Tips for evaluating a business continuity as a service provider
- Published: Thursday, 10 August 2017 08:23
Business continuity as a service (BCaaS) is an emerging trend in the market. Steve Dance looks at what BCaaS is and what questions you should ask any potential business continuity as a service provider.
A number of existing disaster recovery as a service (DRaaS) service providers are looking to expand their offering to include business continuity as a service (BCaaS). This is hardly surprising: virtualization and cloud service offerings such as Amazon Web Services and Microsoft’s Azure have enabled many to enter the DraaS market without incurring the capital expenditure of establishing a physical data centre / center. This is good for the purchaser of these services – technology improvements and fierce competition have lowered costs - but for the players in the market it creates pressure for them to differentiate in order to stand out from the myriad of ‘me too’ suppliers. The problem is of course as soon as one supplier ‘puts it out there’ that they are offering business continuity as a service, others will follow with similar assertions, regardless of their intrinsic capability to deliver the service. (By the way, I’m not implying dishonesty here, but in a competitive arena it’s very tempting to announce ‘we can do that, too’, without fully understanding what’s required to deliver a world-class BCaaS capability.) So be prepared, if you are offered business continuity as a service: here a few questions that you should be asking of any supplier.
Business continuity as a service allows an organization to outsource maintenance of your business continuity strategies, response plans and assurance framework and should cover, as a minimum, undertaking the activities to ensure strategies and plans are relevant, fit for purpose and are proven to be effective. In essence, BCaaS is a business continuity management system (BCMS) that is operated by a third party.
Some of the main considerations for evaluating a business continuity as a service supplier are:
How does the supplier embed a management process in your organization?
This really is a success or failure issue. Offering to operate a business continuity management framework (or any other risk/compliance framework for that matter), requires that an external organization is capable of ‘keeping a finger on the pulse’ within your organization. This means that they can see what’s going on (or not going on) and can collaborate across physical organization boundaries. This requires more than a ‘how’s it going’ email and a few conference calls. What this requires is that your BCaaS supplier is capable of continuously acquiring actionable intelligence of the status and disposition of all aspects of your business continuity activities.
Do they know how to deploy business continuity as a service?
Another success or failure issue: providing BCaaS is not the same as developing a business continuity plan or providing access to a platform, it’s a continuous process and your supplier needs the skills and knowledge to ensure sustained adoption of the service throughout your organization. They’ll need to show that they can advise you of the implications of deployment, how to drive adoption of the service and how you – the customer – can monitor adoption and engagement
Will they use someone else’s work?
Do you have to adopt your supplier’s methodology or can they absorb your current framework? If you have something that works for you and is familiar to your organization, do you really want to rework it completely? It may be out-of-date, but a short remediation project could be all you need to make your plans ‘fit for purpose’. And what if you have a BCM consultant in place who knows your organization and with whom you want to keep working: can you continue with this relationship and have the flexibility for your existing consultant to operate the supplier’s BCaaS platform?
Do they go beyond plan content maintenance?
Ensuring that the content of plans and strategies is well maintained is basically a content management activity which can and should be automated, but a business continuity management system is more, much more, than this. When looking to appoint a BCaaS provider, ensure that they can do more than host your plans. Look for capabilities like:
- Operation of an overall assurance framework including, but not limited to incident management and business continuity exercises;
- Creation and delivery of awareness management campaigns;
- Issue tracking and management (with something a little more sophisticated than spreadsheets!)
Business continuity as a service done well will solve many of the perennial problems associated with the adoption and operation of a business continuity management system. Delivered with the right tools it avoids trying to manage a process via a blizzard of spreadsheets, freeing people up to focus on high value knowledge work. But choose your supplier well because, as the idea gains momentum, BCaaS could become a ‘fashion’: make sure that would-be suppliers have the tools, skills and capabilities to deliver the service you are being asked to pay for.