STRATEGIC THINKING FOR YOUR BUSINESS
SPRING 2015
THE COST OF DOWNTIME
Nigel Brooks, Dean Foreman & Carl Chapman
4 WELCOME... ...TO YOUR QUARTERLY MAGAZINE BUSINESS TALK Welcome to the spring issue of Business Talk from Capital Support. Too many business executives are prone to neglecting disaster recovery planning because disaster for their business seems such an unlikely event. But in a world where customers expect high levels of reliability and service from their suppliers, and where disaster could be just around the corner, this is a risky approach to take. Seventy percent of businesses suffering a major data loss go out of business within a year, and experiencing any amount of downtime can play havoc for most businesses. Few actually assess the bottom line impact of any significant disruption – do you know the cost to your business for each hour of downtime?
PAGE 2
7
In this issue we look at the cost of downtime to a business, how to assess your state of readiness to deal with a disaster when (rather than if) it happens, and the importance of business continuity planning. If you are uncertain as to how your business would cope if it suffered a major disruption, then we would be pleased to help you assess your state of readiness.
10
Best wishes Nigel Brooks Managing Partner Dean Foreman Managing Partner Carl Chapman Chief Operating Officer
Call 020 7458 1250 or go online at www.capitalsupport.com
THE COST OF DOWNTIME
It’s not a matter of if, but when
page 4
Protecting your business
page 7
How prepared are you?
page 10
Meet the expert
page 13
Call 020 7458 1250 or go online at www.capitalsupport.com
PAGE 3
IT’S NOT A MATTER OF IF, BUT WHEN
As markets move further into the age of 24/7 availability and consumers demand instant gratification, there are growing pressures on businesses to adapt their practices to ensure they can cope with whatever is thrown at them – including the unexpected. ANY BUSINESS can suffer an unplanned disruption to their normal routine at any time and from virtually any source. These range from impacts on individuals within an organisation, such as hard drive failures or laptop theft, to those which have a much wider impact on the business as a whole: system crashes, human error, power outages, flooding, fire, cyber-attacks, rogue employees, and even riots and terrorism. However, human tendency is to look on the bright side and, as a result, too many businesses fail to pay sufficient attention to the need for adequate business continuity planning to prevent business downtime. That is, until the day disaster strikes.
The impact of downtime Downtime is real, and it’s costly. Across all businesses, the average is a staggering £101,210 per hour according to research by leading business analysts, Aberdeen Group. Of course, the exact cost depends on company size: the research found that smaller companies of up to 250 employees lose on average £5,300 per hour while medium-sized companies lose £133,000 per hour of downtime. For a large enterprise it is estimated to be a whopping £424,000 for every hour of downtime. The numbers speak for themselves: you need to plan and prepare to prevent or at least minimise downtime. What are the main causes of downtime? As it turns out, businesses should be more wary of their own infrastructure and employees than of external factors. Although flooding, fire and the like do their fair share of damage, research shows that natural disasters account for just 10
PAGE 4
Call 020 7458 1250 or go online at www.capitalsupport.com
Call 020 7458 1250 or go online at www.capitalsupport.com
percent of downtime. Of the remaining 90% of downtime causes, the top culprits are network outages at 50% and human error at 45%. And what is the potential impact of downtime? To help evaluate this, key questions that any organisation should be asking itself include: 1. What exactly are our business-critical activities? 2. What specific risks are they exposed to? 3. Can these risks be quantified and assessed? 4. How can the risks best be managed and mitigated? 5. How will our business cope when a major disruption occurs?
Data – the biggest risk For most organisations their prime asset is its data. So, with technology at the forefront of the modern world, it’s essential to make sure that all of your data is backed up, protected and – importantly – readily accessible. Organisations should properly value their data assets and build a plan to keep them secure, no matter what happens. Identifying the different types of risk for your IT infrastructure will assist in suggesting ways intelligent business continuity can help mitigate that risk. But before exploring the risks in data protection, it is important to understand what risk is, and how it pertains to business practices used today. Risk, when used in the IT space, refers to the chances we take with data that is used in business practice. In a recent report, a monetary value was given to recreating lost data by the National Computer Security
PAGE 5
>>
7
CONCERNING FACTS ABOUT BUSINESS CONTINUITY Only 51% of UK and RoI small businesses have a business continuity plan compared to 74% of large businesses.
Downtime is real and costly, costing businesses, on average, a staggering £101,210 per hour >>
Association in the US; 20 megabytes of sales data lost cost over £10,500 to recreate, £11,800 for accounting data and up to £60,000 for engineering data. The NCSA couldn’t place a value on recreating medical data because it usually isn’t possible. Assigning a monetary value to data makes it easier to understand why small measures to preserve it can hold a great deal of value. Risk for data loss is not limited to traditional disasters such as hardware failure or natural disasters. IT infrastructures are constantly being attacked by external cyber-threats and can always be at risk of a malignant employee. So your business continuity solution should protect against all significant risk factors, whilst building a comprehensive solution requires the right technologies, procedures and organisational cultural attitudes.
