Terrorism gave an impetus to DR planning, says Ron Condon, but other factors have kept its importance alive
Disaster recovery suddenly took on a new importance in England when in the early 1990s, the troubles of Northern Ireland arrived on the British mainland. A series of bombs planted by the Irish Republican Army at the heart of London's financial district, and later in the London Docklands area and in Manchester, caused major damage and disruption.
Up that point, disaster recovery had never been a real issue. Unlike the U.S., which has always had to plan against severe weather events, the U.K. has a moderate climate; most companies did not even have back-up power supplies.
The terrorist attacks changed that attitude for good. Companies realized that, even if their own buildings and IT systems were unaffected by a bomb, they could still be shut out of their offices for days or weeks while police combed through the rubble for evidence.
"What made it worse was the constant streams of hoax calls following these events," says Dave Dignam, service development director at Synstar, a business continuity specialist company. Every time a hoaxer made a call, police would have to take it seriously and force workers to clear whole districts.
British companies have therefore had more than 10 years to develop their approaches to both disaster recovery and business continuity, and the industry has matured to cater for new needs as IT usage has developed and increased. As a result, the auditing profession has begun to take a greater interest in business continuity plans, and the recent Turnbull Report from the U.K. Government on corporate governance (www.cabinet-office.gov.uk/risk) established that security is now the collective responsibility of a company's board of directors. In other words, if you go bust because you failed to take reasonable precautions, the bosses are personally liable.
A maturing industry
In the early 90s, the U.K. was playing catch-up to the U.S., according to Dave Austin, a senior consultant with Insight Consulting. "In the 1980s and 90s, the U.S. led the field in its handling of natural disasters," he says. "They could handle the evacuation of large numbers of people when there were hurricanes, and they had strong regulation to back it up." But the IRA bombs in London were a catalyst for action, because they had such a huge effect on hundreds of businesses at once. "Companies realized that even if the buildings and the IT systems were OK, it was no good if they couldn't get near them."
The industry matured fast during that period, he says. "It used to be just IT contingency planning, now it took on things like staff safety and welfare."
Business continuity has continued to take a high priority in many industries, even though the IRA threat, at least, has gone away for the time being. As Synstar's Dave Dignam says, greater reliance on IT systems makes it essential to do business continuity planning.
"Many of our customers are medium-sized manufacturers," he says. "They are all using ERP and electronic ordering, and they work to a just-in-time model. They don't keep huge inventories, they expect the parts to arrive just as they are needed. There is no room for flexibility in the system."
In cases like this, he says, a malfunctioning server can disrupt the whole business if it stops orders being taken or processed. "Although we all plan for the big disasters, 90 percent of our invocations are for small things, a prolonged hardware problem or possibly a localized fire," he says. "We can deliver new equipment, or a complete working mobile office to the premises to help them continue their business. That is what the majority of business continuity is about."
Those companies need no persuading of the value of a working business continuity plan, but according to Insight's Austin, there are still a lot of organizations that would not survive a sustained loss of their systems. Small and medium enterprises (SMEs) are probably the worst culprits, although the British Government is trying hard to encourage companies to take security more seriously. A recently launched web site from the Department of Trade and Industry provides a particularly good and clear introduction to the subject (www.ukonlineforbusiness.gov.uk/infosec) and even contains a self-check questionnaire for companies to see how well they are protected.
The need for tough questions
This is ironic. Austin says that most U.K. government departments are themselves poorly prepared for any kind of disaster, and are currently the subject of a concerted campaign from the Cabinet Office (which oversees other departments) to polish up their act.
Despite these initiatives and some new legislation, Austin still thinks the auditing profession and investors could do more to apply pressure on companies. "Auditors don't seem well equipped to ask really penetrating questions - at least not at a level that would give me a lot of confidence," he says. "And I'm surprised that corporate shareholders don't take more of an interest in security. After all, reputational damage can hit the share price hard. They really need to ask a lot tougher questions."
Ron Condon is editor-in-chief of SC Magazine