DISASTER RECOVERY 
JOURNAL



Organization

Where Does Business Continuity Belong In Your Corporation

By JEFF DATO, MBCP

There are many obstacles along the sometimes menacing path facing contingency planning professionals, including gaining and maintaining executive support, analyzing potential risks and their impacts, determining the most cost-beneficial recovery strategies, building a robust yet simple continuity plan, and exercising and maintaining an effective planning and governance program. Negotiating each of these potential minefields requires adept skill, a little bit of luck, and the uncanny ability to keep each piece moving along the business continuity continuum simultaneously, until one day the program can be measured by an organization’s level of resiliency rather than by the ability to recover in a timely manner.
The movement along the continuum toward program maturity can be heavily influenced by the organizational placement of business continuity within the organization. This often overlooked aspect has a direct impact on a company’s ability to meet each of the aforementioned “obstacles” facing modern-day contingency planners. A key success word regarding the determination of a program’s placement is “access” – to decision-makers, to budgetary funding, to logistical support, to technological capabilities.
So what’s the “magic bullet” that will slay this dreaded beast? As is usually the case, the answer is surprisingly simple and stupefying – “it depends.”
In the early days of the contingency planning industry, disaster recovery – as it came to be known – was housed exclusively within the confines of the data center. Executives concluded the corporation’s most vital asset was information – information that was stored electronically on computers. The Office of the Comptroller of the Currency essentially echoed this sentiment when it released Bank Circular 177, which mandated the creation of technology recovery plans for all financial institutions, nearly 20 years ago.
Even today, most institutions, regardless of their industry, embark upon the contingency planning journey by addressing technology recovery, or disaster recovery, first. This is the area where the most perceived risk exists (rightfully so in many cases); accordingly, it is also where the programs are usually housed. Most begin as projects, which are temporary and have an “end” (versus a program, which does not) – a disaster recovery plan. By addressing only the risks brought about by technology failure, an organization is being shortsighted and not properly managing all the potential risks facing the entity. In this technology-focused effort, almost everything has a technology slant and solution, or so it appears. This leads one to believe that technology drives business, rather than the reality that business drives technology.
Compare this to a more mature program where business continuity is housed on the corporate side of the organizational chart. There is still a linkage to the technology piece (disaster recovery) and, typically, to the crisis management organization as well. While this practitioner has seen it report to many different areas, including audit, accounting and finance, engineering, facilities, general services (mail, transportation, purchasing, etc.), human resources, legal, marketing, operations, risk management (insurance) and security (logical and/or information), each company is vastly different structurally and organizationally and can make the process work without much regard as to who owns the overall process.
Regardless of which area “owns” business continuity management responsibility, one must understand the importance of having that accessibility to key decision makers, process owners, logistical support, and technology capabilities. Given that the key infrastructure support pieces are business process-based, it would behoove a company to place this cross-functional operative amidst these areas.
So where does it belong? The last few years have seen leading organizations begin to integrate business continuity with risk management. The rationale behind this move is that business continuity – in its core being – is simply a component of an overall enterprise risk management program, much like information security and insurance.
The good news is that such programs typically report up through the chief financial officer, thus providing in-your-face visibility with executives and board members. Through the creation of either a chief risk officer or a risk oversight committee, this process’ sole intent is to review and manage all risks – financial, compliance, strategic, operational, and technical – facing the organization and determine how best to address them. From hacking incidents and regulatory compliance issues to handling derivatives and large complex projects, risk is inherent in every organization. One may get the sensation that business continuity is actually a core competency of the firm and maintains strong ties to other key risk processes within the corporation.

Risk Management 101
The “basic” rule of risk managers – their counterpart to “(offsite) backup, backup and backup,” a foundation of the contingency planning industry – holds that there are only four things one can do with “risk”: accept, mitigate, insure, or plan. All risks can be addressed with a combination of these four actions. One of the actions is “to plan.” When one considers that “to mitigate” can include items such as information and logical security, facilities (e.g., generators) and audit (controls), and that insurance covers the “to insure” portion, the inclusion of business continuity in this group does not seem so farfetched.
Regardless of where your organization chooses to house the business continuity/disaster recovery/crisis management function, remember the following:
• Ensure the positioning allows accessibility to those key areas which will maximize the amount of risk managed by the corporation;
• Push for integration on the corporate side of the organizational chart, especially with the risk management group (if one exists); and
• If technology is where the function is ultimately placed, work diligently with your key “access” areas to ensure all aspects of the planning process, including the interdependencies with the logistical pieces, are addressed within your efforts.



Jeff Dato, MBCP, is an Atlanta-based senior manager within the Risk & Advisory Services practice of KPMG, LLP, with primary responsibility for business continuity management for the southeast region. He has been involved in the business continuity industry for the last 14 years, evenly splitting his career between banking and consulting, and is the chairman of the Disaster Recovery Journal Editorial Advisory Board. Dato welcomes any comments and questions regarding this article and can be reached via either phone (404) 222-7378 or e-mail: jdato@kpmg.com.
