Fire, flood and vomit: Defeating the Great White Whale of Fail

Conclusion

The key thing to remember in business continuity is the word “business". It's seldom an IT-led activity because you're looking to protect the reputation of the entire business. Of course, IT's an enabler because effective, resilient IT systems with secure but flexible remote access not only reduce the risk of business impact but they also increase the business's options in the event of a problem. But it's just one part of the equation. The key points to remember are:

• Make sure that the IT systems are tested regularly, particularly the ones in any BC premises that are only used once in a blue moon
• When embarking on developing a BC strategy, list the things that can go wrong to affect your business and decide how you can mitigate the risks. Some, by the way, won't be related to BC (such as a supplier going bust)
• Be pragmatic about what's affordable and reasonable: evaluate the business impact of each type of risk, and the likelihood of it happening, and make a value judgment on the value of mitigating it.

  Spend the money on mitigating the critical stuff, and get the business to sign off on acceptance of the risk for anything for which you can't afford a top-end solution. This kind of evaluation should be part of your company's risk strategy anyway, so hook into the risk management people if you have them.

  Remember that when you're in a crisis you'll do things differently than during normal operations: you may particularly need to focus more than usual on communication to let people know you're operating below normal levels

• Have a core BC team that combined business-as-usual staff and pragmatic managers to deal with co-ordination and decision-making; don't be tempted to let detached, ego-driven senior managers and directors gatecrash at the expense of practicality and getting stuff done
• Have clearly documented processes for everything that can be written down in a structured way, and keep the docs up to date; you shouldn't be making decisions when in a crisis and under pressure when that decision could have been made weeks beforehand by someone nice and chilled with a cup of tea and a biccy on the go
• Test everything as often as you can afford, and if you can validate items without business impact then do so
• If you have non-trivial requirements don't be frightened to enlist a third party BC specialist to help you out. They're expensive but the principle is identical to that of an insurance policy, and you don't have to enter a complete end-to-end relationship – you can simply get help with some core parts and deal with others yourself

BC is a big, big subject: entire books, training courses and companies exist with business continuity as their raison d'etre. This doesn't mean it's not something that the average company can make a decent stab on its own: the usual 80:20 rule applies and just by doing something modest you can quickly mitigate many of your main vulnerabilities.

The bottom line? Be pragmatic. Do what you can. Implement the resilient systems that are justified by the risk and potential impact. Get what help you can afford. Document everything you can, and involve problem-solvers to deal on the hoof with the stuff you can't. Test everything regularly. You'll be surprised how well you've done. ®