43% of businesses state lack of budget and resource as the biggest challenge to adopting a business continuity plan, followed by 16% citing lack of senior management support. In the past two years, over 50% of businesses experienced an unforeseen interruption and 81% of these interruptions caused the business to be closed for one or more days.
70% of businesses suffering a major data loss go out of business within a year.
93% of companies that lost their data for 10 days or more due to a disaster filed for bankruptcy within one year of the disaster. Between 60% and 70% of all problems that disrupt business are due to human error or internal malfunctions of hardware or software.
34% of companies fail to test their backups, and of those that do,
We can help you identify and mitigate risks to your business. Call to arrange a free initial assessment.
PAGE 6
77% have found backup failures.
Source: reports by PriceWaterHouseCooper, Gartner and Forrester
Call 020 7458 1250 or go online at www.capitalsupport.com
PROTECTING YOUR BUSINESS While the impact on a business of loss of data and communications infrastructure are widely understood, smaller businesses have been slower to develop business continuity plans compared to larger organisations.
Call 020 7458 1250 or go online at www.capitalsupport.com
There also remains a general lack of understanding over the key difference of data backup as opposed to business continuity. Although overlapping, these terms represent uniquely different mind sets when it comes to data protection. >>
PAGE 7
>>
Data backup answers the questions: is my data safe? Can I get it back in case of a failure? Business continuity, on the other hand, involves thinking about the business at a higher level, and asks: how quickly can I get my business operating again in case of system failure? Thinking about data backup is a good first step. But in case of failure, you have to get that data back and restore it quickly enough so your business doesn’t suffer. For example, if your server dies – and remember, hardware failure is the number one cause of lost data – you wouldn’t be able to quickly get back to work if you only had your data backed up. For you to start working again your server would need to be replaced, all software reinstalled, data re-installed and then the whole system would need to be configured with your settings and preferences. This process could take hours or even days—and in the meantime, your employees can’t get their jobs done.
By calculating your desired RTO, you have determined the maximum time that you can be without your data before your business gets into serious trouble. Additionally, by specifying the RPO, you know how often you need to perform backups because you know how much data you can afford to lose without damaging your business. For example, you may have an RTO of a day and an RPO of one hour. Or your RTO might be measured in hours and your RPO in minutes. It’s all up to you and what your business requires. But calculating these numbers will help you understand what type of data backup solution you need. R PO
RTO
Disaster strikes
Given that funding and budget constraints can be the top challenge (43 percent) for a business to implement a business continuity solution, calculating your RTO will give you the financial validation needed to justify its purchase and maintenance. In addition, calculating the real costs associated with data loss (RPO) gives a clearer understanding of the risks relating to business failure and thinking about your business in these terms puts your backup solution into perspective. The ‘it-won’t-happen-to me’ mindset simply doesn’t wash.
There are a number of important factors to consider when choosing a backup system that delivers your required RPO and RTO.
Planning for business continuity
Cost of disruption
If you’ve planned for business continuity, however, you’ve thought of all these things. You will have thought in terms of two key metrics that underpin effective business continuity: Recovery Point Objective (RPO) and Recovery Time Objective (RTO). These sound technical but are in fact quite straightforward to understand:
Once you determine your RPO and RTO, you can then calculate how much any downtime and lost data will actually cost you. To get an approximate value, answer the following questions:
Offsite backup provides added security although can impact on your RPO and RTO times depending on the frequency of the backup and the speed at which you can access the data.
RPO (Recovery Point Objective) is the maximum tolerable period of time in which an organisation can afford to lose data due to a disaster. RTO (Recovery Time Objective) is the duration of time within which a business must be restored after a disaster to avoid unacceptable consequences associated with a break in business continuity.
PAGE 8
DOW NTI M E
1. How many employees would be affected if critical data were unavailable? 2. What is the average wage of the affected employee (per hour)? 3. What is the per-hour overhead cost of the affected employees? 4. How much revenue would be lost per hour as a result of the unavailability of data? Simply add up the average per-hour wage, the per-hour overhead, and the per-hour revenue numbers and you have how much a data loss will cost you.
Call 020 7458 1250 or go online at www.capitalsupport.com
▲
Achieving your desired RPO and RTO
Using local backup for business continuity works well for quick restores. Because the data is right there, it’s fast and easy to restore back to its original location. But what happens if the backup device is damaged, for instance by fire, flood or theft, or if the device fails?
