The importance of holistic Business Continuity Management

ITSCM... Is it just the tip of the iceberg?
By Rinske Geerlings - Director of Business As Usual (www.businessasusual.net.au).
(former Disaster Recovery Manager at Rabobank)

Business Continuity is relevant... right now!
Since the events of Y2K and September 11, there has been an increasing level of risk awareness - whether related to terror, pandemic, power outage, reputation, security, IT or other risks. The need for organisations to have proper Business Continuity (BC) planning and Disaster Recovery (DR) management processes in place is ever increasing, in order for them to continue their business in the event of a disruption, and maintain customer service levels, staff safety and job security.

Historically, IT has been the area of focus in terms of Disaster Recovery. However, a broader, whole-of-business approach is now becoming mandatory and is regularly audited by government authorities, for example in the finance/insurance industry. In other industries too, awareness is growing that the business - not IT - should be the key driver when optimising services, procedures and systems for Disaster Recovery.

The real issues
In many cases, IT provides recovery solutions like system backups and real-time replication without business requirements having been determined properly. Management’s aim should be to prevent over- or under-spending on IT Service Continuity, but it should also ask questions like: “How important is systems recovery in the event of a bird flu outbreak or bomb threat?” and “How will our backups ensure that the business will survive if key staff were to become unavailable?”

History has shown that, in real-life situations, IT systems do not tend to be the main headache for organisations experiencing an outage or other crisis while they try to keep staff safe and continue ‘business as usual’.

Instead, issues are more likely to revolve around the discomfort of the Crisis Management team when trying to make informed and timely decisions during the course of a disruption – in particular if some of their key line managers are not around, when reporting is not in place as per normal operations, and when the team has not rehearsed decision-making in a crisis situation. Other problems tend to relate to reputation management, handling the media, relying on notification plans, the accuracy of key staff contact details and general staff awareness of the Business Continuity Plan – including IT’s own team recovery plan!

Help!
Although most of the Business Continuity process is not rocket science, it can take up a lot of time and effort if you approach it unequipped with templates, checklists and best-practice guidelines. Fortunately, certain tools are available online, for example via Standards Australia and the Disaster Recovery Institute International. However, as with implementing ITIL processes, great success is usually only achieved by adding a substantial amount of (external) experience to the books... as well as common sense!

Breaking it down into bite-sized chunks
The following ‘8-step cycle’ is Business As Usual’s BC health-check model, based on best practice. It has been developed in accordance with guidelines and standards including DRII, AS HB221, BS25999 and APRA. For each step, some examples of relevant questions are provided below.

Step 1 - Business Continuity process objectives
• Have any recovery objectives/standards been defined by IT and/or the business? For example, does the organisation aspire to have only a basic level of Business Continuity in place, or does it want to be a forerunner? Does it require the process for compliance and audit purposes?
• How are recovery objectives kept up-to-date with business strategy?

Step 2 - Risk management
• How have the organisation’s risks been identified, analysed and addressed?
• What risk mitigations/controls are in place or are currently being implemented? For example, a diesel generator or back-up air conditioning in the data centre.
• How are risks and controls being kept up-to-date? How frequently is this being done?

Step 3 - Business Continuity teams & buy-in
• Which people are involved in recovery of business processes and systems?
• How are buy-in and commitment to Business Continuity achieved and maintained? For example, does an “It won’t happen to us” mentality prevail, and do managers and staff wonder why they should invest money in a “dead site” (meaning, a recovery site)? Or do IT and business managers meet regularly to keep continuity provisions, requirements and expectations aligned? Is it possible to make BC fun in your organisation?

Step 4 - Key business process identification
• Have the organisation’s essential business processes been established and rated in terms of criticality, and have any dependencies between processes been determined?
• Have the activities and resources that are required for critical functions been identified? For example, the customer service team may need Internet access, e-mail and the phone system to do their job.
• How, and how often, are the criticality ratings and essential resources being reviewed? For example, if online customer feedback forms are becoming critical to certain parts of the business, how will IT know about this function becoming critical, and how will it be able to provide the key resources needed to keep this function operational?

