WOULD YOUR BUSINESS

A guide to business continuity

Redcentric Would your business survive? Redcentric Would your business survive?2 3

POWER OUTAGES

EXTREME WEATHER

FIRE FRAUD, THEFT & TERRORISM

HARDWAREFAILURE

What are the main threats to the continuity of your business?

“IT WILL NEVER HAPPEN TO US...”

When stories crop up in the press about businesses that have been devastated by a freak flood or a power failure, many people take the view that “it will never happen to us”. However, with a growing number of issues threatening the continuity of UK-based small and medium-sized enterprises (SMEs), now is the time to question how your business would survive should a disaster strike.

The pending threats of power outages and increased energy bills –caused by the decommission of the majority

of nuclear power stations and the subsequent reliance on important energy from abroad, in addition to the rise in expected freak weather events, mean that if you didn’t feel at risk of being affected by such issues in the past, the likelihood is that over the coming decade one such issue could have a huge impact on the smooth running of your business.

This guide will help you take a proactive approach to business continuity, and aims to prevent the risk of loss of revenue, brand trust and much more should your phone and data systems be unavailable for a prolonged period of time.

BUT IT COULD HAPPEN TO ANY BUSINESS. ANYTIME.

Redcentric Would your business survive? Redcentric Would your business survive?4 5

According to EDF Energy, the combination of the closure of older power stations, the impetus to combat climate change and the depreciation of indigenous gas reserves in the North Sea means that the UK is facing the very real prospect of not having enough energy to satisfy demand from the 2010s onwards, a prediction echoed by the recent Ofgem Electricity Capacity Assessment.

Furthermore, questions remain over the reliability of supply from our energy sources. Traditionally, sources of energy production such as oil, coal, gas and nuclear all bring with them their own problems, and oil is to be phased out of the energy mix from 2015 due to environmental concerns. While there is obviously a tendency towards the use of electricity generated by wind, solar, hydro and

marine technologies due to the obvious environmental benefits, wind and sun remain inherently intermittent sources of power, and as such cannot be solely relied upon to power the nation. Hydro and marine are more reliable sources, but they are still in the early stages of implementation and will be cost-prohibitive in the short term.

While obviously efficient use of the energy we have can help to reduce the load, many services such as transport and heating are beginning to rely more heavily on electricity, and as such new power stations may have to be built to give everyone a constant and reliable service. Development of new production technologies and the increase of demand over supply inevitably lead to the driving up of prices, and with 30 to 40 per cent price hikes in energy bills already

common place for many business, the question of affordability also has to be answered.

A 2010 study by CA Technologies found that UK organisations lost in total 300,000 hours and £2 billion a year due to IT downtime caused by a number of issues, including power outages. For the average UK business, this equates to £208,000 a year in lost revenue due to the downtime of business-critical systems, reducing revenue generation by 22 per cent. Clearly then, the financial cost of any downtime to a business is huge.

Therefore, should the predicted energy gap become a reality, you need to think carefully about how your business would cope with intermittent energy blackouts. Could your business continue to function without internet,

In today’s increasingly technology-focused world of business, the effects of extended power outages can be catastrophic. While prolonged problems are currently few and far between, the expected ‘energy gap’ many providers are warning their customers about could have very real consequences for you.

£208,000A year in lost revenue due to the downtime of business-critical systems, reducing revenue generation by 22 per cent.

£2 billionA 2010 study by CA Technologies found that UK organisations lost in total 300,000 hours and £2 billion a year due to IT downtime caused by a number of issues, including power outages.

POWER OUTAGES

Redcentric Would your business survive? 6

Extreme weather is another danger that is producing much anxiety among business owners, and with good reason. 2012 was one of Britain’s wettest years on record, with unprecedented amounts of rainfall wreaking havoc on businesses all over the country, and analysts believe that this extreme weather will soon become the new norm. Much of the blame for such downpours is laid firmly at the door of climate change -if this is the case, the situation will only get worse as time goes on.

But how does weather affect you as a business owner? The fact that in 2012, over £1 billion was paid out by insurance companies for damage caused by flooding shows that for many, this isn’t a future concern, but an on-going one. News programmes over the past 12 months have been

dominated by stories of businesses having to close due to extensive water damage caused by flooding, while others lost huge amounts of income at peak trading times due to the lack of footfall on the high street as the heavens opened.

