Business Continuity & Disaster Recovery Management
Quality of the management team and of the people on site is rarely tested more painfully than in an organisation’s response to a serious crisis. Stakeholder value either recovers quickly and is enhanced, or does not recover at all. The quality of response to any serious negative event is key. How good will your organisation’s business continuity plan be?
BUSINESS CONTINUITY MANAGEMENT
How do you protect and enhance your stakeholder value today? It won’t happen to my organisation. You believe there is very little probability that such a disaster could occur within your organisation. In fact, there are many events that can disrupt your business operations today. Power surge, fire, water damage, evacuation, sabotage, human failure and internet outage are examples of those that could occur at any time. You answer 'We are protected' because you have an off-site backup, you are protected against fire and water damage, and you have an alternative power supply. But do these measures cover your other business risks? An evacuation of your building, because of some event in the neighbourhood, will interrupt your business. Will you be able to resume your critical business operations with limited resources and infrastructure? Are you prepared? Or will it be chaos and improvisation? Are you sure that when something unexpected occurs, you will be able to continue to serve your customers in an acceptable way?
Is my business protected? It is not enough to restore all your databases, and more generally your information systems. You have to think about your entire business. Where are you going to service your clients if there is a fire in your building? What will happen if some of your key employees are not available? In addition to the information systems there are many elements that allow your organisation to work as it does now, and which have made your competitive advantage over the years. You must be able to resume your key business processes.
What does it cost? Isn’t the first strategic business objective to stay in the market? Then why make it depend on luck? The real cost is the risk of not being properly protected, not the business continuity plan in itself. Recovering from a disaster may be costly, and revenue will stop flowing for some time. Eventually, the insurance company will compensate, but you may face a cash flow problem first. In today’s highly competitive 24x7 marketplace, you will lose customers. Will you be able to win them back? What about erosion of industry image? What about loss of stakeholder confidence? Could it be that you make wrong decisions because you do not have the required information available?
Business continuity management can be an answer. There was a time when companies thought that business continuity planning was only to do with information technology (IT). No more. Systems reliability and recovery are a big part, but often business continuity plans fail elsewhere. Without effective business continuity plans that stretch across your organisation, stakeholder value is at risk. The best organisations extend their business continuity planning to outside the organisation, to their suppliers, customers and others. Does your organisation extend to outside stakeholders? Can your organisation recover within a reasonable timeframe without losing too many customers?
An effective approach to developing the business response is vital today.
The goal of your business continuity plan must be to focus on your critical issues. What these are will depend on the relative competitive position of your company, the way it is structured and managed, and its existing branding and reputation. Your business continuity plan therefore must address all areas of risk; these could range from adverse publicity that may affect your brand and market position, and customer dissatisfaction resulting from limited service, through to health and safety issues arising from failures of third-party providers.
My approach to business continuity planning provides an analysis of your critical aspects through to the development of your business continuity plan itself, and:
• considers not merely the impact of technology failure, but also identifies the dependencies and vulnerabilities of your existing business processes and their continuity provisions;
• determines an appropriate business continuity strategy capable of dealing with the multiple impacts as well as single points of failure;
• ascertains the effectiveness of your communications programme developed to complement an effective business continuity plan in the event of it being invoked;
• simulates and tests your crisis management in operation, assessing its level of efficiency; and
• develops a mechanism within your organisation that ensures your business continuity plan is enhanced and maintained going forward.
My approach is a business approach. I start with an objective and business-centric approach to assessing business continuity risks and measuring the impacts those risks have on critical business processes and on your organization as a whole, starting from the business processes in your company that are essential to serve your customers and keep you financially healthy. By taking on a consultative role, I work closely with you to help you understand and identify your business continuity risks, evaluate your tolerance for disruptions and develop business continuity solutions tailored to your specific needs. In this way, together we establish business partnerships with the process owners in your company so that uncovering and managing the business impact becomes a collaborative effort. An evaluation of the costs and benefits of mitigating these continuity risks will allow you to select the right set of measures addressing your objectives of business continuity. This defines the business continuity strategy. The execution of the business continuity strategy consists of the implementation of technical solutions, the development of the business continuity plan and the organisation of the business resumption. I have learned that the best way to evaluate business processes and related continuity risks is through organized, fact-based interviews and facilitated self-assessment sessions. In these sessions, together we meet with your company's process owners and facilitate discussions designed to identify continuity risks associated with each business process, since only they can completely understand the processes they perform every day. This process also helps establish consensus on your organization's overall priorities and tolerance for continuity risks.
