By Rebecca Thomson
27 July 2007
Business continuity is about expecting the unexpected and preparing for
a system failure.
Business continuity aims to prepare for natural disasters, accidents,
transport problems, security threats, hacking and other e-crime, as well
as problems such as avian flu.
A business continuity plan spells out how you restore normal service in
the event of one of these risks becoming a reality.
It differs from disaster recovery, which is about getting systems
up and running following a system failure. In contrast, business
continuity is about whether an organisation can carry out its core
business functions in any circumstances - this is about people,
processes and policies, as well as technology.
The business continuity committee must first identify which of a firm's
activities are the most critical. In the event of a disaster, some
services must be restored quickly (such as customer service and
payroll), while less critical services (like the staff canteen) could be
restored over a period of days or weeks.
Once the core business processes are identified and prioritised,
continuity experts advise a risk analysis, to assess how vulnerable the
company's processes are. There are lots of audit tools to help with this
Once the risks are identified, the business should consider whether to
eliminate or mitigate a risk, rather than planning to recover from a
Technology can improve business continuity with, for example,
data-mirroring, off-site back-up and "battle boxes", which ensure
companies always have access to a safe copy of critical manuals,
processes and software licences.
The key questions
The Business Continuity Institute recommends businesses answer the
following questions when creating their business continuity plan. What
* Our electricity supply failed?
* Our IT networks went down?
* Our telephones went down?
* Key documents were destroyed by fire?
* Our staff could not gain access to the building for days, weeks or
* There were casualties?
* Our customers could not contact us?
* Our suppliers could not supply us?
* Our customers could not pay us?
* We could not pay our suppliers?
Recipe for a sound plan
* Consult throughout the business.
* Use non-technical language that everyone can understand.
* Make it clear who needs to do what, and who takes responsibility for
what. You should always include deputies to cover key roles.
* Use checklists that are easy to follow.
* Include direct instructions for the crucial first hour after an
* Include a list of things that do not need to be thought about until
after the first hour.
* Agree how often, when and how you will check your plan. Update it to
reflect changes in your company's personnel and the risks it might
* You will never be able to plan in detail for every possible event.
Remember that people need to be able to react quickly in an emergency:
stopping to read lots of detail may make that more difficult.
* Plan for worst-case scenarios. If your plan covers how to get back in
business if a flood destroys your building, it will also work if one
floor is flooded.