Business continuity and disaster recovery outsourcing issues Business continuity/disaster recovery – outsourced. Can it be? Could that really happen? With more and more companies focusing on core business objectives, outsourcing is taking hold on an international level at a fast pace. Have a problem with your credit card? You may be talking with someone from Bangalore , India . Want to get that laptop repaired? You may have it repaired without the manufacturer ever touching the machine. Working on a large design development project? You may be collaborating with Japan. Today, many areas of business are becoming comfortable with outsourcing, off-shore, insourcing, and home sourcing. With global changes in culture, economics and political landscapes, it is no surprise that companies are expanding their options to areas that were once inaccessible years ago, both politically and from an infrastructure standpoint. On first pass, you would find the logistics of outsourcing business continuity and disaster recovery a difficult one. How could a company risk their existence on something that is difficult to manage if it is not under the control of the corporate organizational structure? Projects and business functions can be developed and maintained in a methodical way. They can be assessed against established assumptions. These assumptions are things such as facilities that are fully functional and infrastructures that are working smoothly. These parameters aid in implementing an outsourced solution. Yet, disruptive events do not always follow established parameters. The uncertainty and scope of events that could impact a business can be as small as a water pipe breaking in a facility to events that impact entire regions where public and private sectors collaborate to ensure public safety while trying to re-establish business and basic communications. So how does a business continuity manager operate in this new paradigm without introducing greater risk? Also, what are the solutions that are needed to mitigate those risks associated with business functions being extended across international borders? Business continuity managers need to maintain two different perspectives. From a business continuity management standpoint we analyze from a core level of critical business function. This always will remain the focal point. Traditionally, many of those critical functions came under the same corporate ‘umbrella’. There is the hierarchy, an organizational chart to which we refer when identifying responsible resources for these functions that are core to the business existence. With outsourcing, another dimension takes shape. Now those functions are not only outside of the ‘castle walls’ but are being managed by another organization that has their own hierarchy, a different organizational chart that drives their business. As business continuity managers know, you always need someone ‘on-site’ during an event that threatens the business. Outsourcers that are taking control of critical functions from predominantly western companies realize they need to adhere to strict guidelines to secure this new business. Business continuity is more prevalent at the start of discussions when deciding who and where outsourced functions will be performed. Many outsourcing companies acknowledge the need and concerns around business continuance due to the requirement to conform to service level agreements and through realizing that it is good business practice which helps them to maintain customers and grow their business. Many of these companies have established risk management teams to include business continuity organizations. So, where do we as business continuity managers fit in this changing dynamic of how business is conducted? Many new aspects need to be investigated. Interdependences between offices where business is being conducted need to be analyzed in greater detail. Business continuity needs to be more aligned with corporate governance groups. Business continuity needs a stronger voice at the ‘table’ when service level agreements are being developed. New metrics need to be established to ensure core business functions are being protected. Some of those include: * Outsourced domestically vs. internationally * Critical functions vs. non-critical functions (what is being outsourced) * Financial and personal data protections * Networks – reliability * Power grid reliability * International industry certifications at outsourced companies * Crisis management communications * Local recovery options or relocating workload to corporate * Service Level Agreements * Contracts – Force Majeure- What are the implications * Facilities protections – physical security * Data protection – Information security * Government protection during civil unrest. * Investigation of the interdependent companies servicing the outsourced company. * B usiness continuity vs. corporate governance vs. risk management government * Regulatory requirements for distribution and access to data These are some of the topics that need to be discussed when assessing the risks and the ability to continue business when critical functions are managed by outside organizations. There may be more, depending on how unique the relationship is between two companies. Most issues are being addressed currently with organizations having international offices. But another dimension takes shape when the controls are handed over to a separate entity. When interfacing with business continuity groups at these outsourced companies be sure to look for methodologies that are similar to US-based corporate programs. Look for certifications in their staff. DRII and BCI are a few certifications that help ‘level set’ initial expectations and provide a baseline for conversations moving forward. Can business continuity be outsourced? That depends on how much risk a company is willing to take. This can be a double-edged sword. On one hand, outsourcing means that a company can distribute its functions across regions and continents. This helps mitigate the overall geographical risk. On the other hand, putting a company’s critical functions in the hands of outsiders can introduce other varying types of risks. The question is, what level of risk are companies willing to bear and when does the balance tip from efficient operations to operational risk? In these changing times, although a business continuity manager’s focus remains the same - to protect staff, company assets and shareholder interests - we also now need to look at the changing dynamics around the world and how business is being conducted. The advantage we have is that by the nature of our business, we are always challenged to look at things from different perspectives, yet stay focused on continuing business. Outsourcing business continuity functions is in its infancy. We can look at this as a new way to expand to another level, bringing with it more tools and innovation that will help us manage the overall process of protecting our companies while keeping pace with inevitable change. Lawrence Robert, CBCP, Director, Business Continuity, NEDRIX lawrencerobert@nedrix.com New England Disaster Recovery Information X-Change (NEDRIX) is a non-profit organization with more than 1200 active members throughout the six New England States. NEDRIX was formed as an organization in August 1991, to provide a low cost venue for disaster recovery and business continuity planning professionals from the six New England states to meet and share effective disaster recovery and business continuity ideas and experiences. http://www.nedrix.com/
•Date: 20th March 2006 • Region: US/World • Type: Article •Topic: BC general |