Every business continuity plan will vary. However, what will be common is the focus. This will have narrowed from a broad view of the strategic imperatives to a focus that may include dealing with specific risks. For example, checking the consequences in terms of regulatory, financial, relational, environmental and operational areas. The completion of your business continuity plan is the first step. The ability of your management will be tested when a serious negative event takes place. Their natural agility will help them to respond to this event, but it will also be important to achieve a level of awareness of your business continuity plan and a confidence in its ability to deal with this event, in terms of processes, activities and responsibilities that are a fundamental part of your business continuity plan.
Recent disasters such as the March 2011 tsunami and the February 2011 earthquake in New Zealand have led management to focus more on the narrower aspects of business continuity. Some companies have adopted a smarter approach and have widened their focus. Not only that, they will attempt to use their own business continuity planning for competitive advantage in the event of industry-wide events. Without effective business continuity your organisation is relying fully on the improvisation talent of the people on site during a disaster. Is this a chance your stakeholders would expect management to take?
IT DISASTER RECOVERY PLANNING
Imagine that the information systems within your company are interrupted for 24 hours. Could you still take orders? Could you still track goods movements? Could you still execute the distribution activities? The information you need to support the business operations is no longer available. Will you still be able to service your customers? Could you still plan and control your production? How would you communicate with your suppliers and customers? Worse, all transactions entered into the information system within the last 24 hours are lost. Could you retrieve those lost transactions from elsewhere and still guarantee integrity and completeness?
And now imagine that this situation lasts for more than one day: one week or more. How long will you stay in business? IT Disaster Recovery Planning is about not being blind to risks, but assessing the IT-related vulnerabilities and dependencies of your critical business processes, and being prepared and organized to smoothly resume the critical IT systems whenever any unexpected event occurs.
My practical approach to an IT disaster risk assessment:
- Project set-up: help set up the structure of the project team, and then help define the project organisation and planning.
- Business Criticality Assessment: gain an understanding of your business and help identify your key business drivers. From there, identify the key business processes based on an analysis of each process.
- IT Dependency Assessment: identify the key interruption risks from an IT point of view. This involves a study of the key IT dependencies and vulnerabilities of each critical business process.
- Current Status Assessment: assess the status of current measures in place with regard to preventive coverage, impact-minimising measures, detective tools, corrective procedures, and alternative infrastructure solutions.
- Gap Analysis: perform a SWOT analysis in terms of the coverage of key IT dependencies and vulnerabilities, effectiveness of current measures, and best practices.
- Decision on Critical IT Systems: provide a list of the IT systems considered critical to the business. Management will make a decision on the extent of DRP strategies to build for each risk identified, and with what priority.
What are the benefits of such an approach?
- Peace of mind: Merely knowing that your IT systems are protected to the best of one’s abilities will give you the peace of mind to focus on other improvements and developments.
- Improved risk management: You will minimize the risk of failures or delays by identifying and preventing problems before they occur. New policies and processes will help you manage risks and other aspects of your IT department more consistently and effectively.
I look at business impact analysis and risk assessment, disaster recovery and business resumption strategies, testing and auditing, and training, inspired by, amongst others, the following standards and frameworks:
- BSI BS25999 BCM (previously known as PAS56)
- BSI BS25777 IT continuity
- ISO 22301 on preparedness and business continuity
- DRII standards
- ASIS standards
- ISO IWA 5 emergency preparedness
- NIST SP 800-34 on IT DRP
- IIA GTAG series
- ISACA COBIT audit guidelines