Step 5 - Operational & financial impacts
• Not all organisations are impacted in the same way by possible disruptions. Contrary to what many assume, not everyone is in the same boat when it comes to disasters like pandemics and terrorism. Have likely scenarios been discussed by all relevant managers in terms of operational and financial impact on their particular line of business?
• Is documentation available regarding acceptable outage times and data loss, based on disruption scenarios?
• By what mechanisms (if they exist) is the business impact information regularly being reviewed?

Step 6 - Implementing & testing Continuity provisions
• How have the organisation’s Continuity provisions been determined/implemented, how have any work-arounds been chosen and how are Continuity treatments being reviewed? For example, for critical IT systems, have data and system recovery provisions been implemented and related procedures been documented? Has initial testing been performed after installation?

Step 7 - Business Continuity Plan documentation
• Have suitable procedures for Crisis Management, emergency response and damage assessment been documented and how are they maintained? How is people safety being assured? Have evacuation and First Aid procedures been documented?
• Will acceptable continuity levels be ensured by the plan, in line with business expectations for recovery of key business processes? What if key staff are traumatised – is there a plan to involve counsellors?
• Have people/team and technical recovery procedures been established? How are they kept up-to-date? Are they appropriately ensuring continuity and recovery capability? A simple but often relevant example: is there a procedure in place to keep back-up tapes from being stored on top of the server?
• How are crisis notification/communication plans (to inform internal and external parties) maintained? How is the calling tree being kept updated?

Step 8 - Exercises, training & awareness
• To what extent are recovery tests being conducted, post-exercise reports created, and resolution of issues being tracked? Are external suppliers (for example telco and tape delivery providers) included in the tests?
• How is process awareness amongst key recovery team members guaranteed? What training programs are in place, for example induction training? How frequently and to what extent is education of IT and business team members being conducted? Often, BC procedures are published on the organisation’s Intranet, but nobody seems to know them because everyone is too busy with ‘high priority’ (production) issues!

Maintaining all related documentation, keeping the BC Plan in line with changes in IT and the business, and regular reviews and audits are ongoing activities, as depicted in the centre of the wheel.

Even when the process has been implemented from step 1 through to step 8, changes to any of the parts are likely to occur. After step 8, the cycle returns to step 1 and all following activities should be reviewed regularly. The overall improvement of the process by regularly reviewing and optimising all relevant steps is highlighted in the model.

So... yes! ITSCM is just the tip of the iceberg
Systems are not the only things critical to organisations, and IT should not be the only function carrying the weight of making the organisation aware of Business Continuity.

But it’s not the end of the world...
Specialised knowledge of how best to initiate a holistic Business Continuity Management process, analyse the organisation’s needs and limitations, implement continuity treatments, communicate agreed procedures to management and staff and regularly perform exercises is needed in order to prevent a waste of substantial time and energy. Experienced Business Continuity Planners do exist, whether within or outside your organisation!

Rinske has been specialising in Business Continuity, DR and Business Process Improvements for more than 14 years, and is often sourced as a panel expert or speaker on topics like “How to perform successful DR exercises”, “Creating buy-in for BC across your organisation” and Pandemic planning. She gained most of her experience in permanent roles in Finance as well as management consulting/training.

Her company Business As Usual (www.businessasusual.net.au) assists organisations with Business Continuity health-checks, Disaster Recovery rehearsals, Board preparation, desktop BC Plan walk-throughs, Business Continuity training and integration between BC/DR and ITIL.

Rinske is a certified Business Continuity Planner (DRII – Disaster Recovery Institute International) and a Business Continuity Institute (BCI) member, and she has been an ITIL Master since 1998.

For more information, e-mail rinske@businessasusual.net.au

© Mavim 1997-2010