DISASTER RECOVERY JOURNAL
Establishing A Corporate Business Continuity Program And Continuity Program Office
By ROBERT E. DUNCAN and BILL DIMARTINI
Developing a corporate business continuity program
is a function of wide-ranging and critical operational concerns,
including the need to drive higher revenues and profits, control
costs, respond to increasing regulatory issues, and plan for unpredictable
business disruptions or catastrophic disasters. Many forward-looking
companies are finding that meeting these concerns requires 24x7 information
availability – the ability to access vital business information at any time
and from any
place. The degree of information availability may vary according to
the requirements of the business, but it typically involves a combination
of technology, technical expertise, and a redundant IT infrastructure.
In contrast, a traditional disaster recovery strategy that typically
involves a certain amount of downtime – from hours to days – may
not be sufficient for truly business-critical applications. A comprehensive
business continuity program will not only include a disaster recovery
plan, but will also ensure that people and information remain connected
with no downtime – no matter the potential cause of disruption.
A dedicated program office can efficiently and effectively manage the
process for developing, testing, and implementing a business continuity
program. It also will bring consistency and predictability to a company’s
information availability strategy. A clearly defined and properly staffed
program can accurately determine the investment needed for the required
level of information availability. It also allows for a company to
maintain the skill sets for managing the business continuity program,
conduct evaluations of in-house or outsourced models, and seamlessly
integrate outsourcing options, such as managed hosting. In this article,
we will provide IT managers with the tools to understand, plan, establish,
and manage a reliable and cost-effective corporate business continuity
program.
A Business Continuity Program: Concepts and Definitions
As defined in standard business continuity industry terms, a business
continuity program is an on-going effort to ensure that business continuity
and recovery requirements are addressed, resources are allocated, and
processes and procedures are completed and rehearsed. The program is
most effective with management sponsorship and when defined and chartered
by a corporate business continuity policy statement. Fig. 1 shows the
relationship between the major components of a business continuity
program, including:

- Steering Committee: A committee of decision makers, business owners,
  technology experts, and continuity professionals, tasked with making
  strategic recovery and continuity planning decisions for the
  organization. Generally, it:
  - Is comprised of senior personnel from all key corporate entities
    with a stake in the ongoing program.
  - Has the authority to make decisions, implement new policies, and
    commit resources to support and implement the program.
  - Provides strategic direction and decision-making.
  - Establishes annual program objectives and ensures appropriate
    commitment to the program.
- Continuity Program Office (CPO): The CPO provides the corporate
  business continuity program management standards and practices that
  comprise the enterprise recovery management process (ERMP). The ERMP
  is overseen by the CPO and provides business availability/technology
  availability projects and ongoing lifecycle management functions
  (e.g., training and awareness program, certification program) with
  policies, procedures, guidance, and methodologies.
- Continuity Planning: The process of developing advance arrangements
  and procedures that enable an organization to respond to an event in
  such a manner that critical business functions continue with planned
  levels of interruption or essential change. Elements include the
  ongoing design, procurement, and use of robust systems, facilities,
  staffing models, as well as the equipment (and services?) to mitigate
  the risk of outages and the impact of outages should they occur.
- Business Impact Analysis (BIA): A procedure designed to identify
  critical business functions and workflow, determine the qualitative
  and quantitative impacts of a disruption, and help prioritize and
  establish recovery time objectives. The results of the BIA are used to:
  - Identify and validate department critical business/support
    functions;
  - Determine information technology and connectivity requirements to
    support the corporation’s critical business/support functions;
  - Determine the financial and non-financial impacts associated with
    the loss of critical business/support functions over time;
  - Determine the recovery time objectives (RTO) – how quickly a
    business or support function must be restored in order to avoid
    substantial business impact;
  - Determine recovery time objectives for supporting applications if
    different than the RTOs for their supported business functions;
  - Develop recovery point objectives (RPO) – the point to which data
    must be restored in order to maintain critical business/support
    functions; and
  - Establish minimum acceptable recovery configuration (MARC) for
    departments at various corporate work locations.
- Technology Availability: The strategic and detailed planning for the
  timely restoration of information technology, network, and voice
  services following a disaster.
- Business Availability: The strategic and detailed planning for the
  timely restoration of vital business and support functions following
  a disaster.
- Crisis Management: Planning the overall coordination of an
  organization’s response to a crisis, in an effective, timely manner,
  with the goal of avoiding or minimizing damage to the organization’s
  profitability, reputation, or ability to operate. The planning process
  is used to organize staffs/personnel, equipment, and decision making
  for the rapid evaluation and response planning necessary to control
  significant events that impact an organization’s normal operations. It
  provides the overall policies, procedures, and guidance (PP&G) for
  communication and coordination of an organization’s response to an
  event judged to present a potential substantive risk or disaster to
  the corporation.
- Testing Program: The scoring and testing of technology availability
  and business availability plans using defined metrics to validate an
  organization’s ability to respond to a crisis in a coordinated,
  timely, and effective manner.
- Certification Program: A program for formally rating business
  availability and technology availability plans using plan scorecards,
  testing results, and other criteria to assess and manage plan
  readiness.
Developing a Corporate Business Continuity Program
To establish a corporate business continuity program, a corporation
first needs to generate and obtain senior leadership support and approval
for a comprehensive corporate business continuity policy. This policy
establishes a corporate business continuity program under an executive
officer with sufficient influence to obtain adequate program resources
and enforce its policies, procedures, and guidance. Fig. 2 (left) shows
the development cycle for developing the corporate policy.

