Planning for disaster

Your business could be struck by floods, burglaries or even terrorist attacks. Are you prepared?

Trevor Clawson

Free guides

Editor's Choice

The fire was started by a faulty air conditioning unit in an attic above the offices of Onesearch. Undetected by the smoke sensors below, it burned for some time before the sprinklers kicked in and the alarm was sounded. By then a huge amount of damage had been done and the managers of the property search firm were facing a genuine crisis. “Data is fundamental to our business,” says technology director Stuart McWhinnie. “We simply couldn’t afford to lose it.”

Onesearch’s managers faced a double challenge. In addition to salvaging the equipment, they also had to get their systems up and running as quickly as possible. As McWhinnie explains, the company’s customers – mainly solicitors – were unlikely to remain patient for long. Without search information, property transactions can’t be completed and there was a real danger that if Onesearch was out of action for more than a few days, frustrated clients would hand their business to rival operators.

“The first 24 to 48 hours were critical,” says McWhinnie. Fortunately, the company had a business continuity plan in place, and once its servers had been rescued, it was able to transfer operations to alternative office space, a move that had been pre-arranged with a specialist facilities provider.

New PCs were delivered on the next working day and IT staff prioritised the recovery of search data. Customers were kept informed, and within days Onesearch was delivering search results again.

The company’s experience highlights the importance of planning ahead. Onesearch had formulated its recovery plan just weeks before the fire. Without it, McWhinnie feels that the business could have gone under. Sadly, in similar situations, a lot of businesses do.

The cover

But what does a disaster recovery plan entail? Well, fi rst and foremost, it’s vital to ensure that you have the right level of insurance cover in place. Your policy should have two main components: material damage insurance and business disruption cover. The first of these pays out on damage to office equipment and the building, while the second component covers you against any shortfall in profit. The vast majority of policies will contain both forms of cover, but you get what you pay for.

For instance, Tagish, an internet site development and content management company, was hit by a fire in 2006. As managing director Andrew Fisk recalls: “We didn’t have enough business interruption cover. In retrospect, we should have paid for more.”

Assessing the risks

Insurers often undertake a physical inspection of the premises before granting cover. As a result, they may insist that you tighten policies, procedures and safety precautions. “A risk assessment may result in us making it a requirement that certain things are done,” confirms Alan Gairns, technical director, property underwriting at RSA (formerly Royal Sun Alliance) group.

However, you should also carry out your own risk assessment. There’s no standard template for this. For instance, while fire remains at the top of the business property claims chart, in certain areas flooding could be an equally clear and present danger. “It’s important to look at the local risks,” says Marina Arthur, a business continuity expert and founder of Key BCM consultancy.

“For instance, if you’re on a flood plain close to a river, you have to consider flooding as a major risk. By the same token, a company based in the City of London might consider terrorist action or hacker attack to be key dangers requiring preventative measures.

The action points will depend on circumstance. You can’t stop floodwater from rising, but you can make sure servers and key electrical equipment are kept high. If fire or terrorist attack are seen as major dangers, invest in precautions, such as CCTV, sprinklers and smoke alarms. Local authorities will supply information on local risk factors.

Information technology

Protecting your IT systems and data should be at the heart of your plan. At the very least that means backing up your information, but it would be wrong to assume that religiously transferring data onto discs or servers located outside your building will keep you safe. “I’ve seen cases where businesses think information is being backed up, but it isn’t,” says Rick Cudworth, head of business continuity at accountancy firm Deloitte. “You should carry out regular tests to ensure that your backup is working.”

Equally, it’s important to remember that recovering backed-up information takes time. You have to understand the timescales and build that into your recovery plan. Companies that outsource elements of their IT may have an advantage here.

For instance, if a transactional website or customer database is hosted in a secure location, then a local fire or flood will be easier to cope with. If you can, choose an IT provider that gives guarantees on systems recovery.

After the disaster

Let’s assume for a moment that your data has been successfully stored and can be recovered quickly. It isn’t going to be much use to you if you’re looking at a collection of useless PCs and servers, and an office cordoned off by the emergency services. Should the worst happen, you also need to have a plan to get all your operations up and running. And this strategy should encompass the who, where and what.

Then there is the question of where you’re going to work if the office is off limits. The choices include key staff working from home or moving into emergency office space. Ideally, you should pre-arrange emergency accommodation with a specialist provider, or at least have a list of local landlords you can ring round. Equally, you should know exactly who to call to get replacement PCs and/or have phone lines diverted. List all your key contacts well in advance.

Finally, you’ll need to think about what you need to do should disaster strike, and inevitably this means setting priorities. For instance, all data isn’t equally valuable and your first objective should be the recovery of systems that allow you to trade. The truth is, the quicker you can get services or products out to your customers, the greater your chance of staying in business in the long term.

PUSHED TO THE LIMIT

When Tagish, a business supplying internet site development and content management services, was hit by a fire in 2006, its disaster recovery plans were tested to the limit. “We had a plan in place,” says Andrew Fisk, “but weren’t fully prepared for the scale of the disaster.”

The company appreciated the importance of communicating with customers, members of staff and the press to keep everyone informed about the progress of the recovery plan. What’s more, Fisk and his team were aware of the importance of assigning tasks. Some staff focused on communications, while others concentrated on recovering data and hardware. “We got our systems up and running within a few days,” says Fisk.

He stresses that data recovery is not something that should be taken for granted. “It can be difficult to retrieve backed-up data,” he says. “It’s something you have to practise. You should also test your backed-up data. If the files get corrupted, you are stuck.”

CHECKLIST FOR DISASTER

Make sure you’re insured and that you have enough business interruption cover
Assess the main risks that threaten your company
Formulate a plan. Who will do what in the event of a flood or a fire?
Draw up a list of key contacts. Who can you talk to about recovering data, diverting phone lines, or providing office space?
Back up all data and make sure the systems work
Prioritise customers when restoring systems