
Is business continuity diverging?

By Ian Clark FBCI

I was prompted to write this short article following a statement made at the recent Gartner Data Center Conference in the US, where Gartner vice president and research fellow Ken McGee reportedly stated that “standard business continuity plans apply only to geographically specific disasters, such as floods, earthquakes and localized man-made disasters.”

This statement engendered three reactions in me:

1) I have yet to come across a ‘standard’ business continuity plan. It led me to question whether such “standard” plans are the ones generally advocated by the big corporate auditors as adequate for the organisation during a ‘tick in the box’ audit.

2) Where such ‘business continuity plans’ are merely enhanced disaster recovery plans, developed using a scenario-based plan development methodology, they will invariably fail to provide any form of continuity capability if the incident falls outside the scope of the mundane ‘fire, flood, hurricane and power outage’ scenarios. This raises the question of what chance an organisation driven by action-oriented checklist plans has of providing continuity of service in an unanticipated or multi-scenario incident.

Business continuity management has progressed into the 21st century and some of our more progressive practitioners recognise that there needs to be a great shake-up in thinking about what constitutes the scope of BCM. A commonly held belief is that we have to promote the demise of scenario-based planning, dump the perception that IT systems run businesses and move away from simplistic analytical processes that generally only plan for the last recorded disaster. It’s time to stop writing a specific plan, or section of a master plan, for each specific scenario. Such an approach leaves most organisations with enough plans to create their own fire hazard. Are they then expected to write another plan to protect against losing their plans?

Simply evaluating all business functions within an organisation against three generic denial-of-access criteria (personnel, premises and business infrastructure) will generally produce a business continuity management strategy designed to enhance the organisation’s resilience within its own supply chain. The objective of a genuine business continuity management programme is to encourage a flexible response to any incident, coupled with the ability to evaluate whether the organisation is experiencing a normal ‘operational outage’ that can be managed through the normal operational management structure, or a potential ‘gob stopper’ in which all contingency measures, including business unit plans, need to be activated. In the latter case the appropriate level of tactical response must be directed towards the safety of personnel, continuity of service, adherence to legislative requirements and resumption of business (whether critical services only, or full business as usual), in a controlled and auditable manner.

3) Most importantly, however, the statement raised the question: is a transatlantic divide developing in the understanding of what constitutes business continuity management? Is the US view of business continuity management and planning activities diverging from the European view?

In reviewing the currently available standards and guidelines, we now have the British Standard BS 25999-1 and the US NFPA 1600 Standard on Disaster/Emergency Management and Business Continuity Programs in place. (I realise that NFPA 1600 is undergoing a review and overhaul, and that Canada is in the process of adapting it to suit its own requirements.)

My view is that the British Standard is a stand-alone business continuity management code of practice, whereas NFPA 1600 addresses business continuity as a subservient adjunct to disaster and emergency management. It appears as though the British Standard advocates a proactive approach, whereas the US standard places its emphasis upon the reactive nature of business contingency planning.

There is also a perception that some US-based organisations regard business continuity as belonging in the computer room, not the board room. This perception is evidenced by the wording of some current advertising material, which implies that employing a proprietary hardware or software solution ‘guarantees’ an organisation’s business continuity. Isn’t such a statement a sure opening for a class action lawsuit in the litigious US when the client business fails despite the solution?

The US/European divide became increasingly apparent to me when I was working with a US-based IT service organisation that refocused its primary efforts on IT service continuity, operating within the overall ITIL service delivery framework. IT service continuity management can be addressed as a project, incorporating IT high availability solutions, whereas business continuity management needs to be addressed as a dedicated, business-focussed programme across the organisation.

With the publication of PAS 77 from the British Standards Institution, giving some definition to ITIL / ISO/IEC 20000 service continuity management requirements, there should be a realisation that IT disaster recovery and IT departmental business continuity planning efforts exist to support the enterprise business continuity management effort as espoused in the BS 25999-1 code of practice. The purpose of IT business unit service continuity is surely to provide continuous availability of the business information administered by the IT department, as dictated within the terms of a service level agreement.