How you deal with downtime caused by what are legally referred to as “acts of God” could also have an effect on your brand.

For example, if clients are aware of your business location and hear on the news that your area has been hit by a severe flood, and you manage to get back up and running quickly maintaining a good level of service despite the problems, it will add the quality of resilience to your brand’s

offer. On the flip side, if you take a long time to recover from such an issue due to bad contingency planning, your brand could be damaged irretrievably as clients may now view you as being unreliable.

Clearly, this means that adapting to the situation now by taking a proactive approach to weather issues is the way to go.

Extreme weather is another danger that is producing much anxiety among business owners, and with good reason 2012 was one of Britain’s wettest years on record, with unprecedented amounts of rainfall wreaking havoc on businesses all over the country.

£1billionOver £1 billion was paid out in the UK by insurance companies for damage caused by flooding.

2012Was one of Britains wettest years on record with unprecedented amounts of rainfall wreaking havoc on businesses all over the country.

EXTREME WEATHER

Redcentric Would your business survive? 9

While obviously you are legally obliged to take many precautions with regards to fire safety within your work environment as a matter of course, external fires can also cause much disruption to a business. The North Hertfordshire District Council website highlights the effect of the Buncefield oil storage depot explosion in Hemel Hempstead that had a huge effect on business all over the region:

370 out of 630 businesses were evacuated

Six buildings needed to be demolished and 30 more necessitated major repairs before they could be reoccupied

A further 290 businesses were disrupted for up to three days due to a combination of emergency response and minor damage

88 companies - with a total of 4,000 employees - still did not have a place to work five weeks after the eventIn the short term, business recovery costs were estimated at £2.2 million, rising to £100 million of the following ten years

Clearly this is an extreme example, but it highlights how an incident beyond your control can cause huge levels of disruption to the working day.

With regards to a fire within the workplace, the effects are often even harsher. Whether the fire was caused by an electrical fault or an arson attack, if it gets out of a hand it can

completely decimate your building, taking all of your computers, paper documents and workspaces with it. If such a fate should befall your building, how would you go about turning it around and getting business up and going again as quickly as possible?

Fire - either inside your premises or in the vicinity - is also clearly a major threat to the continuity of your business.

FIRE

88 companieswith a total of 4,000 employees - still did not have a place to work five weeks after the Bruncefield oil storage depot explosion.

6 buildingsneeded to be demolished and 30 more necessitated major repairs before they could be reoccupied after Bruncefield.

Redcentric Would your business survive? Redcentric Would your business survive?10 11

As with every other part of society, the world of business is far from immune to attacks from other people. Be it an opportunist theft of a laptop through a window carelessly left open, or something much more devastating such as a highly-organised cyber-attack, the issue of security is a pertinent one.

Of course, acts of fraud do not have to come from the outside. A study by KPMG found that in the period between January and June 2012, 136 cases of fraud were committed from within by employees of a company at a total value of £374 million, with 55 per cent of perpetrators doing so from a managerial capacity.

This shows that caution needs to be applied everywhere in a business from the recruitment process right through

to installing suitable locks on windows and doors. Hitesh Patel, UK forensic partner at KPMG commented: “The value lost through management fraud shows graphically that businesses need to ensure controls are more than simply trust where senior members of staff are concerned; an effective anti-fraud regime applies to all, not just to more junior staff.”

Other than the possible economic loss due to fraud and theft, these issues can affect your company in other ways too, some of which are beyond your usual control. For example, the theft of copper wires from train lines can result in delayed or even cancelled commutes for staff members, leading to many lost working hours and a marked reduction in productivity.

Terrorist attacks are another man-made threat to your business over which you have next to no control. Although the chances of a terrorist attack being plotted and fulfilled against your firm are very slim, incidents such as the 7/7 bombings in London can have a ripple effect on the community as a whole, be it through short term loss of business or delays in receiving goods from suppliers.

While you cannot control the theft of the wires or terrorist attacks yourself, your continuity plan should make some allowances for reducing the effect of outside influences on the working day.

As with every other part of society, the world of business is far from immune to attacks from other people.

FRAUD, THEFT & TERRORISM

136 cases136 cases of fraud were committed from within by employees of a company at a total value of £374 million.

