I frequently hear from other BC/DR professionals who are either unable to secure funding or gain support from senior management for their efforts. Year after year, they continue to press on with the same approach and message, hoping that some day something within the organization will change. The problem is, nothing within the organization will change until we change ourselves.
For business continuity management to be more widely recognized as a professional discipline and elevated to a boardroom level issue, we need to get out of our comfort zone and go beyond the mainly IT-centered approaches taken over the last 25 years. If you ever want to be a "chief continuity officer," then you need to talk and act like one. The good news is that most of us already have the tools and experience to bring about this change using the business impact analysis (BIA) as the foundation.
The BIA and Strategic Convergence
At its core, a properly designed BIA should identify the value of business processes within the organization and cascade that value data to all of the supporting "stuff" that makes the processes work (hardware, software, people, facilities, etc.). Business impacts and the resultant formal and informal determinations of criticality drive decisions throughout the organization every day.
In a 2003 survey conducted by Continuity Central, only 31 percent of large companies were found to re-use their BIA information outside the confines of the business continuity area. Why is it that so many of us only position the BIA as something needed to drive the business continuity or disaster recovery efforts? If we ever hope to effectively compete against other initiatives for the limited corporate funding that is available, then we need to make a compelling business case that demonstrates strategic value to the company and its executives.
Some practitioners have already recognized the value of convergence, bringing together security, risk management, and business continuity under one umbrella. We need to expand our vision even further than that. The time has come to position the BIA as the foundation for effective strategic decision-making throughout the organization. By using the same base information for decision-making in all areas, we can achieve better, more consistent results as well as ensure reliable cost/benefit analyses and effective risk management.
Expanding our Vision and Demonstrating Business Value
Many areas within our organizations perform some type of limited impact analysis or cost justification on their own, with each one using different criteria and methodologies for defining whether or not something is "critical." This duplication is unnecessary, inefficient and costly, and usually results in ineffective operational controls.
If we expand our vision outside of the traditional boundaries and position the BIA as a tool to address inefficiency, reduce costs, and improve due diligence and fiduciary responsibility, we’ll be well on our way to speaking the language of senior management. So, by now you are probably asking yourself, "How in the world am I supposed to make this happen?"
Even if you are buried somewhere deep within your company’s IT organization, you can still initiate this transformation and begin selling the ideas to senior management. Both within and outside of the traditional boundaries of BC and DR, there are a number of internal functions you can partner with to demonstrate tangible benefits from refocusing the BIA as an overall strategic management tool. Below are some ideas:
At its most basic level, "risk" is defined as the combination of the probability and the impact of an event. If we’re assessing business impacts in the BIA, doesn’t it logically follow that we should be leveraging that same data in the risk management area? Conversely, if you haven’t kicked off your BIA effort yet, maybe the risk management department already has the impact data you need.
Identifying what is most important to the business, and then identifying the potential threats that could impact those things, properly directs investment into pre-disaster prevention or risk mitigation efforts. How much investment into redundant facility infrastructure or network resilience is prudent based upon the potential impacts? What about the impacts of consolidating manufacturing sites, or of reliance on single vendors creating potential single points of failure in the supply chain? Clearly, a properly conducted BIA should be an integral part of a wider risk management program.
If you don’t know exactly how much is at risk of loss, then how do you know how much business interruption insurance coverage is needed? Work collaboratively with your corporate insurance department. They probably have some of the impact data you need, and they can also use your completed BIA in their efforts. Once your company has used the BIA data to build a solid business continuity capability, your insurance department may be able to negotiate better premiums with your carriers by clearly demonstrating the "duty to mitigate losses" has been addressed.
Information Lifecycle Management
Most companies have only two tiers of storage, usually consisting of very expensive disk arrays and tapes. What ILM aims to achieve is the proper protection of data according to its criticality and its present value to the organization.
As a prerequisite to ILM, disk storage must first be managed centrally as a commodity resource so that corporate assets can be effectively utilized (i.e., not having multiple disk frames "owned" by individual departments with minimal utilization). The cost savings from this consolidation and resource management alone are substantial, but this can be taken even further.
With ILM, the idea is to store the most valuable data on the most reliable ("five nines") and most expensive disk. Data that is less valuable or is not immediately essential to continuing business operations can be moved to a lower-tier storage device ("four nines") at a much lower cost. The bottom line is that you really can't do ILM effectively unless you have data from the BIA as a foundation.
When using the BIA in your ILM efforts, make sure to work with your records management department to accurately identify vital records and implement rational and cost-effective ways to "keep everything forever." Managing historical data in a more economical archive tier rather than keeping everything stored online can deliver substantial savings.
Should hardware and software support agreements provide a four-hour "emergency" response, or would next-day response be sufficient?
The answer is, it depends. The criticality defined by the BIA should drive the model for making these decisions. In many cases, companies have contracted a rapid response for a hardware failure, but that same hardware isn’t even covered in their disaster recovery plan. Implementing and maintaining an impact-based support model where response time is balanced against business impacts should result in both appropriate levels of coverage and lower support costs.
Security and Information Protection
Using the BIA, you’re already identifying those things that are most critical to continued operations, aren’t you? Why then does that data rarely get passed along to the information security function as the basis for developing appropriate investments in protecting the most critical systems? Additionally, shouldn’t the handling of security advisories, alerts, and software patches be categorized by the criticality of the systems, thereby prioritizing your limited resources?
What about physical security measures for your people, property, and products? When you have identified which of your facilities are most important to the supply chain, call centers, etc., is that data then used to evaluate where those facilities are domestically and abroad so that proper protection measures are developed commensurate with the level of impact and the degree of risk?
Work collaboratively with your information security and physical security departments to integrate the BIA with the strategic planning efforts surrounding implementation of appropriate, impact-based security measures.
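The two ideas above, cascading BIA criticality from business processes down to the "stuff" that supports them and then using that inherited criticality to prioritize security advisories, can be shown in working code. The following is an added example written for this article, not code from the author or from any product; the process list, dependency map and advisory feed are constructed sample data, and the 1-to-5 impact scale and the severity-times-criticality ranking are assumptions of the example, not a method the article prescribes.

```python
"""Cascade BIA criticality onto supporting assets, then rank patches by it.

Assumed data model (constructed for this example): each business process has a
BIA impact score (1 = minor, 5 = severe) and a list of assets it directly depends
on; assets may in turn depend on other assets (application -> database -> array).
"""
from collections import defaultdict

# Constructed sample BIA output: process -> (impact score, directly supporting assets)
PROCESSES = {
    "order-entry":    (5, ["erp-app"]),
    "payroll":        (3, ["hr-app"]),
    "marketing-site": (1, ["web-cms"]),
}

# Constructed dependency map: asset -> assets it relies on
DEPENDENCIES = {
    "erp-app": ["erp-db", "san-01"],
    "hr-app":  ["hr-db", "san-01"],
    "erp-db":  ["san-01"],
    "hr-db":   ["san-02"],
    "web-cms": ["san-02"],
}

# Constructed advisory feed: (advisory id, affected asset, vendor severity 1-5)
ADVISORIES = [
    ("ADV-0001", "web-cms", 5),
    ("ADV-0002", "san-01", 3),
    ("ADV-0003", "hr-app", 4),
    ("ADV-0004", "erp-db", 2),
]


def cascade_criticality(processes, dependencies):
    """Return asset -> inherited criticality.

    Every asset reachable from a process inherits that process's impact score;
    an asset shared by several processes keeps the highest score it is given.
    """
    crit = defaultdict(int)

    def walk(asset, score, seen):
        if asset in seen:          # guard against cycles in the dependency map
            return
        seen.add(asset)
        crit[asset] = max(crit[asset], score)
        for dep in dependencies.get(asset, []):
            walk(dep, score, seen)

    for score, assets in processes.values():
        for asset in assets:
            walk(asset, score, set())
    return dict(crit)


def prioritize_advisories(advisories, criticality):
    """Rank advisories by vendor severity weighted by BIA criticality of the asset.

    Assets absent from the BIA default to the lowest criticality (1), so an
    unmapped system never jumps the queue on vendor severity alone.
    Returns a list of (advisory id, asset, combined score), highest first.
    """
    ranked = []
    for adv_id, asset, severity in advisories:
        crit = criticality.get(asset, 1)
        ranked.append((severity * crit, adv_id, asset))
    ranked.sort(key=lambda r: (-r[0], r[1]))
    return [(adv_id, asset, score) for score, adv_id, asset in ranked]


if __name__ == "__main__":
    crit = cascade_criticality(PROCESSES, DEPENDENCIES)
    for asset, score in sorted(crit.items(), key=lambda kv: -kv[1]):
        print(f"{asset:8s} criticality {score}")
    print("patch order:")
    for adv_id, asset, score in prioritize_advisories(ADVISORIES, crit):
        print(f"  {adv_id} on {asset} (score {score})")
```

With this sample data the shared storage array `san-01` inherits the order-entry process's top rating even though no process names it directly, and the vendor-critical advisory on the marketing CMS drops to the bottom of the queue behind a medium-severity advisory on that array: exactly the reordering of limited resources the paragraph argues for.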
How is the severity of an IT help desk call determined within your organization? Usually it is a "scientific" formula calculated by the number of users impacted, who is yelling the loudest and the management level of the person calling. Use the BIA data to design a framework that assigns severity of calls based upon the impact to the organization as a whole so that the things that are really important to continuity of critical business processes are taken care of first.
Unless you work for a government agency, your company competes against others for sales of your products or services. With that in mind, talk to your colleagues in the marketing department about strategically using the BIA-driven BC/DR capabilities as a market differentiator. If you can show that your company will continue to be in business and reliably supply whatever it is that you produce, and your competition can't make the same claims, your area might start to be recognized as adding value to the business rather than just as a cost center that drains the budget.
Basel II. FFIEC. Turnbull. Sarbanes-Oxley. HIPAA. The list of regulations related to internal risk controls, and especially those that specifically require BC/DR capabilities, continues to grow. With so many regulations, and so many high-profile legal cases involving companies and their officers failing to perform due diligence (or those committing outright crimes), your legal department should be a very willing and powerful ally.
Your chief counsel certainly has the ear of senior management, usually reporting directly to the CEO. When you reach out and demonstrate how much value the BIA has not only in driving the traditional area of risk mitigation and controls, but as a solid foundation for strategic decision making, your message will get through. If you’re working at a publicly traded company, you should also be actively involved in contributing to the reporting of risk controls in the annual report.
Business Continuity/Disaster Recovery
Even in the traditional area where the BIA has been used, we can make strategic improvements. By elevating the BIA to a board-level approach, companies can centralize budget authority and responsibility, resulting in decisions being made at a higher level and better protection of the overall business.
This elevation will eliminate the tendency of many companies to invest in BC or DR based upon a "best guess" of what is critical. It will also ensure that items which are not really critical to the business do not end up in the plan simply because a department had the budget to add it, or conversely, that something which should be covered is left out because that department did not have the budget to cover it.
Similar to the ILM concept above, disaster recovery and business continuity solution tiers should be developed based upon standardized and comprehensive criteria.
When the BIA data indicates a certain level of criticality, a "standard" type of solution is already defined. Whether it be mirrored systems, a duplicate manufacturing facility, geographic dispersal of call centers and workload shifting, or whatever, this consistent global approach will ensure proper protection of the business for its stakeholders.
Clearly, the BIA has the potential to be used as the foundation for so much more in our organizations. Will it be easy to make the transformation? Of course not.
Might you need to refine or enhance your existing BIA tools to support all these areas? Quite possibly.
But for those of us willing to take on the challenge, there is a tremendous opportunity ahead.
If we want the directors and officers to listen to us, we need to start clearly speaking the boardroom language of effective management, fiscal responsibility, fiduciary duties, and operational controls.
Only when more of us start to do that will we achieve the well-deserved recognition and stature that has long eluded so many in our profession. Build up your credibility as a "big picture" thinker, and the senior level support for any of your stalled BC and DR efforts will follow.
James G. Callahan, CBCP, has more than 16 years' experience in security, safeguards, BC/DR, and risk management. He is currently a senior process manager of business continuity and risk management at AstraZeneca Pharmaceuticals LP.
Appeared in DRJ's Winter 2007 Issue