Home | News & events | Legal updates | IT systems: Business continuity and disaster recovery planning

IT systems: Business continuity and disaster recovery planning

26 October 2009

Businesses rely on IT systems to conduct their day to day business. Failure of these systems can be disastrous, so it is critical organisations have coherent and resilient business continuity strategies in place.

The terms ‘business continuity’ and ‘disaster recovery’ are interchangeable, but their goal is the same – to enable an organisation to carry on business-critical activities during a crisis caused by an unforeseen event: from terrorist attack or tsunamis; to fires, floods, power cuts, viruses and other malicious attacks.

Why do you need a business continuity function?

IT analysis firm Faulkner Information Services reported 50% of organisations losing data through crisis will go out of business within two years. The US Bureau of Labor puts the figure at 93% after five years.

When a computer system at the London Stock Exchange crashed at 8.44am one Monday, it prevented trading for nearly seven hours on the first trading day since the US Government announced a rescue package for US mortgage businesses Freddie Mac and Fannie Mae.

Despite such crises, Info-Tech Research Group still found that as many as 60% of businesses do not have strategies in place to rescue day-to-day operations should one occur.

Implementing a business continuity function

When implementing a business continuity function, organisations should consider the following:

Planning

All resilient business continuity strategies are underpinned by a well written business continuity plan (BC plan) featuring a comprehensive set of policies and procedures to ensure critical resources and infrastructure can be restored or replaced during and post-crisis.

A BC plan is not a replacement for sound management and good judgement in the face of a crisis, or a panacea for all ills. It does provide a framework through which management and decision making become more lucid in difficult times.

A BC plan cannot guarantee a successful resumption of operations, but certainly aids the recovery and survival of an organisation.

A BC plan should address the following:

Prevention
Prevention is better than cure. Ensuring an organisation's critical IT systems have sufficient resilience is key. By having in place things like mirrored servers, a fully operational data processing facility – a ‘hot site’ – and appropriately trained business continuity personnel, the impact on an organisation's business can be minimised or avoided altogether.
Continuity
The BC plan should set out processes whereby critical systems and resource skeletons – the basic infrastructure required by an organisation to enable it to carry on key functions – are maintained, together with procedures for switching to back-up systems.
Recovery
To reduce the time it takes to return to normal, the steps required to move from crisis back to full operational status should be set out.

Testing

It is paramount that the BC plan evolves with changing IT systems. A BC plan not amended and tested will be of little use when crisis strikes.

Testing the BC plan should happen regularly. How frequently depends on the needs of the organisation and its reliance on IT systems. A full deployment test should be carried out annually at minimum.

Changes to IT systems that have a material impact on its BC plan, mean testing should be carried out as soon as possible following the change.

The objectives of business continuity testing are to:

run through the recovery processes
familiarise personnel with the recovery processes and documentation
confirm effectiveness of the recovery documentation
verify effectiveness of the recovery site
determine whether recovery objectives in each phase are achievable
identify improvements to the recovery strategy, processes and infrastructure

Self-provision or outsourced provision?

There are two options available when looking to implement a business continuity function – self-provision or outsourced provision.

Self-provision

Depending on the nature and extent of an organisation and its IT capabilities, it may be possible to put in place a business continuity strategy without recourse to a specialist external provider. Things to consider: is there sufficient resources, manpower and experience within your organisation to provide the business continuity function in-house? Self-provision is likely to be cheaper, but unless done properly is unlikely to be the most resilient.

Outsourced provision

In recent years a trend has developed for outsourcing business continuity functions to external providers, and is often seen as an attractive option, relieving an organisation from constant strategy updates.

The following issues are of particular concern when outsourcing:

The provider

A certain amount of due diligence on the provider is essential. Not all business continuity providers are capable of operating a 24/7 service. The location of the provider is also important – the IT facilities and office accommodation should be geographically distant from the customer location yet convenient for the customer’s personnel to access. Hot sites and mirrored servers should be located in specifically designed facilities.

The contract

It is critical that the contract with the provider is sufficiently robust. If the contract does not do what an organisation requires, it should go elsewhere.

Customers should be wary of accepting a ‘one size fits all’ service. The provider must fully identify the customer’s requirements before it can understand the required service and the level to which that service will be delivered.

The contract should address the following:

Definition of disaster
This is of fundamental importance as it is only when a set of circumstances arise that fall within this definition that the provider will be required to act. The definition should define the disaster according to its effect rather than cause. It is not necessarily important what caused the problem, only that a problem occurred.

Definition of services
It is critical to ensure the precise services to be delivered by the provider are adequately described. If the services are not defined in detail there is significant scope for confusion, with the potential that an important requirement of the customer may not form part of the service. In addition to a description of what the provider is to do and when it is to do it, the definition should include details of the facilities the provider is to provide.

Service levels
Service levels should be set at a level sufficient to enable the customer to carry on its day-to- day operations. It may be possible to negotiate service credits, depending on the nature of the services.

Testing
The provider should be obliged to conduct end-to-end testing of all systems relevant to the customer on a regular basis, and be obliged to share and review results with the customer.

Other customers
The customer should seek to cap the number of other provider customers requiring similar services, or who are in a similar location. This avoids the provider being unable to deliver services due to other customers making similar demands at the same time.

Exclusions and limitations
It is inevitable that the contract will contain exclusions and limitations on the provider’s obligations. A provider will invariably look to exclude liability for certain types of loss and cap its liability for the remaining types of loss.

Although failing to meet its obligations may have extreme consequences for a customer, the provider must undertake a risk/reward analysis. The reality is that if its potential liability is disproportionate to the reward then it will not enter into the contract. The level at which the liability cap is set is always subject to negotiation. A common way of calculating it is to equate it to a percentage of the fees paid to the provider over a specified period – 150% of fees paid during the previous 12 months.

Force majeure
A standard clause in agreements is a suspension of either or both parties’ obligations where a force majeure event occurs. Whether by design or through error in drafting, force majeure provisions in business continuity contracts sometimes relieve the provider of its obligation to provide services at the precise time the customer requires them. Care should be taken to ensure that events constituting force majeure and the clause itself do not cut across the provider’s obligations.

What does this mean?

Having no business continuity plan, or even an inadequate one, can expose your business to huge risks. So it is critical that you implement a coherent and robust business continuity strategy.
You can either implement the strategy in-house or go to an external provider. There are pros and cons to each approach, and no right answer. The size, nature and complexity of your IT systems are all important factors.

What should you do?

If you don’t have a BC plan – start the process of adopting one.
If you have a BC plan – is it up to date and adequate for the changing needs of your business?
Keep it under review. What are the likely risks to your organisation? What are your critical business functions? Does it address these?
Ensure that you (or your provider) regularly test all your business continuity processes and procedures.
If you are engaging an external provider – ensure you undertake appropriate due diligence and make sure the service contract is robust.
Ensure your staff are aware of your business continuity processes and procedures, and are appropriately trained.
Shoosmiths has experience of advising clients about business continuity strategies and arrangements with third party providers.

News & events

Latest news