Source: Article Title. Contingency Planning & Management. January, 2003: pp 15-17. Reprinted with permission from Witter Publishing Corp. Content contained on www.ContingencyPlanning.com.
by: Paul Kirvan, CBCP, CISSP, FBCI
The concept of business continuity, as it applies to information systems, dates back to the early 1970s. But if we really think about it, protecting business and personal information has been around for much longer than that.
We can imagine previous generations with valuable information and assets to protect. Kings, queens, military leaders, scientists, artists, philosophers, and regular citizens all had items they needed to safeguard. Today, though, those "assets" have morphed into a global network of electronic information systems, and the protection process has evolved considerably. So, for the sake of this article, let's assume our profession celebrates its 30th birthday in 2003. It's a milestone, and maybe also a turning point. And in light of recent events, it's time to take another look at business continuity.
To that end, CPM recently held a question-and-answer session with our Editorial Advisory Board regarding the state of business continuity today. The commentary we received as part of this effort paints a picture of an industry that has made significant progress in some areas, but yet has a long way to go in others.
What's wrong with business continuity as it currently exists?
Paul Boggini, Intel Corporation: Business continuity certainly seems to be gaining steam, but as a profession, I think we should document the high-level return on investment (ROI) — probably more in words than numbers at this point — of the BC work in which we are engaged.
We need examples of where BC has been done well and provided real value to companies (financial firms in New York City that stayed in business post-September 11), and we probably also need examples of where BC was not in place and how companies suffered.
Richard Corcoran, Eastman Kodak: Despite the tragedy of September 11, business continuity is still struggling to gain senior management acceptance. And despite the economy and the tendency to downsize, businesses must not leave themselves vulnerable; they must allocate resources to business continuity.
Steve Higgins, EMC Corporation: I don't think there is anything "wrong" with business continuity per se. Having said that, I believe the fundamentals of the BC industry are in question. Many companies believe that they need to control more of their BC capabilities. One effect of this is to shift away from traditional disaster recovery strategies. If the large-size, big-dollar customers decide to focus on internal recovery, it will take 10 to 20, maybe 30 new customers to fill this void. One can quickly see that this dynamic could significantly upset the existing balance, potentially limit recovery options for medium to small customers, and potentially impact the BC value chain.
Kathy Lee Patterson, Temple University Health System: In order to answer that question, you have to understand that all industries address business continuity in different ways. Each industry requires different levels of business continuity and disaster recovery. Since industries differ so much on structure, resources, assets, regulatory requirements, and funding, business continuity achievements also differ.
In my years in health care disaster recovery, it's obvious from attending conferences and reading articles that the health care industry as a whole falls far behind in BC development. Since our primary mission is healing human life, most funding is directed toward clinical technology and research. The new HIPAA (Health Insurance Portability and Accountability Act) regulations have forced business continuity/disaster recovery into the forefront for health care organizations.
Scott Ream, Virtual Corporation: There's nothing inherently "wrong" with business continuity. We are members of a relatively young (immature) business discipline. As such, there are many opportunities for improvement. Many companies focus excessively on technology recovery and little on continuity of their non-technical infrastructure (people, process, tools). Others have a myopic emphasis on crisis management — perhaps due to September 11 sensitivity — with minimal attention to recovery or restoration planning, testing, and education.
Jeremy Smith, Deloitte & Touche: Business continuity is still seen as a recovery planning exercise with a slightly broader scope. Instead, it should be focused on business resilience and recovery.
The level of BC ownership within business is changing, as more companies endorse BC within their corporate strategy. BC is perceived as a "softer" issue within the risk management industry, and is still viewed as an information technology issue. Do plans really address all risk scenarios (market and credit risks, customer business failures)?
BC professionals must increase their visibility in the boardroom.
Brian Turley, Strohl Systems: There seems to be a lack of formal business continuity training at our institutions of higher education. The addition of BC-related courses would greatly help in supplying educated and qualified professionals to support our growing industry.
Steve Yates, Telewest Communications plc: From a United Kingdom perspective, numerous factors must be considered. Since 2000, the business continuity industry in the UK has imploded. Today roughly 10 percent of existing UK companies provide business services; hence, fewer options are available.
Next, the number of BC magazines in the UK has dwindled to one: Business Continuity. Having said this, Survive relaunched its magazine, and Corporate Insurance & Risk was renamed Continuity Insurance & Risk.
Another concern is the availability of seminars and training. Today Survive and IIR seem to be the principal players in this market. Professional organizations, such as the Business Continuity Institute, seem to have different agendas and/or financial difficulties, and hence are not pulling in the same direction.
Finally, the government has not yet fully supported BC. While they have moved forward to support corporate governance and information security management issues, at this time there seems to be no "joined-up" approach or standard. Until we can heal some, if not all, of these "ills," business continuity will remain in intensive care.
What must the profession do to gain recognition and acceptance at the highest levels of a company?
Boggini: We need to validate our profession, and make sure senior management understands what BC buys us — insurance — and what the risks are if we decide not to invest in BC.