Redcentric Would your business survive? Redcentric Would your business survive?12 13

For instance, customer’s records dating back many years could be lost forever, in turn impacting heavily on your levels of customer service and support. It is feasible that many companies also only store supplier contact details on a database stored on their internal server. Again, should the server go down without an adequate backup existing, restocking could become an incredibly problematic process.

Customer’s records dating back many years could be lost forever, in turn impacting heavily on your levels of customer service and support

However, hardware failure in the workplace is not merely linked to data loss. If your phone system goes down

for any period of time - due to either internal or external issues - do you have a contingency plan for contacting clients and suppliers? Hardware failure is incorrectly viewed as an inevitable problem within businesses, when effective planning would ensure that this does not have to be the case at all.

Hopefully, your business will be known for its high quality of service and customer support, so there should be a contingency plan in place to reduce the effects of any system downtime on this. Ultimately, any service is judged on how it copes in times of crisis, so if your clients can see that you have a workable backup plan in place to keep support levels as high as you can, there shouldn’t be any negative impact on your brand.

When it comes to the backing up of data, it is safe to say many companies take an “I’ll do it later” approach. However, should your physical server fail unexpectedly, the lack of backup could cause you a huge array of problems.

HARDWARE FAILURE

Redcentric Would your business survive? Redcentric Would your business survive?14 15

If you do not have a Business Continuity Plan (BCP) in place already, or in light of reading the section above feel you are especially vulnerable to certain threats, now is the time to act.

The first step when creating a BCP is to identify the elements of your business that are critical to its continued success.

These may include:

The most profitable products and services from your range

The processes required to deliver the above products and services

Vital roles and individuals for fulfilling key business operations

Suppliers and other agencies key to completing primary goals

Infrastructure such as IT and transport needed to maintain operations

Key customers

Once the points above and any other critical elements of your business have been identified, your BCP needs to set out how each will be carried out should an incident occur. Process mapping around each point is a good way to work out who and what is involved in the successful completion of each process. Such maps are usually very graphical, and make it easy to find flaws and possible failure points in a process.

STEP ONEUnderstand your business

1

2

3

4

5

6

Now you know the most important elements of your business, work through each threat listed in the first section of this guide and consider how it will affect the continuity of your service. This risk analysis should consider the likelihood of failure, the business impact it will have and the projected period of failure the business could sustain.

Within this, you also need to classify the worst case scenario point (something that will suspend your business completely) and what the causal factors for this would be. From this, you can then create a list ranging from services that are high in impact and risk right down to low risk, low impact, and then begin to construct your BCP using a cost/benefit system.

STEP TWOMeasure the Risk

Once risks have been defined and assessed, you need to consider your continuity strategy. Obviously this may differ depending on the nature of the incident and your business type, but in general will include the following as a starting point:

Immediate response

Factors relating to evacuation process

Clearing of roles and responsibilities of those in charge of managing the immediate response

How first aid will be administered

Support for those with disabilities or other needs

How crowds will be marshalled to meeting points and internal and external communications conducted

STEP THREEStrategy

Long-term response When and how the move to alternative facilities will be implemented

How access to key documents and IT systems will be achieved - potentially through a backup on a cloud service

Arrangements for the completion of orders, delivery receipts, financial transactions and production commitments

How staff will be able to access any contingency sites

A set of agreed procedures for the re-introduction of standard operations

How exactly you deal with each of these points is up to you, but consultation with other departmental heads is advised.

1 2 3HOW DO I CREATE A BUSINESS CONTINUITY PLAN?

The wider business community appears to be latching onto this too, with a recent survey from CMI showing that the number of businesses surveyed that have an up-to-date plan has increased from 49 per cent in 2010 to 61 per cent in 2012. Around 80 per cent of those companies also stated that the implementation of such a plan effectively reduced the impact of any disruption, meaning they could return to normal quickly after an incident and that the cost of execution was therefore was more than justified.

Clearly the argument for a BCP is overwhelming, but how do you go about putting it together?

Once each of the above points has been satisfied, you can now put together your BCP. Once complete, conducting exercises for different scenarios in the plan is highly recommended. These dry runs will highlight any potential pitfalls in your planning so that should an incident occur, the pre-defined procedures should be hole free. Another advantage is that participants will become more familiar with the procedures, making response far more effective. Such practice runs should be completed frequently in order to further improve familiarity with all the possible scenarios listed.

STEP FOURConstruct your Business Continuity Plan4