The above questions are not new – they have been asked for as long as disaster recovery / business continuity has been an issue. In today’s economy, with the push for cost reductions across all types and lines of business, these questions are more relevant and are being asked more often. They should not be answered in a vacuum. Answering them incorrectly, and implementing solutions based on the wrong answers, could be fatal to the organization. The solutions put in place to address acceptable downtime must be effective AND cost sufficient – putting your real dollars where they really NEED to be spent. I’m talking the full-meal-deal here – data backup strategies, technology strategies, and work area solutions.
In order to determine acceptable downtime, those addressing the issue should consult the entire enterprise and involve the executives in the decision-making process. This can be accomplished by conducting a formal business impact analysis. Impacts to stakeholders across the organization must be considered should the organization experience a major disruptive event that affects its business operations. When assessing impacts, the organization should consider those that relate to its own business goals and those of its stakeholders. Per best practices, you should consider the seven impact types and document every one that applies – people, assets, regulation, reputation, financial stability, quality, and the environment.
Once the acceptable downtime is determined and approved, only then can you assess and / or implement the proper and cost sufficient solution that will ensure your organization’s ability to resume its critical business functions and recover the business over time. You need to spend only what needs to be spent on your recovery solution – overkill means overspending. Underspending, or not spending at all, could be fatal to the organization from a business resumption perspective.
Are you prepared to deal with an emergency in your home, your business or your community? September is National Preparedness Month: http://www.ready.gov/america/npm10/index.html . If you are not prepared, now is the time to prepare. If you are prepared, now is the time to ensure your plan is up to date and viable.
From a business planning perspective, September would be a great time to review or conduct your risk assessment, examine or conduct your business impact analysis, and review or put your recovery solutions in place. In addition, you will want to examine or develop your documentation and conduct an exercise to ensure your plan is viable and would indeed hold up if your organization’s activities were interrupted by a disruptive event.
Businesses should ensure their plans are based on professional best practices and that the plan addresses life / safety (emergency preparedness), crisis management (responding to the event), business continuity (resumption / recovery of critical and essential functions), and disaster recovery (recovery of the technology assets). Here is a link to more information on professional best practices: https://www.drii.org/professionalprac/index.php
Every business should have a plan – Plan to Stay in Business!
I am often asked about SAS70 conformity in relation to the need for business continuity planning. Technically speaking, business continuity planning, or any variation thereof, is NOT a requirement of SAS70. When reviewing a client’s vendor management process from a business continuity perspective, I will often hear that the client is not concerned about their third party provider’s business continuity plan “because they have provided proof of a SAS70 Type II audit”.
If you are truly interested (and you should be) in your critical third party provider’s business continuity planning process, you really need to dig deeper. Specifically, you will need to make further inquiry. First off – determine whether your vendor’s SAS70 Type II has an existing control specifically written for their Business Continuity Plan. Most don’t, and therefore the plan is not being audited as part of the SAS70 Type II audit process. You should then determine whether their plan meets professional best practices and guidelines. These include process management, risk assessment and mitigation, business impact analysis, solutions planning and implementation, plan documentation, testing and exercising, and plan audit and certification.
Until you get more specific, you will NOT know whether your critical third party providers have a viable business continuity plan that will allow them to respond to a major business disruption, resume their critical business functions and recover their business over time.
It is paramount that your critical service providers have a working and documented business continuity management plan in place. It just makes good business sense – for them and for you.
There seems to be a common thread of late in regulated industries regarding business continuity and disaster recovery planning. That common thread is complacency. I have had the opportunity to work with several regulated clients, and they have done an excellent job in developing BC / DR plans that not only meet their industry’s regulatory expectations but would indeed work should the need arise. I know many of you who read this blog have either developed such a plan or have worked with those who have.
BC / DR plans are typically put in place to ensure recoverability in order to protect the organization’s shareholders – at least that’s the intent. Regulators charged with overseeing BC / DR expectations and ensuring plans are in place give little consideration to the components or elements that they themselves have “suggested” or “mandated”. Thus the reason for complacency! Many organizations have put significant time, effort, and real dollars into ensuring that not only the regulatory expectations are met, but that the plan is executable and viable as well. I’m all about protecting the client or customer, but I can certainly see the point of those being instructed to put BC / DR plans in place – doing just enough to get by.
The regulatory world, if it is truly concerned about BC / DR being done, and being done the right way, in an effort to protect the consumer, needs to step it up and audit to the level of its expectations. Regulators must ensure accountability. It is one thing to suggest or mandate BC / DR expectations, but it’s another thing to measure the planning effort against those expectations. Until that happens, the various regulated industries (healthcare, government, finance and utility sectors) will continue to be complacent about their planning efforts, and when the time comes their plans (if they have one) won’t work – thus defeating the purpose of regulatory oversight and the protection of each and every one of us.