Ian Charters responds to a recent article ‘Business continuity - are we still missing the point?’
Dominic Hill’s recent article ‘Business continuity - are we still missing the point?’ questioned the emphasis of BS 25999 on recovery and plans by reference to a dictionary definition of ‘continuity’. He appears to argue from the definition of ‘unbroken and consistent existence’ that correct design and location of a resilient IT system could make it unnecessary to maintain and exercise recovery capabilities.
Having quoted a definition for ‘continuity’ one should also do the same for the other word ‘business’. One web definition gives ‘a commercial or industrial enterprise and the people who constitute it’ - but no definition mentions IT as a necessary or even key requirement of an entity to be a ‘business’. That many organisations have a reliance on IT is obviously true but it is equally true they have a reliance on staff, premises, suppliers and many other resources. Therefore it is suggested that business continuity management’s objective is to ensure the ‘unbroken and consistent existence’ (continuity) of the business not necessarily that of the various support services (such as IT) except, perhaps, when the company’s business is in providing IT services to third parties.
The BS 25999 standard is very clear that the scope of the business continuity management programme is focused on the delivery of the products and services of the organisation. This is because the success or failure of the response to a disruption will be judged, not by the organisation itself, but by those to whom those products and services are delivered. So does such delivery have to be ‘unbroken’?
In reality, demand for almost all services is irregular and tolerant of some disruption. With the exception of life support systems, air traffic control and emergency control rooms, there is a tolerance by customers of service unavailability for a period of time, which may vary from minutes to weeks depending on the service. We do not expect services from many businesses over holidays and weekends and, in reality, how many people change their bank immediately every time an ATM stops working or their on-line service is unavailable? It may also be possible for the organisation to provide an acceptable service to customers for a period of time without the use of IT systems, or to contract another company to provide the service for the duration, thus possibly dispensing with the need to resume anything for a while.
There is a cost to recovery services but there is also a high cost of installing and maintaining fully resilient systems across multiple locations. Continuously available IT systems will be a significant outlay and a continuous drain on the finances of the organisation and therefore take considerable justification if their non-availability can be tolerated by the business for more than a few hours. Indeed, other organisational resources may actually be more urgently required than internal IT systems and may therefore demand resilience more than IT. This is why the BS 25999 standard lays such stress on ‘understanding the organisation’ before attempting to provide business continuity solutions.
In addition, resilient systems are, by their nature, complex and, while they may offer higher availability during ‘normal’ situations, they require more expensive disaster recovery solutions and more expertise and time to resolve problems when they do fail.
More worryingly, the article seems to suggest that a properly designed resilient IT system does not require a recovery strategy or exercising, justifying this with the cliché ‘would it not be better to avoid the incident in the first place’. There seems to be a widely held belief that labelling a threat as ‘unlikely’ stops it happening, to the point where it can be ignored. It is true that obvious measures should be taken to reduce risks and disruptions. However, we have to appreciate that, because every location and organisation is unique, the statistical information to label a threat as ‘unlikely’ with any level of certainty does not exist. Therefore, where the outcome could threaten business survival, this uncertainty should be taken into account. As Nassim Nicholas Taleb says, warning about the narrow focus of specialisms in his recent book ‘The Black Swan’: “We can't get much better at predicting. But we can get better at realising how bad we are at predicting.”
So the aim of business continuity management is, surely, to enable the organisation itself to remain unbroken and continue to exist during and after a disruption. Determining appropriate resilience and recovery strategies to achieve this requires a deep understanding not only of the organisation and its operation but also of the market in which it operates. This should focus primarily on its customers, but also on its competitors and its other stakeholders, and on how and over what time period these would react during a disruption. Only then can the recovery timescale of activities and support services be defined to provide the required level of continuity.
Ian Charters, FBCI is an independent consultant and training presenter with Continuity Systems Ltd and a member of BSI’s BCM/1 Committee. ianc@continuity.co.uk
Date: 3rd January 2008 • Region: UK/World • Type: Article • Topic: BC general