By Mike Thompson
As a practitioner in the business continuity management space for over 15 years and having personally dealt with the actual recovery of businesses, I've seen an industry undergoing significant change. Recently these changes have been very positive as business and government leaders push for more holistic protection of our businesses. However, there is still a long way to go.
It’s all in our best interests to ensure that the business continuity industry delivers solid, cost effective and pragmatic BC capabilities.
Poor business continuity management practices not only tarnish the industry and destroy credibility, but leave organisations very exposed. Based on numerous poor practices and cleanup jobs with organisations that had supposedly implemented BCM, we (Linus) have identified ‘nine deadly sins’. Is your organisation guilty?
I can't believe how often I see this flawed method used to develop business continuity capabilities. Scenario planning assumes that planning can be built around the activities required to manage a specific event. For example, if there was a building fire, what would we need to do?
Scenario planning might lead participants to consider a fireproof safe to protect key documents. All looks well until we consider another scenario - for example, loss of access to the building due to a local chemical spill. Suddenly the fireproof safe is not such a good idea, as the documents cannot be accessed. With every additional scenario considered, the number of procedures grows in proportion, until the realisation dawns that scenarios and their combinations are infinite. We forgot about the flood on floor 10, the electricity outage, the gas leak...
The answer is actually very simple. Planning should be based on the loss or unavailability of key resources, regardless of the circumstances.
The quick and dirty
Some businesses are pushed to implement business continuity because of regulatory forces, media or vendor scare tactics, or even internal reporting (for instance, an audit). They have no real understanding of the investment and process required to implement business continuity management.
I often find managers have little regard for the process, have never been involved in a major incident and have the 'it won't happen to me' syndrome. They have just been lucky - that does not make them right.
It happens time and time again. We see outsourcing, hardware, software and backup site vendors attempt to use business continuity as a tool to generate more revenue. Why would you pay a vendor with a vested interest in their equipment or services to tell you what your business continuity needs should be? Is there any chance the solution might include some outsourced services or equipment? Are they likely to have the analysis expertise? We work closely with a number of vendors, but these are the smart ones that recognise the boundary and see the win-win of an independent approach.
I feel sorry for the CIO that cops the business continuity management responsibility (often referred to as disaster recovery planning in IT circles). Hopefully the Boards of today realise that business continuity is a whole-of-business issue, not just an IT problem.
IT systems are resources of the business just like staff and equipment. I can envisage an IT department informing the CEO after a disaster that IT systems have been restored and the CEO saying, "That's great - the only problem is we don't have a business that can use it!"
IT benefits greatly from business continuity management, through the provision of pragmatic business targets supported by formal business cases.
Miss the big picture
Some organisations simply view business continuity management as a risk mitigation strategy. BCM is far more than that, providing a holistic understanding of what the business actually does, how it does it and what it needs to do it.
In many cases, it is the first time that management sees a complete view of the operational business, rather than a list of titles and departments on an organisational chart. Business process improvement, organisational restructure and strategic planning are examples of activities that significantly benefit from the BCM process.
The 'black-box brigade'
I am referring to the unfortunately commonplace practice among many major consultancies of performing business continuity management as if it were a black-box audit activity. The emphasis is on extracting information, not on describing the process or educating. The results magically appear out the other end of the project via a report (with accompanying invoice). The client is left with no buy-in, no understanding of the process and expenses that can't be justified.
This process fails because the business is not given the opportunity to discuss and challenge ideas or to learn the process themselves. Ideally the business only needs a small team to coach, mentor and guide them through the process so they can believe in the results, learn and repeat the process themselves as the business changes, long after the consultants disappear.
Poor industry standards
Standards are often poorly constructed, rushed and offer little, if any, practical guidance. The gap between theory and practice is all too obvious. I understand that, by definition, a standard must be generic enough that organisations across all industries can use it. However, that does not remove the authors' responsibility to provide sufficient direction to enable the practical application of the standard.
For example, if a standard says 'define critical functions' then there should be supporting information that describes how one would define and contextualise this within the organisation. Even a glossary definition would be a starting point. Some standards don't even identify review and sign-off points during the process. There should also be a focus on costs, rather than advocating a process that is simply 'analyse the strategies, then implement'.
Without wider industry peer review from those with real practical experience in these areas, it's easy for the standards to become meaningless.
Business continuity management is a complex business. Organisations rely heavily on software to support their business but when it comes to managing the BCM lifecycle there seems to be a reluctance to adopt a software management tool. The challenge is to find a vendor that actually 'walks the talk' with real and substantial methodologies reflected in the software (not just a glorified asset and contact list), and that doesn't cost you a corporate arm and leg.
Paper-based management systems result in poor update cycles and distribution challenges that turn your business continuity capability into 'shelfware'. Independent automatic off-site backup of business continuity material should be used to ensure you have access to your plans if disaster strikes.
