The above questions are not new – they have been asked as long as the topic of disaster recovery / business continuity has been an issue. In today’s economy with the push for reductions of costs across all types and lines of business the above questions are more relevant and are being asked more often. Those questions should not be answered in a vacuum. Answered and solutions implemented incorrectly could be fatal to the organization. The solutions put in place to address acceptable downtime must be effective, AND cost sufficient – putting your real dollars where they really NEED to be spent. I’m talking the full-meal-deal here – data backup strategies, technology strategies, and work area solutions.
In order to determine acceptable downtime those needing to address the issue should consult the entire enterprise and involve the executives in the decision making process. This can be accomplished by conducting a formal business impact analysis. Impacts to stakeholders across the organization must be considered should the organization experience a major disruptive event that affects its business operations. When assessing impacts, the organization should consider those that relate to its business goals and those of its stakeholders. You should consider (per best practices) the seven impact types and emphasizes the importance of documenting all that affect – people, assets, regulation, reputation, financial stability, quality, and the environment.
Once the acceptable downtime is determined and approved only then can you assess and / or implement the proper and cost sufficient solution that will ensure your organizations ability to resume its critical business functions and recovery the business over time. You need to spend only what needs to be spent for your recovery solution – overkill means over spending. Under spending or not spending at all could be fatal to the organization from a business resumption perspective.
Are you prepared to deal with an emergency in your home, your business or your community? September is National Preparedness Month http://www.ready.gov/america/npm10/index.html . If are not prepared now is the time to prepare. If you are prepared, now is the time to ensure your plan is up to date and viable.
From a business planning perspective September would be a great time to review or conduct your risk assessment, examine or conduct your business impact analysis, review or put your recovery solutions in place. In addition, you will want to examine or develop your documentation and conduct an exercise to ensure your plan is viable and would indeed hold up if your organizations activities were to be interrupted by a disruptive event.
Businesses should ensure their plans are based on professional best practices and that the plan addresses life / safety (emergency preparedness), crisis management (responding to the event), business continuity (resumption / recovery of critical and essential functions), and disaster recovery (recovery of the technology assets). Here is a link to more information on professional best practices https://www.drii.org/professionalprac/index.php
Every business should have a plan – Plan to Stay in Business!
I am often asked about SAS70 conformity in relationship to the need for business continuity planning. Technically speaking business continuity planning or any variation thereof is NOT a requirement of SAS70. When reviewing a client’s vendor management process from a business continuity perspective, I often will hear that the client is not concerned about their third party provider’s business continuity plan “because they have provided proof of a SAS70 Type II audit”.
If you are truly interested (and you should be) in your critical third party provider’s business continuity planning process you really need to dig deeper. Specifically, you will need to do further inquiry. First off – determine if your vendor’s SAS70 Type II has an existing control specifically written for their Business Continuity Plan. Most don’t and therefore it is not being audited as part of the SAS70 Type II audit process. You should determine if there plan meets profession best practices and guidelines. To include, process management, risk assessment and mitigation, business impact analysis, solutions planning and implementation, plan documentation, testing and exercising and plan audit in certification.
Until you get more specific, you will NOT know whether your critical third party provider’s have a viable business continuity plan that will allow them to respond to a major business disruption, resume their critical business functions and recover their business over time.
It is paramount that your critical service provider’s have a working and documented business continuity management plan in place. It just makes good business sense – for them and you.
There seems to be a common thread of late in industries that are regulated in regards to business continuity and disaster recovery planning. That common thread is complacency. I have had the opportunity to work with several clients that are regulated, and they have done an excellent job in developing BC / DR plans that not only meet their industries regulatory expectations and they have also developed plans that would indeed work should the need arise. I know many of you that read this blog have either developed such a plan or have worked with those that have.
BC / DR plans are typically put in place to ensure recoverability in order to protect the organizations shareholders – at least that’s the intent. Regulators charged with overseeing BC / DR expectations and ensuring plans are in place give little consideration to the components or elements that they themselves have “suggested” or “mandated”. Thus the reason for complacency! Many organizations have put significant time, effort, and real dollars into ensuring that not only the regulatory expectations are met, but that the plan is executable and viable as well. I’m all about protecting the client or customer, but I can certainly see the point of those being instructed to put BC / DR plans in place – doing just enough to get by.