LOST DATA
▲
▲
▲
You might then think the cloud looks more attractive for all these reasons. But cloud-only backup is risky because you can’t control the bandwidth. Restores tend to be difficult and time-consuming. The answer? A hybrid solution. The way this works is that your data is first copied and stored on a local device. That way, if something happens, you can do a fast and easy restore from that device. But then your data is also replicated in the cloud. So if anything happens to that device, you’ve got offsite cloud copies of your data—without having to worry about moving copies of your data physically off-site.
Call 020 7458 1250 or go online at www.capitalsupport.com
Speak to us today to ensure your business doesn’t fail because of an event you hadn’t planned for.
PAGE 9
HOW PREPARED ARE YOU?
Y
&
T
p le m
OG
e nt at i
on
R AM ME M
EN
Im PR
D e s ig n
Embedding Business Continuity
EM
dation Vali
LI C
However, over recent years there has been a growing recognition that they needed to become a business-led process that encompasses preparations for many forms of disruption. As a result, business continuity management (BCM) has become a recognised discipline which, at its core, is based on the lifecycle shown right.
PO
Contingency planning and disaster recovery have traditionally been IT-led responses to major disruptions that affected businesses.
Analysis
AG N A
SCORE YOUR ORGANISATION To help you assess your state of readiness, the Business Continuity Institute has prepared a short selfassessment questionnaire that covers seven key business areas. Check how ready you are by scoring your organisation. Customers Businesses need to prove that they can operate in all circumstances and BCM provides an opportunity to promote a well-managed business. Some organisations have gone further with independent audits of their BCM system. 1. Have you got a plan to reduce the level of risk to your customers to a level they would be happy with? 2. Have you quantified the impact to your business of losing customers due to a major disruption?
PAGE 10
Call 020 7458 1250 or go online at www.capitalsupport.com
Call 020 7458 1250 or go online at www.capitalsupport.com
>>
PAGE 11
>>
Staff People play a key role in recovering from a major disruption. Aside from a duty of care to your staff, if you cater for their needs then they can concentrate on keeping you in business when you need them most. 3. Do staff contracts give you the flexibility in terms of working hours, location and role to deal with a major disruption? 4. Have you ensured that staff contact details are up-to-date? Do all staff know what to do if the office becomes inaccessible? 5. When staff leave, what is the impact of any loss of skills and experience? Cost savings Cutting costs through reducing headcount, selling sites or cutting investment can reduce business resiliency. BCM can help you understand this change. Companies can also use BCM to achieve savings on insurance premiums. 6. If you have had to make changes, have you considered the underlying vulnerability of the business to unexpected disruptions? 7. Have you asked your insurance company whether they would offer a reduction in premium for having an audited business continuity plan? Supply chain Reliance on a single critical provider can be a risk. Understanding how they would recover from disruption, where you feature in their priorities, and the potential impact on you is important. 8. Are you reliant on a supplier providing you with a key service or product? Have you quantified the impact to your business of losing a critical supplier and how long it would take to find an alternative source? 9. Do you know the current financial and general health of your important suppliers? IT and telecoms The failure of IT and telecommunication systems is one of the most frequent disruptions experienced by companies. 10. Have you ensured that all critical data
PAGE 12
is appropriately backed up and accessible to enable timely recovery? 11. Have you considered moving away from a dedicated IT infrastructure to hosted capacity and applications delivered over the Internet? 12. Do you know how robust the technologies are that your business relies on?
MEET THE EXPERT
Sites and facilities Many disruptions can lead to a loss of site access and some companies have arrangements in place to move to a temporary location during this disruption. 13. Have you identified alternative office options to use in case of a major disruption? 14. Do you have in place the ability for staff to continue to work remotely or from home? 15. Have you considered the impact of loss of facilities such as processing plant and other physical assets? Reputation Your company and brand reputation is valuable so handling a crisis competently and with confidence is important. 16. Have you considered all scenarios where negative stories could emerge? 17. Have you prepared your messages to reflect these scenarios and the need to communicate with all your stakeholders? 18. Are your senior spokespeople trained to communicate effectively?
Business Talk questions business continuity expert Andrew Stewart, managing director of data protection specialists Datto, on how businesses need to do more to safeguard themselves from major disruption.
How did you score? Score 1 to 6: You probably need to develop a business continuity plan as a priority. Score 7 to 12: You are on the road to being prepared although more needs to be done. Score 13 to 18: Well done! You appear to be well prepared although review any areas you may still be vulnerable in.
