Home>Security>Integrated Systems>Business Continuity Planning: A Guide for SMEs

Business Continuity Planning: A Guide for SMEs

14 April 2020

IT'S NO secret that today’s fast-paced world is driving the demand for ‘always-on’ services among businesses and consumers alike. However, in addition to being ‘always-on’ and keeping things running in the present, businesses of all sizes must be prepared for unexpected future disruption. Mark Wass examines the importance of business continuity planning for SMEs.

From the technological to the economic or logistical, businesses face a variety of threats that may lead to disruption in one form or another, each of which must be incorporated into the business’ contingency planning (otherwise known as business continuity).

Business continuity planning is now high on the agenda for organisations. Last October, the NHS - which now finds itself on the front line in the battle against the COVID-19 pandemic - booked hotel rooms for patients as part of its “worst case scenario” contingency plans for Brexit, while in the same month Goldman Sachs set up a disaster recovery trading floor in a WeWork office in central London to enable the bank to continue operating in the event of a major incident.

These examples may give the impression that business continuity is strictly within the remit of large organisations only. However, in the era of digital business, it’s clear that, regardless of your size or who your customers are, it's now imperative to deliver uninterrupted service 24 hours a day, 365 days of the year.

Absorbing the shocks

As any company (large or small) which has suffered a service outage will contend, the ability to absorb the shocks of disruption and be resilient regardless of circumstance can make the difference between a business that flourishes and a business that flounders. However, small and medium-sized enterprises (SMEs) often deem disaster recovery solutions - such as Data Centre co-location or server and networking back-ups - too expensive to core operations to justify anything like a full investment in this area. Instead, they often settle for what's perceived to be a cheaper, 'DIY' cloud-based platform approach and then assign responsibility for its management to a single individual.

However, an organisation’s core IT infrastructure will be hugely complex regardless of its size. Even the smallest businesses will find the consequences of disruption become compounded when seemingly esoteric questions are left unanswered. Where are the independencies in the network map? Which applications are hosted in private and public cloud environments? Is the data stored in the cloud protected from corruption or from being blocked by a malicious third party?

With its central role in the basic functioning of all the operations of a modern organisation, from automating payroll through to ensuring security, the continuity of IT infrastructure is simply too fundamental to not adequately ensure. Formerly the remit of IT teams alone, knowing the answers to these complex technical questions is now a strategic business imperative. The responsibility for the continuity of core IT must therefore be readily available and proactively shared among a number of key stakeholders within the organisation, benefiting both the business and the teams that it comprises with a faster and more accessible route to recovery.

Common misconceptions

SMEs may think that, by sheer balance of probability, organisations with a larger IT footprint have a greater chance of one of their systems failing. In reality, an organisation’s scale should never be conflated with its vulnerability to disruption.

In fact, the scale of IT can actually be a boon to an organisation’s business continuity capabilities via the greater capacity to divert essential operational processes away from affected systems to subsidiary infrastructure. This goes right down to the operating capacity of individual tools, with a recent report finding that medium-sized Data Centres will experience upwards of three downtime episodes each year, with each lasting over 3.5 hours on average.

There's also the belief that, if the office and/or core IT is hit by disruption, workers can simply log on from home or other remote locations via the organisation’s cloud environment. However, this creates two problems. First of all, how can staff work remotely if laptops and/or other resources are left in an office which is no longer accessible? Second, if staff either have their work laptops or can work from their own personal computers, how can the security of data be effectively ensured when using devices or networks separate from core IT?

The most effective way in which to reduce the impact of a workplace office loss is to instantaneously pick up the whole thing - people, information, management and support structure, etc - and transplant it somewhere else that's equally easy to reach and has the same feel and culture as the original. By adopting an holistic stance and incorporating point business continuity solutions such as workplace and IT disaster recovery into a larger resilience strategy, organisations can ensure that the loss of a workplace becomes a minor operational blip as opposed to a full-blown disaster.

Combating disruption

Ultimately, SMEs need to be aware of the crossover between the resilience of IT systems and the resilience of the business overall. With the right combination of having the right disaster recovery tools, planning for a diverse set of contingencies and sharing the burden of knowledge relating to the ins and out of IT infrastructure, SMEs can take the first steps toward ensuring overall resilience and availability of their products, services and operations. 

A comprehensive business risk assessment conducted at regular intervals is key to gaining access to the information organisations need to reduce downtime during periods of disruption. Assessments help identify needle-in-a-haystack components which can quietly take down entire systems, calculate recovery time and outline the method and objectives of recovery efforts.

At the end of the day, regularly testing these small, but nevertheless vital aspects of business operations can be a far cheaper alternative to ad hoc recovery efforts which may not succeed in the first place.

Mark Wass is Director of Sungard Availability Services