The regulatory world, if they are truly concerned about BC / DR being done and being done the right way, in an effort to protect the consumer, needs to step it up and audit to the level of their expectations. They must ensure accountability. It is one thing to suggest or mandate BC / DR expectations, but it’s another thing to measure the planning effort to those expectations. Until that happens, the various regulated industries (healthcare, government, finance and utility sectors) will continue to be complacent about their planning efforts and when the time comes – their plans (if they have one) won’t work — thus defeating the purpose for regulatory oversight and the protection of each and every one of us.
Courtesy of Continuity Central — On Thursday June 3, the chairmen of the Senate and House Homeland Security Committees urged the Department of Homeland Security to step up its implementation of PS-Prep, the voluntary program to help private sector companies develop preparedness, response, and business continuity plans.
For those of you that have taken the time and spent real dollars to develop your business continuity plan here is a tough question for you. How usable would that plan be at-time-of-event? As I travel from prospect to prospect or conduct plan audits for small to medium sized organizations there seems to be a common thread between those that have chosen to use specialized business continuity planning software. That common thread is “frustration”. Most indicate it has proven to be more of a hindrance then a help — especially during an event.
Ask yourself the following questions. What does the content of your documentation reveal? How is the document organized? Can you (or someone other than the planner) follow the defined path for response, resumption and recovery? Just how effective would the documentation be if you actually had to utilize it?
I once had an consultant from one of the larger insurance organizations define the use of specialized business continuity planning software by small and medium sized organizations to develop their plan documentation, “like hunting squirrels with an elephant gun.” You really only need to develop basic documentation – a team roster, employee information, basic tasks and responsibilities, internal and external contact information, and some basic information regarding your resource needs. Word and Excel and other like tools work great for developing “exactly” what you need at-time-of-event. By keeping the documentation simple and uniform for your team(s) and business units it will ensure usability. Years ago I saw a quote in Computerworld regarding business continuity plans – “Business continuity plans that are generated by people within the department with known software like MS Word or Excel have proven to be more successful in a real disaster.” There are pros and cons for each solution – you need to determine what works best for you and your organization.
If you are just beginning the planning process and analyzing how you will document the process ask yourself — should I use specialized business continuity planning software or something more “friendly” to ensure plan viability. Choose the one that will work best for you and your organization. A well organized, yet simple plan document can save a lot of time when it’s needed!
So you have a documented business continuity plan – where do you keep it? How easily could you and / others access it at the time of a major business disruption – let’s say a building fire? As I conduct tabletop exercises for organizations, I am amazed at the number of times the plan is “unavailable” to those that need access to it in order to respond to the event and /or those that have the responsibility to resume critical business functions following the event.
I always “encourage” folks to “keep a paper copy in the office and one at home”, even if it’s only the portion of the plan that pertains to their responsibilities at-time-of-event. Some planners even encourage key people to keep a copy of the plan in their car. Unfortunately, we see people consistently keeping a copy of the plan on a network shared drive or on their personal PC or laptop. For those that keep it on their laptop, my experience is that the majority them do NOT take their laptop home all the time.
So here’s the question for those that retain a copy of the plan on that shared driver or that PC or laptop – what’s the point? If the network is unavailable, even if you have connectivity from home, or your desktop or laptop are part of the event – you don’t have at hand the materials you have spent a considerable time, effort, and even real dollars to develop for the moment.
At IT-Lifeline clients are offered access to a secure portal, that should they have access to the internet, they will be able to access their planning documents. Other BC providers, such as IT-Lifeline, offer the same. But the key here is that organizations must take advantage of the offering.
Take an inventory of those that have or should have access to their planning documents and see if they would indeed have access to those documents at-time-of-event. If not, you will need to make the necessary changes to ensure plan availability when the time comes. Common sense you say – you’re right, but you’d be surprised how many haven’t considered this critical issue.
