At 7am on Sunday December 11 last year, Jane Guinn, managing director of Kodak, had a phone call from the facilities manager for the company’s office in Hemel Hempstead, Hertfordshire. There had been an explosion at the Buncefield oil depot, he told her, and the Kodak building, only 200m from the depot, was badly affected. Ms Guinn and her facilities manager immediately began to put Kodak’s business continuity plan into action by phoning all the members of the crisis management contact team.
By 9.30am, the team members, who represented all the key functions, were gathered in the company’s Harrow office for a meeting. The plan had always been that, in the event of the Hemel Hempstead building being unusable, the key staff would relocate to the Harrow office, and because the Hemel Hempstead office housed some of the customer call centres, it was essential to move as quickly as possible.
“The first thing we had to do was identify who were the critical people we needed to be answering the phone to customers on Monday morning,” says Ms Guinn. “We then had to identify what services they needed in terms of communication, in terms of IT, what was needed for hardware, and what systems they would need access to. The IT department had to build hardware, set up workstations for those people and make sure they had everything they required.”
Fortunately, says Ms Guinn, the company had a strict IT regime across the organisation that meant there was tight control over who had access to particular systems. Furthermore, no data had been lost in the explosion because the company used global applications, with data stored centrally, that could be accessed from any of its offices. Paper documents at the Hemel Hempstead site had been scanned in, and were easily retrieved.
The result? “By 8.30 on the Monday morning all those groups that receive customer calls were sitting waiting for the phones to ring and the customers had no idea that anything had happened,” says Ms Guinn.
Like most disasters, Buncefield came out of the blue. Kodak coped because its business continuity plan had been based on the need to get key functions up and running as quickly as possible. The focus of business continuity planning, says Mike Sampogna, vice-president of business continuity at CA, should not be simply on backing up the data centre (though this is crucial) but on identifying the key business processes that need to continue after a disaster: “Who are the critical people in your business? What are the critical processes in the business? And how do you make sure you have both those secured in the event of a business disruption?”
Business continuity planning often gets put on the back burner, says Simon Mingay, vice-president of research at analyst Gartner. The core components of good business continuity planning, he argues, are to have somebody at an executive level who sponsors the plan and asks questions about the capability of different parts of the organisation; a business continuity manager to act as champion and facilitator; a distributed approach to continuity planning throughout the organisation; and a simple traffic light reporting mechanism that shows business capability by site and by business unit.
At the beginning, explains Mr Sampogna, the business owners should carry out a business impact analysis: “The challenge of business continuity is to identify the range of problems that may realistically occur and to put in place the contingency plans that mean your business can continue to function.” While most organisations will, quite rightly, plan for major disasters such as fires and floods, the most common disasters are more mundane, says Mr Mingay: “It’s often a small localised incident like the JCB digger cutting through a power cable or a series of hardware failures.” The important thing, he adds, is to be able to identify such an event as potentially significant when it happens.
Where do organisations go wrong? “The biggest issue people have on business continuity is that they spend a lot of time and effort in creating the perfect business continuity plan, but business continuity plans are only right in an instant in time,” says Guy Bunker, chief scientist at Symantec. “Companies change, people change, everything changes on a daily basis. So from an IT standpoint, ask: what new machines have been added, what new applications have been added, what new people have come in, and are they aware of the drill?”
Mr Mingay agrees, and argues that businesses should have a process in place, such as monthly review meetings, for noting changes.
Carrying out rehearsals for disasters is a good way of checking whether the business continuity plan works. CA has a customer call centre in Tampa, Florida, an area often hit by hurricanes. Having identified the Tampa office as a critical site, the company made sure that its toll-free numbers were replicated to another switch in the company network, and began testing it twice a year by moving the phone numbers over and having people in a second location answer the customer calls. When Tampa was indeed hit by a hurricane in 2005, the business continuity plan rolled smoothly into operation, with customers calling in none the wiser, says Mr Sampogna. It is important, he argues, to duplicate as many functions as possible: “We decentralise as much as we can – we make sure we don’t have one person at one office doing a critical function that can’t be replicated at another location.”
Another advantage of rehearsing is that it enables you to pinpoint problems you may otherwise have missed. The complexity of modern IT systems makes this all too likely, says Mr Bunker: “There are a lot of inter-dependencies between various applications. So instead of having a single box running an application, you’ve probably got multiple boxes with data feeds coming in from multiple different places in order to run that application.”
There may be external dependencies, too, argues Mr Mingay, such as the supply chain, and these need to be taken into account in the business continuity plan.
Kodak staff, now in temporary offices, will be back in their old building in December. Ms Guinn believes that the relative ease with which the company dealt with the disaster was down to good planning, good communication and standardisation of hardware and software: “It proved that all those years when I’ve moaned about rigidity of IT, I now understand why – we were in very good shape from an IT perspective.”