CHOOSING A BUSINESS CONTINUITY PROVIDER – POINTS TO CONSIDER

Looking at using the services of a third party BC supplier? This twenty point checklist will help. The advice is offered by Survive, the Business Continuity Group.

When seeking to contract services for business continuity/disaster recovery you should always address the following issues:

1. Supplier dedication - is the supplier dedicated to disaster recovery? At invocation time you will wish your supplier to fully understand the extent to which your business survival depends upon him. If the supplier is distracted by other business priorities, will you still retain the level of dedicated support you require?

2. Quality - is the supplier, and in particular its disaster recovery business, quality registered (eg ISO 9000)? Does the supplier take steps to keep abreast of developments in the industry? Does the supplier subscribe to the information security management guidance detailed within ISO/IEC 17799?

3. Experience - is the supplier experienced in disaster recovery? How many years have they traded? How many recovery tests do they perform annually? How many disasters have they successfully managed? Can they provide satisfactory reference sites? Pay special attention to salvage services providers - do they genuinely understand the technology involved ie maintaining and restoring vital documents and equipment? Many businesses have lost critical capacity and data through the naïve efforts of office-cleaning companies masquerading as salvage services!

4. Stability - will the service provider be around when needed? Who owns the company – are they people you can trust and work with? If part of a group, is disaster recovery a business which appears relevant to their overall group objectives? Can you see recent accounts? The simplest document that doesn't lie is a bank statement!

5. Growth - can your supplier grow with you? Will they be able to support changing technologies alongside your own development? What is their record on investment in the technology (computers, communications, office systems etc.) upon which you will depend? What about their continuing ability to support older systems, software etc. which may be critical to your operations?

6. Breadth of service - can your supplier meet the full range of your critical service eg different computer operating platforms, communications services etc.?

7. Geographical coverage - is the supplier's coverage adequate/appropriate to your needs?

8. Provision of testing - an untested recovery plan is valueless! Will your supplier permit testing of their resources under conditions which meet your recovery planning requirements?

9. Facilities/equipment - is your standby equipment totally dedicated to disaster recovery? Shared service (ie DR and software support) cannot work. The statement often used by a software supplier or by computer/office equipment maintenance companies that "we will find sufficient kit to help you in an emergency" is an empty promise and cannot form the basis of a recovery plan for systems critical to the ongoing business operation. Is there adequate provision of power and of all the peripheral services required to keep you in business - eg catering, photocopying, toilets etc.?

10. People - does your supplier maintain a dedicated support team who understand their role in the recovery process? Do their skills profiles suit you? Have key staff been certified by the Business Continuity Institute? Can you get quick and easy access to decision makers?

11. Premises - are they suitable? Are they secure? Are they clean and accessible? Do you have access to good catering, transport and car parking?

12. Contingency plan - does the supplier have its own back up generators and contingency plan? What arrangements will the supplier make for loss of their own facilities? Do they have reciprocal arrangements with other suppliers? Do they inform other clients in the event that the facility is full?

13. Insurance - does your supplier carry insurance? For example, a supplier may insure against the risk of over-invocation - whilst not offering a particular benefit to the purchaser such a policy would often require external policy of ratios of service provision.

14. Ratios - what is the level of subscribers for your chosen service? Is this ratio auditable - can the supplier provide data to validate this ratio? Are you comfortable with this? Does the supplier support other companies in the same building or locally as you - are they equipped to support you all in the event of major disaster in the locality?

15. Priority - what happens if the planned recovery facilities are occupied by another customer who invoked at an earlier time?

16. Exclusion zones – ensure that the supplier isn't likely to be exposed to the same risk as you. A supplier in the same building will be of little use if the premises are destroyed by fire! Major incidents (ie gas leaks, terrorist incidents, chemical spills etc.) can often lead to exclusion zones of up to 400 yards (more in certain cases!). A supplier in a building adjacent to yours will, in such circumstances, be barred from access for the same time as you, rendering their support worthless.

17. References - a sensible but often altruistic test. A supplier will not give you bad customer references! Therefore try to identify organisations with whom you have a relationship so that you can obtain an objective response. Does the supplier operate a user group? Can you attend a meeting prior to contract? Does the supplier issue an annual report to their subscribers?

18. The service - test the services contracted as early as practical and to realistic objectives. Few tests work exactly the way you had planned - this applies equally to tests of your own internal resources and those of third party suppliers. How many tests are you permitted under your contract? What can you learn from the testing process to improve the response next time around? Involve the senior management of your supplier to ensure you get the required response. If it becomes apparent that the supplier was "overselling" then seek redress under the contract - if necessary suspend the contract and seek refund of monies paid and relevant legal opinion.

19. The contract - read the contract carefully. Is the service you require available under the contract (and in reality) whenever it might be needed? (Most reputable DR service providers operate 365 days a year, 24 hours a day.) Should you invoke, for how long may you remain in occupation prior to being required to move to alternative accommodation? Does the contract reflect, to your satisfaction, all of your needs under the preceding paragraphs? A "money back" guarantee may be worthless if you fail to recover the business! Does the contract clearly specify those services to be subcontracted? Are you able to examine the supplier's contracts with third parties?

20. Price - do not buy on price - seek value for money! Disaster recovery services are not cheap - consider what the cost would be if you were providing the service in-house. Look realistically at the cost of people, equipment, environment, maintenance, power, software licenses, communications. An assessment of the ratio of users for the service you require plus a profit element for the service provider will help you estimate a realistic expectation price. If the supplier offers you a "bargain basement" fee be sceptical - it is likely that the service isn't all it’s made out to be or the supplier is not in business for the long term. If you choose on price, then ensure that you understand the areas in which your recovery will be compromised!