Do not overlook this!

There's a Dilbert cartoon doing the rounds: “Our disaster recovery plan goes something like this,” says Alice, cueing up a video; it shows a man running in and out of the frame, waving his arms in the air and screaming hysterically. “Some day, we hope to have a budget.”

And there, exactly, lies the problem. Everyone knows disasters can kill companies, but they're also rare, and preparing for them is expensive. Faced with the first multimillion-rand quotation, many companies opt to carry on doing what they've always done: nothing.

Business continuity should be part of your culture. It's a programme, not a project.

Ansophie Strydom, GM for marketing, ContinuitySA

The traditional ostrich approach has a limited future, though. “In the past, only large corporates took business continuity seriously,” says Continuity SA's GM for marketing Ansophie Strydom. “But in the past couple of years, we've seen smaller companies also starting to pay attention.”

Part of the reason lies in the updated IT governance requirements of King III, but that's not the only factor at work. “We've had years of major construction work and infrastructure development, which means lots of dug-up cables and roads,” says Strydom. “We know that's resulted in business outages, because we've had business continuity invocations by clients who've been affected.”

Power cuts and damaged telecommunications cables - these are the stuff of everyday life, not the once-in-a-lifetime disaster. Which is one of the reasons why a business continuity plan is not the same thing as a disaster recovery plan, and why companies need both.

“A disaster recovery plan should cater for catastrophes that involve multiple failures, events like fires or natural disasters that take out your systems, facilities and possibly even your people,” says Dimension Data's GM for security solutions and services Samresh Ramjith. A business continuity plan, he says, needs to cater for the more common situation where one or more critical systems are not available.

What is a critical system? Every business must decide for itself - and then protect those systems first.

“The heart of any business continuity plan is the business impact analysis,” says Ramjith. “You need to determine your maximum tolerable downtime in every particular process or system - then decide how to cater for continuing or recreating those if the need arises. But don't get caught up in technical solutions; you could spend lots of time and effort going after something not that important. If you don't tie the plan to business requirements, you'll miss the mark.”

And how. Everybody in the business has stories of disaster recovery or business continuity plans gone badly awry. “We often find that people are planning Nasa-level solutions, but they don't have the basics in place,” says Bryan Balfe, business development director of CommVault Systems. “Someone comes into their server room hung over on a Monday morning and accidentally deletes their e-mail archive, and whoops, they don't have a backup. That kind of thing is a genuine disaster, and it happens all the time.”

“Your business impact analysis is super-critical,” agrees Strydom. “We've consulted to one major company that had already spent millions on a disaster recovery facility. But when we did the analysis, it turned out their single point of failure was a server they hadn't actually accounted for.”

Ramjith says the business impact analysis must be undertaken by a team that understands every area of the business, not by IT or external consultants alone. “You need to identify what is absolutely necessary for your business to continue so that it doesn't come into disrepute, attract lawsuits or lose money. Then you have to balance that against the cost - what bill are you comfortable footing?”

“There's no shame in a staggered approach,” stresses Strydom. “A cardinal mistake that many companies make is to fall into the rabbit hole of endless what-if scenarios. But you don't have to plan for everything. Instead of a multitude of potential disasters, stick to the basics. The worst case involves loss of IT, loss of infrastructure, or loss of staff. Start with protecting what is critical, then plan a roadmap for how you will put the rest in place. Business continuity is a journey, not a project with a definite start and end date.”

This is a strategy-led rather than a technology-led approach, says Commvault's Balfe. “Don't buy it all on day one; rather see what you can do to start with, then plan how you'll progress to stage two and three.”

One obvious starting point is the simple backup, but even here, many companies can improve. “I see people who are taking full backups of everything, every night,” says Balfe. “It can cost a fortune. What people need to do is stop the bus and think. Bring the finance, IT and business people together and you'll quickly spot areas of wastage. If you change your backup policy to do incremental backups, for example, you could fund a project with the money you'll save on tapes alone.”

Once the plan is in place, the next critical step is to test it - an obvious move but one that many seem to overlook.

“If you have plans but haven't tested them, you have no business continuity practice,” says ContinuitySA's Strydom. “Most organisations fail the first time they test; there are always things you don't think about. The test gives you an opportunity to find the flaws in your plan and improve it. You need to test at least once a year, and ideally twice or more, especially if you've made any major changes to your IT environment.”

“Any plan is only as good as the testing you do around it,” agrees Comztek channel manager Adrian Hollier. “Unless you set aside a budget to ensure you actually test your plan, there's very little point. A business continuity plan is supposed to be a living document, but I'm constantly amazed by how old some of the plans I see are.”

If you get sidetracked by the technology and cool features, you'll burn all your money but not solve the whole problem.

Bryan Balfe, business development director, CommVault Systems

DiData's Ramjith stresses that testing needs to be practical. “This is one of the most down-to-earth and practical things you'll ever do in your business. When disaster strikes, people need to know what to do. It starts with the most basic questions: What has to happen for you to invoke your business continuity plan? How will people know? It all needs to be tested. Your plan can't be a document that just sits on a shelf.”

Finally, who is responsible for implementing your business continuity plan, not just at board level, but in each department? “Few companies can afford the luxury of dedicated business continuity staff, but that just means they have to be extra careful,” says Strydom. “It's fine to double up on roles - any employee can also be the BC co-ordinator for their division - but you need to keep to track. If you've downsized recently, did you also lose a BC co-ordinator when you retrenched your debtors' clerks? If you've lost staff that may have had critical knowledge and experience, you absolutely have to go back to the drawing board and update your plans.”