV x EF = SLE; SLE x ARO = ALE
– ALE should exceed annual cost of BCP
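The quantification rule above, applied to a small risk register (an added example, not part of the original slides). The register entries borrow the slide's "what if" questions, but every figure, the `Risk` class and the `assess` function are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float      # AV: value of what is exposed (GBP)
    exposure_factor: float  # EF: fraction of AV lost per incident, 0..1
    aro: float              # ARO: expected incidents per year

    def __post_init__(self):
        if not 0 <= self.exposure_factor <= 1:
            raise ValueError(f"{self.name}: EF must be between 0 and 1")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError(f"{self.name}: AV and ARO cannot be negative")

    @property
    def sle(self) -> float:
        """Single loss expectancy: AV x EF."""
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        """Annualised loss expectancy: SLE x ARO."""
        return self.sle * self.aro

def assess(register, annual_bcp_cost):
    """Rank risks by ALE and apply the slide's test: ALE should exceed BCP cost."""
    ranked = sorted(register, key=lambda r: r.ale, reverse=True)
    total = sum(r.ale for r in ranked)
    return {"ranked": [(r.name, r.sle, r.ale) for r in ranked],
            "total_ale": total,
            "bcp_justified": total > annual_bcp_cost}

# Constructed register: all values are invented sample figures.
REGISTER = [
    Risk("Accounts system unavailable", 200_000, 0.10, 0.5),
    Risk("Pipes burst in office ceiling", 150_000, 0.40, 0.05),
    Risk("Computers stolen", 60_000, 0.50, 0.2),
    Risk("Half the staff off sick", 400_000, 0.05, 0.2),
]

if __name__ == "__main__":
    result = assess(REGISTER, annual_bcp_cost=15_000)
    for name, sle, ale in result["ranked"]:
        print(f"{name:32} SLE £{sle:>9,.0f}  ALE £{ale:>8,.0f}")
    print(f"Total ALE £{result['total_ale']:,.0f}; "
          f"BCP justified: {result['bcp_justified']}")
```

Ranking by ALE also shows where prevention spend buys the most: a frequent, moderate loss can outrank a rare, dramatic one.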

Page 10: Business Continuity Planning

Prevention measures

Prevention is better than cure
– It’s usually cheaper to avoid disaster than cope with it

Build in resilience where it’s cost-effective
– IT – multiple servers, RAID, redundant connections
– staff – have an understudy programme, document procedures
– data – keep key operational information on paper as well
– facilities – enable home working, trade-off with neighbours

Look for synergies and business gains to justify cost
– multiple servers improve performance
– understudying drives career growth and develops staff
– well-designed operational reports provide KPI measurement
– home working saves office costs and improves morale

Outsource risk
– service providers will spend more than you can on resilience
– their contract will give you financial compensation in the event of failure
– they aren’t tied to your location
– you can have more than one, if it’s affordable and makes sense

[Diagram labels: Physical, Technical, Administrative]

Page 11: Business Continuity Planning

Sidenote: cost curve

Cost increases exponentially as RTO and RPO get shorter

BCP is a cost centre – expenditure must be cost-justified

[Chart: Cost £ against RTO/RPO, with points ∞/∞, 3d/1d, 1d/1d, 4wh/4h, 2wh/15m, 0/0]

Page 12: Business Continuity Planning

Recovery strategies

• Work out what you’ll do if prevention fails
• Have different plans for different incidents
• Break recovery down into discrete areas
  – Understand priorities within areas (e.g. RTO vs RPO)
  – Stay focused on cost/benefit
• Separate interim, recovery and normal operations
• Work outwards from the people, not inwards from the systems
  – Look for workarounds
  – Be prepared to compromise
  – Be clear on responsibilities

Page 13: Business Continuity Planning

Plan and implement

Start with the basics
– no money, no business
– no logistics, no business
– no staff, no business

Paper, paper, paper
– paper is instant-on, needs no power, works without installation and configuration, costs pretty well nothing per Mb, can be edited with a pencil – don’t underestimate it

Don’t be daunted
– 90% of BCP is common-sense
– keep it simple
– stick to your identified priorities

Delegate responsibility
– spreading responsibility for planning improves execution
– planners and leaders aren’t always the same people

Communicate and train
– a plan no-one has seen before can’t be executed

Page 14: Business Continuity Planning

Test

Checklist test – What did we forget?
Structured walk-through test – Representative workshop
Simulation test – Let’s pretend
Parallel test – Now do it for real
Full-interruption test – If you dare…

[Scale on the slide: easily achieved → assured]

Check and test your assumptions
– “We changed the tape every day”
– “But only Bob knows the password”
– “Where can I get one of these...NOW?”

Surprise people
– Anticipated tests only test the plan, not the people
– Change the scenario
– What if it’s you that’s unavailable?

Document everything you learn
– If your results aren’t written back into the plan, they will be forgotten
– Next time you might not be there

If you can afford a full test, there is no substitute
– Real-world test = better data
– Publicise your test – involve customers and suppliers

But don’t create a disaster in trying to avoid one

Page 15: Business Continuity Planning

Maintain

Now do it all again

Don’t take your plan for granted
– Your business will change
– Build updating of the BCP into your change control process
– Review the whole thing once a year
– Reinforce the training

Page 16: Business Continuity Planning

Backup is not enough

BCP depends on data backup, but data backup is not BCP.
BCP is about preventing interruption; since not all interruption can be prevented, it also requires disaster recovery.
DR also depends on data backup, but data backup is not DR either.

…why?

Page 17: Business Continuity Planning

DR scenario: tape

Friday
• Fire at 5pm
• How much data loss?

Saturday
• No Ultrium drives in PC World
• Download software at home

Sunday
• No progress

Monday
• Order tape drive
• Buy PC, install OS

Tuesday
• Install tape drive
• Install software

Wednesday
• Restore completes
• Restart applications

Thursday
• Business back on-line

6 days to recover
2 days of data lost

Is the tape drive available?
Will the tape restore?
Will the applications work?

Can you survive the downtime and data loss?

Use removable disk?
• Have you got the hardware?
• Will the apps restart?

Use on-line backup?
• How long will it take to download?
• At 2Mb/s, 100Gb of data takes 142 hours to download
• Will it be usable?
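A way to put numbers on "can you survive the downtime and data loss?" by checking each recovery option against per-tier targets (an added example, not part of the original slides). It assumes the tier figures on the business impact analysis slide ("Critical 2h + 15m" and so on) are RTO + RPO, flattens working hours to elapsed hours with 1wd = 8h, and assumes binary gigabytes at 80% usable line rate, which gives the slide's 142 hours; the option list is constructed.

```python
# Recovery targets in hours as (RTO, RPO). Assumption: the slide's tier
# figures are RTO + RPO; working hours/days are flattened, 1wd = 8h.
TIERS = {
    "Critical": (2, 0.25),
    "Important": (4, 4),
    "Material": (8, 8),
    "Desirable": (24, 8),
}

def download_hours(size_gib, link_mbps, efficiency=0.8):
    """Hours to pull a backup set back over the line.

    efficiency is the usable share of the nominal line rate (assumed 0.8).
    """
    if size_gib < 0 or link_mbps <= 0 or not 0 < efficiency <= 1:
        raise ValueError("size must be >= 0, rate > 0, efficiency in (0, 1]")
    megabits = size_gib * 1024 * 8
    return megabits / (link_mbps * efficiency) / 3600

def tiers_met(rto_hours, rpo_hours):
    """Names of the tiers whose RTO and RPO targets this recovery satisfies."""
    return [name for name, (rto, rpo) in TIERS.items()
            if rto_hours <= rto and rpo_hours <= rpo]

def evaluate(options):
    """Map each option name to (RTO hours, RPO hours, tiers met)."""
    report = {}
    for name, setup_h, restore_h, rpo_h in options:
        rto_h = setup_h + restore_h  # hardware/OS setup, then data restore
        report[name] = (round(rto_h, 1), rpo_h, tiers_met(rto_h, rpo_h))
    return report

# Constructed options: (name, setup hours, restore hours, hours of data lost).
OPTIONS = [
    ("Tape, as on the slide", 0, 6 * 24, 2 * 24),  # 6 days, 2 days lost
    ("On-line backup, nightly", 8, download_hours(100, 2), 24),
    ("Warm standby, replicated", 1, 0, 0.25),
]

if __name__ == "__main__":
    for name, (rto_h, rpo_h, met) in evaluate(OPTIONS).items():
        print(f"{name:26} RTO {rto_h:>6}h  RPO {rpo_h:>5}h  "
              f"meets: {', '.join(met) or 'no tier'}")
```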

Page 18: Business Continuity Planning

Where backup fits in

[Diagram labels, in slide order: Operations; Item restore; Local Backup; Time travel / storage management; Archiving; BCP; Prevention; Resilience; Security; Recovery; Local backup; Off-site Backup; Off-site Replication]

Page 19: Business Continuity Planning

Technologies

Operational backup
• Local live device
• Continuous or overnight
• Snapshots / VSS

Archiving
• HSM
• Archive tools
• Media management

Resilience
• Clustering (physical, virtual)
• Redundancy (physical, logical)

Security
• Physical and logical
• Layered defence

Recovery
• Local backup – single system
• Off-site backup (media, stream)
• Replication / geo-clustering

Page 20: Business Continuity Planning

Recovery approaches

Cold standby
• Tested kit with appropriate drives
• Wasted resource/low operating cost
• What RTO can you achieve?

Warm standby
• Remote data replication
• Ready to go, but offline
• How will users connect?
• Test and reversion

Hot standby
• Live replication, running loads
• Expensive
• Close to zero RTO/RPO
• Blended functioning to reduce resource waste

“Cloud”
• Delegates the IT challenge
• BCP is people and processes first
• Audit the provider
• How do you test their BCP?

Page 21: Business Continuity Planning

Managed Networks

0800 783 [email protected]

Call, email or visit our website for a free, no-obligation consultation.