Information security practitioners should also come to the realisation that their discipline doesn’t own business continuity; information security management is in fact a critical support function of the ‘enterprise business continuity management environment’. Any dissenters should be encouraged to carefully peruse BS ISO/IEC 17799:2005, section 14, whose introductory text states: “Information security should be an integral part of the overall business continuity process, and other management processes within the organisation.”

Finally, how do we, as business continuity management practitioners, get the message across that we’re all in this as a team? How do we get the message across that spending all our energies claiming ascendancy over other disciplines serves no purpose in terms of enhancing the greater understanding of what should be regarded as a holistic approach to business continuity management? What BCM control objectives will be contained within BS 25999-2? But of course that’s an entirely different subject for discussion!

Ian Clark


Reader comments

Mmm - having read Ian Clark's article, it begged one question: 'When was BCM thinking ever joined up globally?' In truth each country and culture has many diverse views about the whole subject, and it has for ever been a 'night-time sport', not a core discipline, and that's where we as a body of knowledge have failed to capture the hearts and minds of 'the board'.

The question of why is, I believe, simple: we have made the subject too difficult/teccie and have been unable to articulate the true business benefits in a simplistic manner. In my experience, if we cannot capture the ROI in simple terms, i.e. one A4 sheet, the average board member just switches off.

So, our immediate mission, 'should we wish to accept it!', is: simplification; simplification; simplification.

Mike Mikkelsen FBCI MCMA
Redan International Limited


Well done. I totally agree. The fact that business continuity practitioners struggle with IT driving BCP is a symptom of a greater problem. In too many organizations, IT doesn’t just drive BCP, it drives the business. The business units must drive technology choices such that the business goals are achieved efficiently and effectively.

In the article, you refer to “personnel, premises and business infrastructure”. Our plans are based on the loss of one or more of technology, staff and/or facilities. Essentially, the same concept. I am delighted to see independent verification of our strategy.

Ray Cross, CISA
Business Recovery Analyst


I believe Ian Clark's third point, cited in the recent article "Is business continuity diverging?", to be inaccurate.

Two points he uses seem to be very evident of this inaccuracy. The first is his use of advertising as an indicator of professional practice. BC professionals cannot control the vendors or the marketing departments that create the ads. These ads do not represent the way I feel as a business continuity professional, and I am sure this opinion is held by many.

The second point he makes is that an "IT service organization ... refocused its primary efforts on IT service continuity." Okay. It was an IT service company focusing on IT continuity. It was not a business continuity consulting company refocusing on IT continuity. It seems, by the way it was portrayed, to be a company attempting to play to its strengths. I for one would not hire an IT service organization to do my business continuity planning. On the other hand, if he was referring to an in-house IT department focusing on its own continuity… well, isn't that within their realm of ownership? Shouldn't they be accountable for their continuity of operations?

As a professional in this field, having read the very high-level BS 25999-1, I believe that it is in line to a large degree with what many envision a BCM program to be. It follows much of the 10 Professional Practices provided by the Disaster Recovery Institute International, a body of knowledge that I for one follow more actively than the NFPA standard.

I would hope that in the future US practitioners are not judged by the actions of a marketing slick, the intents of a singular IT group, or the standards from a largely emergency management focused specification.

As a small insert, just as it was in the article, I highly doubt that the ongoing debate of security vs. BC/DR was moved at all by Mr. Clark's reference to one sentence written in an international standard. I suppose, by the sentence quoted, that the majority of corporate functions should fall into the BCM domain, since it includes "other management processes within the organisation."

Brad Grissom, CBCP

Date: 6th Feb 2007 • Region: Various • Type: Article • Topic: BC general
Updated 8th February; updated 9th February.




Copyright 2008 Portal Publishing Ltd