Corcoran: Within the financial community, for example, business continuity is accepted; this is not the case in other industries. BC professionals must demonstrate the potential vulnerabilities of the firm, and that the company is responsible for business continuation.
Higgins: Executives in most companies need to feel they are spending their money wisely and that the investment is balanced against their risk portfolio. I think we as BC professionals need to communicate more on a financial/investment basis.
Patterson: If you can prove that business continuity is adding value to the organization, you will gain recognition and acceptance. You demonstrate value through incorporating policies and procedures into your practices that are professionally founded, tested, and consistent with the needs and requirements of your organization. In addition, obtaining accreditation is a strong force. If we are all united and saying the same thing, then our voices will be stronger.
Ream: The key lies in defining and marketing internally the essence of the pure "business case." Senior management is driven by a discernible set of business guidelines. Business continuity value must be defined in this context.
Smith: We must lobby for proper legislation and regulations; communicate the correct message about BC to industry; increase educational programs and standards; promote the industry at business management courses and conferences, universities, and other relevant venues; and keep abreast of economic and technological change so that BC products and services will meet market needs. Finally, we may need to evolve BC into enterprise risk management, so that BC incorporates risk management.
Turley: Information is key. We need to conduct more studies that show BC's value or ROI. If senior executives could see a monetary value, they would be more willing to accept the costs associated with planning.
Yates: Having said that BC is in "intensive care" here in the UK, some important improvements include two new industry magazines, a new BC course at Coventry University, and the BCI's [Business Continuity Institute's] efforts to develop standards for training material and work with the government to produce standards and benchmarks.
What can we as professionals do to encourage this acceptance?
Boggini: We can emphasize the "big picture" on what we propose, and we should also use risk assessments to give senior management real choices (tradeoff risk and dollars) of what they would like to implement, and when.
Corcoran: Senior managers and executives must be made aware of the risks of not having business continuity through continued promotion of BC awareness and training programs.
Higgins: I believe we need to elevate the discussion from a cost-based/insurance-based discussion to one of investment. The true value of business continuity only occurs when it becomes integrated in every new application and business process.
Patterson: Sound professional practices will be recognized if they are demonstrated as part of an overall plan — policies, procedures, business impact analyses, risk analyses, testing, etc. Business continuity standards need to be followed; this will lend more credence to you as the professional. Get certified with the DRII [Disaster Recovery Institute International] or BCI and follow the best practices outlined by those groups. Do not take shortcuts. If you've ever listened to a speaker or read an article that seems really off base, you realize how important proper training is. How seriously are we going to be taken as professionals if we contradict each other?
Ream: Business continuity professionals must demonstrate the ability to understand the businesses they are in, translate identified exposures into tangible, reasonable business examples that resonate with senior management, and have the communication/presentation skills to be heard.
Smith: We must define and implement senior-level BC positions. This will help propagate the importance and status of BC. We must continue to deliver high-quality results and aggressively position BC on the board's agenda. We need to continue personal and professional development, increase the profile of BC conferences by attracting big-name speakers, build BC into business processes, develop new BC procedures, and market, market, market!
Turley: We should be willing to share information, statistics, and best practices. This industry has traditionally been affected by a lack of information and a lack of sharing. That needs to end.
Yates: Professional organizations and associations, government agencies, and universities must agree to a "joined-up" approach to emergency management and business continuity, thus delivering a public/private partnership.
What else is needed to move business continuity up on senior management's short list?
Boggini: I think we need to promote industry standards on what percent of our respective scope/budgets should be directed toward BC. If senior managers know that approximately 7 percent of their effort and dollars should go toward BC (similar to discussions on R&D spending), this will help further embed BC into senior management thinking and in the way we all run our businesses.
Corcoran: We must not let complacency ruin business continuity. In some areas, the memory of September 11 is starting to burn out, yet we are constantly in terrorists' gun sights.
Higgins: Let's have clear regulations with penalties, and better define the impact of the business continuity value chain.
Patterson: September 11 woke up many CEOs to what we have been trying to get them to realize for years. Business continuity needs to be a partner with the rest of the organization. Federal regulations are usually effective in getting senior management to notice, but are often open to interpretation. One case in point is HIPAA, where some organizations are ramping up to prepare for HIPAA, while others are doing very little and waiting to see how heavily it is enforced. Documentation on business functions is very important. Instead of what-if stories, present well-researched data defining the risks and what can be done about them.
Ream: Many other business disciplines have developed objective measurement tools for evaluating the effectiveness and maturity of their programs. BC professionals will benefit from the development of a standardized maturity model. Once this tool is broadly adopted, organizations will have an effective means of comparative analysis and potentially an effective organizational certification tool.
Turley: Unfortunately, regulations may be needed to jump-start BC in numerous industry sectors. For example, the health care industry is very focused on HIPAA. Regulations will only improve the resilience of each industry and of our economy as a whole. When regulations become accepted, standards and education will undoubtedly follow.
Yates: The BCI is currently working with government bodies to deliver standards and benchmarking. Their key work is with the BSI on proposed BC standards. And with a focus on public/private partnerships, our patient (business continuity) should soon be off the "critical list" and moving toward full health in 2003 or 2004.