Today, Business Continuity and Disaster Recovery are recognised as highly important issues by a high percentage of businesses of all sizes. This has been particularly triggered following the exposure of businesses to recent disasters such as Sept 11th, July 7th, etc.

Disaster Recovery – The Facts:
However, whilst large enterprises are more aware of the risks, SME's lag behind. Statistics are still alarming:

• According to research from AXA, 46 percent of UK SME's do not have a business continuity plan. Given that SME's account for 99.8% of the total number of UK firms, representing more than half of the UK's private sector turnover and employ 56 percent of private sector work-force, these findings expose an alarming risk for the British economy.

AXA's report goes on to suggest that for many smaller companies risks are either considered "too big" to worry about, or small enough that managers consider they can deal with them as they happen.SME's should alsoconsider a few more statistics:

• 90% of businesses that lose data from a disaster are forced to shut within 2 years of the disaster

• 80% of businesses without a well structured recovery plan are forced to shut within 12 months of a flood or fire

• 43% of companies experiencing disasters never recover

• Companies experiencing a computer outage lasting longer that 10 days will never recover their full financial capacity

• 58% of UK organisations were disrupted by September 11th with one in eight severely affected.

Larger organisations can afford dedicated business continuity staff. Very often responsibility in smaller companies lies at MD level. The AXA report uncovered four key assumptions made by SME managers with regards to business continuity:

• Insufficient resources – the assumption that the business cannot afford the costs or management time to make continuity plans

• Lack of impact estimation – the assumption that the business will be able to survive the period of interruption, both financially and in terms of customer tolerance

• Inefficient scenario planning – the assumption that many problems are either too small to matter or too large to deal with, and that those within a conceptual 'comfort zone' will be manageable as they happen

• Inability to prioritise – the assumption that if a crisis hasn't happened yet, it's not urgent enough to plan for.

However, larger organisations that have business continuity plans in place, rarely involve themselves in helping their suppliers develop a business continuity plan. This leaves them vulnerable to a failure in their supply chain (many of which are SME's).

Research conducted by the Chartered Management Institute (CMI) in 2004 found that 48% of all business outages are caused by IT and telecoms system failures. Yet telecoms protection is often overlooked in disaster recovery planning.

A survey carried out by the BCI (Business Continuity Institutes) describes telecoms protection as a blind spot in the business continuity planning of many businesses. When asked to think of something adverse happening to their business, few respondents spontaneously thought of telecoms failure. But when directly asked, nearly all acknowledge that it's one of the gravest threats of all, and would have the greatest impact on their company's reputation.

• 60% of companies, which experiences a loss of normal Telecoms for a period of 10 days, ceased trading within a year (Source: Henley Management Institute)

Disaster Recovery – Focus On Telecommunications:
A resilient telephony system is key for any SME's business continuity plan. The majority of SME's employ some form of technology to manage their telephony within their business. Most common is the PBX, a Private Branch Exchange, which is a solution that provides voicemail and may allow calls to be transferred to colleagues. However, for a small cost, SME's could choose to implement a network based call routing solution. This would compliment the PBX and would not cause any disruption to service. It is also flexible enough to adapt to the changing needs of a SME business. By using a network based solution SME's also benefit from resilience and inbuilt disaster recovery. For example, if there is a problem with the site where SME's are based the calls could be instantly diverted to another department or location. This is available for a small fee and provides piece of mind in case the unknown happens. It can be easily implemented in-house anytime, anywhere providing there is an internet connection. If SME's had problems with hardware they would need to wait for an engineer to come out to visit plus there is the ongoing costly maintenance charge. Network based solutions can be implemented within days as opposed to weeks with a hardware solution which translates into a rapid return on investment.

Recommendations To SME's For Resilient Telecommunications Services:

Understand Your Resilience Needs And Why They Should Be Addressed

Recommendation 1: Understand the types of resilience-based risks associated with your services.

Recommendation 2: Identify those communications systems that are deemed mission critical and which carry a high risk to the business if they are disrupted.

Recommendation 3: Wherever possible separate out the high risk services from those that only carry a medium or low risk to the business if disrupted.

Recommendation 4:Analyse the threats and vulnerabilities to the mission critical high risk services – eg natural disaster, malicious attack, single point of failure, commercial dependency, lack of transparency.

Recommendation 5: Conduct a self-assessment to understand your risk exposure.

Recommendation 6:Challenge the Provider to explain the marketing statements made on resilience and availability and ensure that you are talking to the right Provider representative.

Understand What You Need To Do To Satisfy These Needs (for low/medium risk services)

Recommendation 7: Understand what your provider(s) do to meet the OFCOM essential requirements, described in Section 4, and form a judgement as to whether these satisfy your requirements.  If not, then adjust the risk assessment as appropriate.

For mission critical and high risk services:

Recommendation 8:  If the risk exposure for a single point of failure is not acceptable, then consider:

• The use of end to end separation on all components, including separate building entry points, risers, ducts, exchanges and core network routes
• Using components with inherent resilience, for example use an SDH (Synchronous Digital Hierarchy)
  ring rather than point-to-point SDH or PDH (Plesiochronous Digital Hierarchy)

Recommendation 9: If the risk exposure stemming from the lack of transparency is not acceptable, then consider:

• The use of a single provider for any single end to end sepracy and diversity service - do not rely on dual providers to guarantee separation;
• The investment of more time and effort into building relationships with this single supplier, to share testing and assurance activities;
• Making allowance in the contract or SLA for transparency of the service provision, including separacy and diversity, both at the time of provision and through the life of the contract.

Recommendation 10:  If the risk exposure because of a dependency on a single provider is not acceptable, then consider the use of more than one single provider for each separacy and diversity service.

Recommendation 11:  Apply rigorous due diligence in selecting the provider, including assurance that they have visibility and control over the services they deploy to ensure that separacy and diversity is provided and maintained.  Also ensure they have adequate contingency plans in place to recover from a disaster.

Understanding How To Engage Your Provider To Deliver These Needs

Recommendation 12:  Understand the architectural options for separacy and diversity based services e.g. what does 'end to end separacy' actually mean.

Recommendation 13:  When using the Border Gateway Protocol (BGP) for peering, consider using the NISCC BGP Filtering Guidelines10 as a common baseline.

Recommendation 14:  When peering, consider using 2 or more geographically diverse sites.

Recommendation 15: Understand the inherent resilient characteristics of the components used.

Recommendation 16: Use the twenty 'Questions to Ask Your Provider' as a way of agreeing the right solutions for your needs.

Recommendation 17: Recognise that high availability and high resilience services will cost more than standard services, and do not use cost as the main criterion when procuring these services.