Should an organisation have no business continuity plan in place, there will undoubtedly be chaos and confusion in the event of an incident, as there has been no pre-planning to guide actions and roles and responsibilities.
So says Tracey Linnell, general manager for advisory services at ContinuitySA, commenting on the results of the ITWeb/ContinuitySA Business Resilience Survey, which ran online for 14 days in November 2014.
A small percentage of survey respondents (12%) said their organisation does not have either a disaster recovery or business continuity plan in place. However, just over half of respondents reported their organisation does indeed have both mechanisms in place.
According to Linnell, not having a disaster recovery plan in place may result in limited understanding of business priority with regard to frustration between business and IT and restoring IT systems, as well as an inability to recover IT systems as processes and procedures are not documented, and roles and responsibilities are not defined.
"There may also be the consequence of significant financial and operational impact to the business as a result of ICT downtime," she adds.
In an effort to best overcome the downfalls of not having a disaster recovery or business continuity plan in place, Linnell advises, there is a significant drive in the industry to ensure good corporate governance principles are being followed by South African organisations, although business continuity management (BCM) is not legislated yet in SA.
As such, local organisations are taking it upon themselves to implement BCM programmes and incorporate statements of their BCM capabilities in annual reporting.
Linnell adds: "Resourcing a BCM programme can be a challenge, as with all specialist disciplines, skilled resources can be hard to find and expensive to employ over the short term.
"Companies can consider the use of external consultants, which will speed up the implementation greatly, but ownership and accountability still needs to reside with the executive management team of the organisation. An alternate solution is to nominate an existing staff member who has a broad understanding of the company, and send this person on specialised BCM training so he or she can commence the programme within the company."
Power predicaments
The majority of survey respondents (71%) said power outages/failure/issues were heighted contributors to downtime within the past two years, the next-highest contributor was software/network failure at 42%.
Linnell points out solving the current power challenges in SA is a case-by-case approach, as it is largely dependent on the size of the company, its risk appetite and its budget.
"Avoiding power outages may include some of the following options, but will need to be weighed against cost versus return," she adds. "Ensuring dual power feeds into the companies premises from two separate power grids; UPS solutions will provide a short-term solution to ensuring the IT systems stay on; diesel generators will be a fall-back and support to the UPS solution, allowing ongoing power; keeping an eye on new technological developments such as solar power, bio-fuel, hydro and wind to name a few options."
Results of the survey show reasons for organisations not having disaster recover or business continuity plans were evenly split, with a third of respondents each choosing one of three options, ? not applicable in our sector, cost, and no skills or resources ? as reasons why. Only 7% chose connectivity.
It also emerged that 29% of respondents indicated their organisation carries out a full testing of their disaster recovery plan every six months, only 5% cited this is done monthly; surprisingly, 11% never carry out a full testing of their disaster recovery plan.
Linnell notes a number of leading standards on BCM and disaster recovery recommend annual testing, at a minimum. However, she believes a core principle of BCM and IT DR is maintenance.
"Consequently, whenever there is a significant change in the business/IT environment, the change should be integrated throughout each stage in the life cycle, ultimately resulting in additional testing being performed to ensure this change is incorporated into the recovery capability," Linnell concludes.
Share