|
By Leslie Whittet.
Let me begin by saying that this paper is based upon experience in the Australian environment; whilst I suspect that it has a fair degree of universal applicability I leave that to the reader to determine. My assessment is that we have lost sight of the business continuity management program in most organisations. In some cases it is probably fair to say that there never was such an animal at all; rather that a ‘middle down’ or ‘bottom-uppish’ (not too far up!) attempt was made to develop something that may be labelled as a business continuity plan (BCP).
Over the last few years there has been a strong focus on the need to develop BCPs in both industry and government. All sorts of events have triggered this ranging from 911 and other terrorist events to climatic events and regulatory pressures. Those of us who practise in the BCM discipline are pleased to see this as evidence of increasing commitment to good business continuity – to a desire to build real business resilience. This, after all, is a critical component of good corporate governance. A second wave of business continuity effort is well and truly in progress at this time – I refer to the number of exercises being conducted against the BCPs.
Once again, practitioners are delighted to see this most critical aspect of the business continuity management program receiving the attention it so richly deserves. It is largely through repetitive exercises that we develop understanding, skills and confidence in our business continuity teams; identify potential improvements to the plans; and foster a knowledgeable and enthusiastic BC culture throughout our organisations. Nor should we overlook the fact that there is a broad spectrum of ways to exercise BCPs ranging from such things as verifying a telephone tree on a Sunday afternoon, to a full blown simulation involving emergency services and effectively exercising the whole BCP.
So, we are agreed that business continuity plans have been developed and that exercises have been/are being conducted. Well known Goon, Bluebottle, would probably say, “these are jolly good things what you are doing”, and I would certainly agree, but I would add that we need to stop and review our commitment to the WHOLE business continuity management program. The imminent release of BS 25999-2 is an excellent wakeup call providing, as it does, a concise and straightforward specification against which to assess a BCM program in its entirety. Indeed some of us have already developed review/audit tools that are largely based upon this stellar standard. It is to be hoped that the release of part two will cause all organisations to see beyond the BCPs and the exercises.
I stress, once again, that the BCPs and the exercises are absolutely critical components of the BCM program, of course they are. Unless the program itself is subject to review and ongoing maintenance the foundation for the BCPs and thus the exercises may end up being a crumbling cliff-top and all will gradually sink into the sea! Organisations often undergo frequent change in today’s business world and we are all subject to regulation to a greater or lesser extent. Structural change, mergers, changes in risk appetite – the list is almost endless and all of these factors may impact upon our BCM program and its several components.
Some organisations do attempt to integrate consideration of their BCPs into their key planning processes, but even in this leading group few go back to square one. How many organisations, on a periodic basis review:
* The business continuity policy;
* The key products and services;
* The maximum tolerable periods of disruption;
* The critical activities;
* The BCM program resourcing and funding;
* BCM training and effectiveness;
* Progress on agreed actions arising from incident and exercise reviews
* The validity and continuing applicability of the business impact analysis (BIA).
* The consequent strategy for business recovery.
I would suggest that most reviews go no further than the BCPs yet the organisation may have changed to such an extent that the BIA, today, would yield quite different results to when it was first undertaken. As a consequence the strategy forming the basis for the BCPs may also require significant review. Sure some of the plans will have been updated to accommodate a new process here and there, or some new ICT capability, but no systematic approach has been undertaken to ensure that the wheel remains round rather than having an irregular shape with random air bubbles, patches and punctures!
It is as though organisations have become trapped in a loop comprising just two steps – developing BCPs and exercising BCPs. Reference to the BS 25999 BCM Lifecycle will clearly show that far more is required. There is a very real danger that the BCPs themselves will, over time, become quite dysfunctional and unsuited to the current needs of the organisation if due attention is not given to the entire BCM program.
Much of what contributes to effective business recovery is really in the preparatory planning and this aspect gets primary focus during the BIA and strategy development phases. Unless there is organisational commitment and a process to revisit these BCM foundation steps, it is likely that we will experience a widening gap between our business resilience capability and what is potentially achievable. In other words we are diminishing the real value add that effective business continuity management brings to an organisation.
Whether you have implemented a full BCM program, or have undertaken some less comprehensive business continuity planning activities, I urge you to stop, take a deep breath and plan to put your house in order. BS 25999 parts 1 and 2, augmented if required by the Business Continuity Institute (BCI) Good Practice Guidelines, (http://www.thebci.org/gpg.htm) will provide a thorough description of what a BCM program should look like and how to get there. If you are new to the game it will pay to get assistance from an experienced professional. A BCP is not enough. A BCP plus exercises is not enough. Only a properly implemented and maintained BCM program will deliver maximum business resilience and all of the benefits that your organisation should rightly be seeking.
Author: Leslie T Whittet FBCI MACS MRMIA
Managing consultant
Leslie Whittet & Associates Pty Ltd
whittetl@netspeed.com.au
MAKE A COMMENT
•Date: 14th Sept 2007• Region: Australia/World •Type: Article •Topic: BC general
Rate this article or make a comment - click here |