In early March we saw a number of articles talking about the risk of the Northwest to an earthquake similar to the one that devastated Chile. We’ve heard about the fault off our west coast that has been dormant for several hundred years, and that it in fact might wake up some day — nothing new right? During recent computer simulations of a “hypothetical” 9.0 quake it was determined that the shaking could last as long as up to 5 minutes. That would rattle the Seattle, Portland and Vancouver areas significantly. It’s no secret that a quake of that magnitude would severely affect the infrastructure in those major cities. Business as we know it would be disrupted as well. Buildings that were constructed in the Seattle prior to 1994 are expected to collapse due to the lesser building codes under which they were built.
Disaster Managers throughout the region are working to strengthen the infrastructure to withstand a major seismic jolt, but they won’t be able to touch everything. Even if your structure withstands the rocking and rolling, it’s highly likely your business will still be disrupted due to the damage to the surrounding infrastructure. How long can you afford to be away from your business? What are the expectations of your local clients? They may understand for a period time because they too will be unable to get around. Do you provide products and services to those outside the area? What are their expectations? This may put a different spin on things.
In the interest of the survival of your business you should consider geographical diversity. Not necessarily a “second place of business” but at a minimum, from a business continuity perspective. You should develop a plan that allows you to respond to the event, to resume your critical business functions and processes, and to recover your business over time – you should consider an alternative outside the region and away from the seismic risk. For example, a few years back Forbes Magazine published a list of the safest cities in the US. Four out of the top five were in the Inland Northwest. They were Boise, Yakima, Spokane and the Tri-Cities. Here at IT-Lifeline, as a provider of business continuity services, we not only take pride in our location, but also in the technology environment that we’ve put together in support of an organization that experiences any major business disruption – including that 9.0 shaker.
It’s your choice – wait and assume the risk or take action and put a viable business continuity solution in place. The success of your business will depend on it. Remember, scientists cannot predict when a quake will occur, but they are certain that one will happen.
How comfortable are you with your business continuity planning efforts? Does it meet regulatory expectations? Could you respond to a significant business disruption? Does the plan ensure timely resumption of operations and processes during adverse circumstances? Could you recover your business over time? Does it reflect your current business operating environment? Have you considered conducting a strategic audit of your business continuity planning process?
Someone once said “if you don’t know where you’ve been, it’s hard to figure out where you are. If you don’t where you are, how can you decide where you want to go? If you don’t know where you’re going, any road will get you there.” Interesting, but how does that apply to the auditing of your business continuity plan you ask?
There is great value in reviewing the road an organization has traveled to get to the place it is today as it relates to their business continuity planning process. A best practices audit helps paint a picture of the level preparedness resident in the business continuity plan. A clear picture of how your organizations resources have been allocated enables you to see where your assets (people, capital, facilities, and equipment) have been deployed. If you have invested time, effort and real dollars in the business continuity planning process, by reviewing the returns associated with these investments, you will be able to make decisions with inherently more confidence and higher expectation of superior results. In our current economy and at time of event this could make a significant difference. Find out if the road you took to get you there was indeed the right one.
Perhaps now is the time to consider conducting an audit of your business continuity planning process? Conducting a best practices audit will answer all the questions noted above and perhaps offer you a better night’s sleep.
Most of you that read this post periodically know that I’ve been a business continuity planner for quite some time, in fact – 35 years. One of my issues with the “industry” over the years has been the constant shift in terminology. When I started, the process was called disaster recovery, it then became crisis management, the process then became business continuity and today the last time I checked, it was still called business continuity management planning. So over the years I have been a disaster recovery planner, a crisis management planner, a business continuity planner and now a business continuity management planner.
Now we are starting to see a change in some of the terminology that has been associated with the components of the business continuity professional best practices. I say, “Leave them alone” – many of us have spent years educating our organizations / clients on these terms.
The most recent change I’ve come across during some recent reading is something called “undetected configuration drift”. Have you ever seen it used? I’ve seen it used in a number of fashions and they all make sense from a business continuity perspective, but from a terminology perspective –a bit much, in my opinion. It sounds like some type of disease or illness. The term used to be called “gap”. To me it’s a little easier to say and a lot easier to explain. What we’re talking about here is the “disparity” between your disaster recovery (technology assets) environment you’ve defined / set aside and the actual technology required at time of event to recover your critical business functions following a major business disruption. Doesn’t “gap” make more sense?
Let’s commit to the “keep it simple” process! No need to make things difficult. “Gap” works for me!