To obtain the skills, focus, and dedicated level of effort a corporate
business continuity program requires, corporations must create a continuity
program office (CPO) to plan, implement, and manage the corporate business
continuity program. The CPO reports to the corporate business continuity
program executive sponsor; the CPO roles and responsibilities are
discussed in detail later in this article.
CPO staffing requirements will vary depending upon the responsibilities
and projects assigned to it. Generally, an initial permanent staff
organized as shown in Fig. 3 (below) should be considered.

Staffing should be reviewed annually and adjusted as required by the
corporate business continuity program needs. General functions of the
CPO principals are shown in the table on the right.
The corporate business continuity program must be
chartered for:
- Technology availability/business availability
project management; and
- Ongoing, lifecycle technology availability/business
availability program planning, testing, and management.
To establish and manage an effective corporate business
continuity program, the CPO must create and implement an enterprise
recovery management process (ERMP). The ERMP consists of supporting
policies, procedures, guidance and methodologies for corporate business
continuity program project management and ongoing program lifecycle
functions.
The corporate business continuity program ERMP must address not only
the planning, testing, and management oversight of IT technology availability,
but also cover planning, testing, and management oversight of business
availability for the departments and the vital business functions that
define the corporation.
Continuity Program Office (CPO): Roles and Responsibilities
At the macro level, the continuity program office (CPO) provides two
functions to the corporation:
- Technology availability/business availability
project management
- Ongoing lifecycle corporate business continuity
program oversight and management.
Technology Availability/Business Availability Project Management
The CPO provides project management oversight of crisis management,
technology availability, and business availability projects as shown
in Fig. 4 (below).