Q: From your experience, do most SMEs take disaster recovery/ business continuity seriously enough? A: Data is growing in size and importance along with IT applications being absolutely critical to all companies’ productivity. Many companies are still using traditional backup methods such as tape and disk, or even cloud-only solutions, unaware that these are insufficient and ineffective when faced with
Questionnaire courtesy of the Business Continuity Institute
Call 020 7458 1250 or go online at www.capitalsupport.com
Call 020 7458 1250 or go online at www.capitalsupport.com
PAGE 13
>>
>>
downtime and the potential crippling costly effects. Growth rates of business continuity platforms are far exceeding the traditional backup and disaster recovery technologies as companies recognise the benefits. But still many organisations are yet to take advantage. Q: Is it very different in the US? A: From our experience the US market is ahead of the UK and RoI in adoption of business continuity. Big weather-related disasters are more common in the US and this drives a culture of companies planning for when disaster strikes, be that from storms, power outages, equipment failure, employee error or cyber-attacks. Although the UK and Ireland are less prone to natural disasters, any business not taking business continuity seriously is potentially asking for trouble. Q: Do SMEs understand the difference between disaster recovery and business continuity? A: Many businesses have backup, whether tape, software, or out in the cloud. Although this lets a business retrieve its data – which is vital – it will still not get a disasterhit company back on its feet quickly. It’s important that companies consider both their recovery time objective (RTO) and the cost of the time they are down, as well as the recovery point objective (RPO), the frequency they want to back up their data or, in the event of a disaster, what they would be happy to lose! Datto has an RTO tool on our website (www. datto.co.uk) to assist in calculating the cost of downtime. Q: Do you think SMEs appreciate the risks they take if they don’t have adequate business continuity in place? A: Three research papers we use from PriceWaterHouseCooper, Gartner and Forrester state that 70% of small businesses that experience a major data loss go out of business within one year, 25% of PCs will fail this year, and 24% of companies say they have
PAGE 14
experienced a full data disaster. Most business owners understand some of the risks but can think they are protected by legacy systems or can’t put a value on the cost of downtime. We’d encourage any business to first look at the RTO calculator and assess the cost to their business if they can’t function and, secondly, to test their current process to see how quickly can they get up and running again.
Any business not taking business continuity seriously is potentially asking for trouble
Q: Which top three aspects of business continuity do companies often overlook? A: Firstly, putting in a business continuity solution for your IT systems in place is only part of the process. You must tie other elements of business continuity planning in to ensure successful continuity in the event of a disaster. Secondly, they push ownership of the business continuity plan to their IT provider and expect seamless execution in the event of a disaster. But often their IT provider doesn’t understand their business end-to-end so they need to take ownership and drive the process internally. Thirdly, they don’t see value in having or testing a business continuity plan and can be blind to the potential of disaster with significant consequences to the business. To ensure successful continuity they need to ensure all stakeholders have bought into the development and testing of their business continuity plan. Q: Are there any types of businesses that don’t need to plan for business continuity? A: No. Business continuity is about keeping your business running and being the most productive it possibly can be. Every business needs that. We have all experienced the frustration running businesses when systems and outside influences stop us from doing our jobs, affect service levels and cost the company money in lost time and revenue. Depending on the type and size of your organisation, the solution you put in place will be different and your IT provider is best placed to advise on the appropriate solution.
Call 020 7458 1250 or go online at www.capitalsupport.com
specific needs and recommend the optimum solutions. They can also arrange a demonstration of relevant products available. Q: What needs to be considered if you have mobile and home workers? A: It’s important to ensure that all data, which is of business value, is stored on protected systems. There are a number of strategies in this area from ensuring roaming users store their documents on central file servers or have file-sync technology to replicate their local documents to a central cloud. Too often mobile users’ data has no off-site copy and is lost when the laptop is lost, stolen or damaged. Q: Who is best to take responsibility for a company-wide ‘business continuity’ plan? A: This often depends on the size and structure of the company in question. However, it’s vital that a director or other senior executive within the company takes overall responsibility and has a full understanding of the plan and its stakeholders. They must also champion the plan internally as often it is seen as an unimportant process. Q: What tools and support is available to help an SME put business continuity in place? A: The first step is to speak with your IT provider who is best placed to understand your
Call 020 7458 1250 or go online at www.capitalsupport.com
Q: How best should business continuity be tested and then assessed going forward? A: There are multiple elements to a business continuity plan of which continuity for your IT systems is a significant part. It is vital that all stakeholders in the business participate in business continuity planning along with any external organisations when elements of the infrastructure management have been outsourced, such as IT. The business should then work with all stakeholders to schedule regular testing to ensure all elements work in harmony during execution. Lessons learned can then be used to adjust the plan accordingly.
PAGE 15
Finance sector firms are amongst the most prized targets for cyber criminals. Are you confident that your IT systems are protected from attack?
INTEGRATED CYBERSECURITY Capital Support has launched a suite of IT security services that will prevent unauthorised access whilst protecting clients against attacks such as CrytoLocker, phishing emails, and other threats that were highlighted during the recent US SEC Cybersecurity Risk Alert.
PROTECT YOUR BUSINESS 020 7458 1250 info@capitalsupport.com www.capitalsupport.com