We've seen too many examples of corporate response and recovery procedures that require you to read six chapters of project history, steering committee minutes, etc. before you get to the first recovery step. History and reasoning are important, but only when cycling through the business continuity management process. Linus has created the concept of the 'coloured books'. Each coloured book has a specific role to play in the response and recovery process and provides succinct information to get the task done. History is kept separate in its own coloured book and is not required in times of crisis or disaster.
The 10 commandments of business continuity management according to Linus:
- Avoid scenario planning to develop plans. It is only useful for testing established plans.
- Make BCM a serious part of your normal ongoing business processes, don’t just react to media reports or scare tactics.
- Avoid using vendors without an independent BCM approach.
- Make sure BCM is business-driven, not IT driven.
- See BCM as not just risk management, but as a means of gaining true insight into what the business actually does, how it does it and what it needs to do it.
- Avoid the black-box brigade: adopt a methodology-centric ‘coaching’ approach.
- Don’t use standards as your only source of information.
- Use a software management tool to build and maintain your analysis, planning and procedure information.
- Make sure your plans are automatically backed up and accessible at short notice (preferably over your own Internet).
- Keep your plans concise and divided into meaningful sets; avoid including background analysis and history with actual procedures.
Mike Thompson is a managing partner with Linus Information Security Solutions, an Australia-based business continuity management specialist. www.linus.com.au
Thanks to Mike Thompson for a listing of what we often find wrong in our business – and wrong-headed in customer management. I especially appreciate “The quick and dirty”; even today I often see short-sighted attitudes that result in resources spent to meet a short-term compliance requirement where the result has no value other than to give the firm a false sense of security.
However, I do have something to add for scenarios. I do agree with what he says, but I think that we also must acknowledge that those outside of the BC industry find it difficult to work without a scenario focus. In working with such a client, we developed an approach that includes scenario classes, based on a variety of characterizing factors. These are divided into external scenario classes and internal scenario classes.
External Scenario Classes include those interruptions largely beyond the control of the organization, and these are what are most commonly addressed by DR and BC plans. The following factors characterize each external scenario class, and grow increasingly severe as the number of the external scenario class gets larger, ranging from 1 to 5. Note that continuity components such as data backup, crisis management planning and exercising, staff notification, and recovery activities would predominate here. There are few prevention / probability reduction measures that apply. The methodology then prioritizes implementation projects based on their applicability to the least severe (and most probable) scenario class, adding gradually until all necessary components have been implemented for all scenario classes, including the most severe.
* Day/time of occurrence (working hours, non-working hours)
* Geographic scope (firm premises to regional infrastructure)
* Duration of interruption (several minutes to several weeks or more)
* Nature and extent of firm premises infrastructure services impact
* Nature and extent of firm premises damages
* Injuries to firm personnel
* Impact on the workplace
Generally five External Scenario Classes are created. Obviously, the sensitivity and range of values for each factor may vary for a specific firm based on the nature of its business. A sample of the duration factor as represented in the five External Scenario Classes is as follows:
DURATION OF INTERRUPTION BY EXTERNAL SCENARIO CLASS

Class               Length of Interruption
1. Minor            Less than 1 day
2. Significant      1-3 days
3. Serious          3-5 days
4. Very serious     5-10 days
5. Catastrophic     10 or more days
Internal Scenario Classes are specific to each site, although some of these are found in nearly all environments. Here is a sample of the types of Internal Scenario Classes that are commonly encountered. There will always be others that are specific to the firm and to the site, particularly the single-point-of-failure resulting from excessive dependence on a single staff member with knowledge and skills unique in the organization. Identifying these internal scenario classes allows for specific preventive and mitigating measures to be identified and then implemented how and where appropriate for these far more probable causes of interruption. The internal scenario classes are derived from a high-level risk assessment and interviews with key staff. One of the many advantages of this approach is that it allows for the identification and addressing of the so-called “soft” risks, such as those that make up reputational risks.
COMMON INTERNAL SCENARIO CLASSES

A. Building services failure (electrical, HVAC, water)
B. PBX failure
C. Local network outage
D. Workplace violence
E. Disease or injury to personnel in travel status
F. Supplier or distributor interruption
G. Unauthorized disclosure of confidential information
H. Loss of critical staff
I. Reputational risk
A Steering Committee then approves both the internal and external scenario classes as follows:
* The characteristics as defined for external scenario classes are reasonable for the sites and functions of the firm.
* The list of internal scenario classes is correct and complete, covering the most important and probable risks that could cause an interruption of firm business.
So it is not as if I am advocating the use of specific scenarios such as fire, but I find that a unique focus on the “worst-case” scenario does not work well either. So far we have used this approach in four organizations, and it seems to be a compromise that works. It also creates a shared vocabulary within the organization that is not based on insider jargon.
Kathleen Lucey, FBCI
Date: 20th March 2006 • Region: Australia/World • Type: Article • Topic: BC general
UPDATED 28TH MARCH