Chris Bakowski, senior consultant, Linus Information Security Solutions Pty Limited.
Throughout our experience with various organisations across government, industry and forum groups regarding business continuity management, we still find flawed methods prevailing in organisations that develop, or try to develop, business continuity plans built around managing a predetermined disaster.
Unfortunately, many organisations commit significant time, effort and expense to developing emergency response and business recovery solutions based on managing a predetermined disaster, such as a fire or electricity failure, only to find their logic, and hence their recovery capabilities, failing when the crisis falls outside the scope of what has been planned for.
This approach, also known as ‘scenario-based’ planning, is fine for assessing potential risks, testing plans or developing specific media statements in response to a given event. However, it fails as a method of developing the business continuity plans themselves. Plans need to be focussed on WHAT needs to be done if a resource is unavailable, regardless of HOW it occurs.
Short-sightedness is also evident within IT departments and their approach to disaster recovery planning. IT departments often build solutions just for IT failure and assume this provides their organisation with a business continuity management capability. There is not much point recovering an IT system if the business itself is out of action due to a non-IT failure. A holistic approach is essential, not just to ensure the business is covered, but to ensure the IT solution is matched to the organisation’s needs.
We liken this IT-driven process to the ‘tail wagging the dog’. We have seen numerous cases where organisations allow their IT group to dictate the recovery of their business under the guise of business continuity management, and yet in a number of these cases it is quite evident that the process is undertaken in isolation from the business, or with insufficient buy-in from the business. IT solutions created in isolation are typically based on broad assumptions about the business needs, often under-catering for or ignoring key business needs, or over-catering with expensive rapid-response infrastructure that may not be essential.
Business continuity management plans must be developed based on organisational drivers, taking into consideration the impacts if the business cannot deliver its goods and services and hence fails to generate its normal outputs. The organisation clearly needs to understand the consequences if this capability does not already exist.
We feel that the best approach avoids the problems above by focusing on the recovery and restoration of affected resources, and therefore does not depend on a given disaster, such as a fire or IT failure, to trigger the business continuity plans and the business recovery processes.
Our mantra is that ‘disasters are infinite whilst resources are finite’, and hence business continuity plans should be structured around restoring the business, irrespective of the nature of the disaster, by identifying the key resources that enable a business function or process to be performed.
It is seeing first hand the impact that these failed plans have had that encouraged us to create a business continuity management methodology which enables organisations to achieve their business recovery within predetermined timeframes, irrespective of the nature of the disaster.
Our methodology is based on the collective experience of delivering business continuity and disaster recovery solutions for over 30 years across a diverse and wide ranging number of industry and government sectors. Furthermore, it takes into consideration the various standards and, in particular, the BCI’s Good Practice Guide.
Our BCM methodology consists of six modules structured as follows:
It is in stage two of our methodology where we facilitate our business impact analysis workshop involving the organisation’s key business managers. During the BIA workshop, the business managers identify their respective business functions, determine their outputs and assess the recovery time objectives (RTO) for each business function. As part of this process, we also validate the RTO by qualifying the impacts to an organisation if an activity is unable to be performed.
It is in the resource dependency analysis workshop that the key resource owners, including IT, are actively involved. Their involvement is to determine which resources enable the business functions to operate and their outputs to be generated.
These resources are subsequently broken down into the following categories:
1) Business resources (e.g. fax, photocopiers, staff, application software, etc.)
2) Support resources (e.g. network drives, servers, PABX, etc.)
3) Infrastructure resources (e.g. computer rooms, storage facilities, etc.)
The segregation of resources into these categories creates a direct relationship between a business resource (such as software) and a support resource (a network drive or server), which in turn is linked to an infrastructure resource (such as a computer room).
Once the governance group has determined which business functions are in scope, the organisation then develops fully costed strategies based on the recovery of each of the key resources. The business managers then determine their preferred recovery strategy and, once it is endorsed by the governance group, proceed to develop step-by-step procedures for the recovery of each of these key resources.
It is these resource recovery procedures that form the basis of the organisation’s recovery plans, as it now knows what resources need to be recovered, the survival quantities and the recovery time sequence for each critical business function.
As can be seen, the methodology is clear and logical in its approach and ensures that organisations have business continuity plans focused on recovering the business, irrespective of the nature of the disaster.
Date: 19th May 2006 • Region: Australia/World • Type: Article • Topic: BC plan dev.