The CPO provides policies, procedures, guidance, and
methodology to:
- ensure standardized, timely, and coordinated initiation,
  planning, execution, control, and reporting of program projects;
- identify, integrate, and manage the critical dependencies that exist
  between multiple business continuity projects; and
- provide quality control for approved projects.
Taken together, the policies, procedures, guidance,
and methodologies form the project management portion of the business
continuity program management process (BCPMP). The BCPMP provides the
standards and procedures to:
- Measure and report assigned projects’ progress;
- Define project milestones and deliverables;
- Monitor and report the status of key milestones and deliverables;
- Prepare weekly project status reports, including:
  - accomplishments
  - issues
  - completion percentage
  - burn rate;
- Manage issue resolution;
- Manage change control process to include:
  - Prepare estimates for change requests;
  - Conduct change control meetings;
  - Conduct impact assessment for agreed upon changes;
  - Update technology availability/business availability plans to
    reflect changes;
- Foster clear communications in multi-project or site programs;
- Maintain a viable, accessible, project documentation repository;
- Ensure proper sign-off of key deliverables;
- Establish a quality assurance program to include:
  - Ensuring establishment of quality standards
  - Quality reviews of reasonableness of planned deliverables and dates
  - Managing standards adherence;
- Identify potential synergies among various inter-related projects;
- Synchronize activities amongst projects;
- Facilitate planning workshops;
- Conduct risk reviews;
- Establish a risk mitigation plan.
Within organizations that have mature project management processes,
established project management policies, procedures, and guidance can
be evaluated for use on corporate business continuity program projects.
Lifecycle Program Oversight and Management
The functions performed by the CPO in the management of ongoing lifecycle
corporate business continuity program functions vary by company.
The following responsibilities are generally included, to some degree,
in the charter of a CPO:
- Ownership and management of the corporate crisis management and
  technology availability/business availability training and awareness
  program;
- Ownership and management of policies, procedures, and guidance for
  change management as it pertains to technology availability/business
  availability;
- Staff lead in development of a comprehensive crisis management and
  technology availability/business availability testing program;
- Participation in establishment of technology availability/business
  availability testing metrics and audit criteria;
- Ownership and management of the corporate technology
  availability/business availability plan certification program;
- Crisis management team alerting and activation;
- Facilitation of crisis management team response planning;
- Staff lead in developing and providing financial justification for
  corporate crisis management and technology availability/business
  availability annual budget requests;
- Providing crisis management and technology availability/business
  availability expertise to committees and executives during
  consideration of process, equipment, software, facility, etc. design
  or changes.
Key Steps In Establishing a CPO
The key steps to setting up an effective continuity program office
(CPO) are:
- Identify and define desired goals, objectives, business benefits, and
  measurement methods for the CPO
  a. Define goals and objectives of the CPO
  b. Codify the charter of the CPO
  c. Write a vision and mission statement for the CPO
  d. Document the purpose of the initiative and what value is to be
     created
  e. Determine how return-on-investment will be measured
  f. Determine what other metrics and measurements should be used (e.g.,
     quality, customer satisfaction, productivity)
- Define governance structure
  a. Define how the CPO will be organized and staffed.
  b. Determine what rules the CPO will follow, and how it will interface
     with corporate departments (e.g., information technology, corporate
     real estate) and subordinate headquarters.
  c. Codify a CPO charter.
- Define the impact management process
  Establish policies, procedures, and guidance on how changes, issues,
  and other events that will impact CPO projects and program will be
  recorded, tracked, and resolved.
- Define leadership and communications protocols
  a. Establish how information, status updates, and decisions will be
     communicated.
  b. Determine how and who will make key decisions.
- Define risks and develop mitigation strategy
  a. Identify risks to program success.
  b. Determine how risks will be mitigated.
  c. Establish how additional risks that may arise later in the
     corporate business continuity program will be identified and
     mitigated.
- Define program support
  a. Identify support requirements for each CPO project and lifecycle
     functions assigned the CPO.
  b. Identify standard methods and procedure for corporate business
     continuity program execution, reporting, and management.
  c. Develop process for the creation of additional standards as the
     need arises.
  d. Decide if CPO should create a technology availability/business
     availability center of excellence for critical technical knowledge
     that will be shared by multiple projects.
- Define integration approach and methods
  a. How will programs and projects that have interrelationships and
     dependencies be identified and integrated?
  b. How well does the portfolio of programs and projects assigned to
     the CPO support the business goals and objectives of the
     corporation?
Conclusion
The cost of downtime for critical business/support functions and their
supporting information technology can be substantial and the effects
pervasive throughout a company. Only a properly chartered and staffed
continuity program office (CPO) can provide the project management,
enterprise recovery management processes, and ongoing lifecycle focus/management
necessary to create and maintain a viable corporate business continuity
program.

Robert E. Duncan, PMP, MBCI, a former SunGard Availability
Services employee, has extensive experience with professional services
consulting engagements and has documented success in: project leadership;
needs and risk analysis; identification and prioritization of critical
business; disaster recovery strategy development and plan development;
and, crisis management planning and exercises. With the delivery of
over 100 formal presentations, Duncan is also a very experienced trainer.
Duncan has degrees from the University of Southern California and the
Georgia Institute of Technology.
Bill DiMartini, senior vice president,
has been with SunGard Availability Services for more than 15 years,
exclusively within the professional services organization. DiMartini
has orchestrated the growth and expansion of the professional services
group from a business continuity-focused organization to a more broad-based
information availability consultancy, supporting business availability,
information security, and technology solutions. DiMartini holds a
bachelor’s degree in political science
from the University of Pittsburgh and a master’s degree in international
relations from Villanova University.
©Copyright
Systems Support Inc. All rights reserved. Reproduction in whole or in
part in any form or medium without the express written permission of
System Support Inc. is prohibited.