Large companies have made preparing to survive a disaster – natural or man-made – a priority since catastrophes such as the terrorist attacks of 9/11, the Sars health scare and Hurricane Katrina.
But no matter how well prepared the big players are, nearly all rely to varying degrees on smaller companies – and evidence suggests that these companies remain ill-prepared either for a large-scale disaster or even the failure of their own IT systems.
For SMEs, the problem is less a question of will, and more a lack of knowledge, time and resources. “Many small businesses run [their systems] on a shoestring. They have few resources and few people for business continuity planning,” says Roberta Witty, a research vice president at industry analysts Gartner.
Yet these are the very companies that are likely to be more exposed than their larger counterparts if disaster strikes. “It is harder for them to get back into business after a major threat, or even a localised problem such as a fire,” says Ms Witty. “They do not have the resources to recover.”
Small companies do not have large, dedicated IT teams, they might not have multiple locations or premises, and they are likely not to have remote data centres with stand-by power, duplicate network connections or high levels of physical security.
Nor can they make use of many of the latest business continuity technologies – such as automatic back-ups of data to a remote site – because these are too complicated and too expensive.
And most commercial business continuity services, such as those that provide temporary office space and IT facilities, do not target the small and medium business sector.
“It would cost suppliers more to do so than the revenues they would make, because there are not the economies of scale,” says Phil Carter, senior manager for enterprise risk services at Deloitte, the professional services firm.
But according to Mr Carter, business continuity does not only mean signing up for costly services or investing heavily in technology. There is much that companies can do themselves quickly and cheaply.
“The process of business continuity planning is the same for both large and small companies,” he says. “You need to understand the risks to the business, alleviate some of those risks and where you can’t, understand the impact of a disaster on the business.”
Some steps smaller companies can take, he suggests, include keeping copies of critical information on laptops: in an emergency, staff can work from home.
Smaller businesses can stretch limited resources by making a realistic assessment of which business processes and infrastructure really are mission-critical, and which parts could be brought back on line at a later stage.
The former will need a continuity plan; the latter is a question of disaster recovery and restoring data.
Companies might be able to function for a few days or even weeks without a human resources computer system, for example, but would lose revenues – and credibility – within hours of their website going offline.
“Smaller companies will have to do what is practical,” says Martin Byrne, at Accenture’s technology practice.
Often, that means the emphasis will be more on disaster recovery, and bringing the business back to full capacity in an orderly manner, than on keeping all systems running at all times. “Backups have to be key for any small company that depends on IT. They should, at the least, be backing up their data and storing it offsite,” he advises.
In some cases, companies will need to adopt more robust business continuity measures, either because an industry regulator demands it, or because customers require it.
As larger businesses put more emphasis on business continuity, they, in turn, will accept less downtime from their suppliers.
But smaller companies could use adherence to standards such as ISO 17799, based on the British Standard 7799, the British Standards Institute’s PAS56, or the US NFPA 1600 as a differentiating factor in a competitive marketplace. Much, though, will depend on industry-specific requirements.
“We put in place a disaster recovery plan for a trucking company in Portland, Oregon, which needed to back up 8 terabytes of data,” says Hu Yoshida, chief technology officer of storage vendor Hitachi Data Systems.
“It was a company supplying the aerospace industry, and that industry demands disaster recovery plans from its suppliers. In order for their businesses to be recoverable, their suppliers need to be recoverable too.”
Fortunately, advances in storage and networking technology are driving down the price, so building a data centre with constant access and remote replication is within reach of at least the upper end of the mid-sized business market.
Vendors such as BT and Atos Origin are also offering lower-cost, hosted data services that will enable SMEs to access their data, even if disaster strikes their premises.
But no amount of technology will help a company survive if it has not planned for a disaster, rehearsed that plan, and established an emergency chain of command.
DSS International, a reseller for Sage ERP software with offices in Miami, Orlando and New Orleans has built up significant expertise in business continuity, both through advising customers and through its own experience. After Katrina, the company’s New Orleans office was unusable for 10 weeks, forcing
staff to relocate to Orlando.
“It is vital staff know the CEO has embraced the continuity plan,” says Peter Kaufmann DSS president. “And it is vital to have somebody in charge, so everyone knows who to communicate with in a disaster.”