Landing On Your Feet
Being Prepared in the 21st Century
Current and Emerging Trends in Business Continuity
By MICHAEL CROY
Since 2000, our world has seen dramatic changes that have caused an
evolution in business continuity thinking. It used to be that recovery-minded
organizations focused on preventing and avoiding disasters. Today, it
seems inevitable that nearly everyone will be faced with unexpected
“bumps” in the terrain from time to time. The focus is changing
from avoidance of threat to “landing on your feet” in spite
of it.
In other words, organizations have found it necessary to become better
prepared and be more proactive about risk management. While the imagined
“disaster” in a disaster recovery scenario used to be an
environmental one – fire, flood, or tornado – thus far in
the 21st century we’ve seen likely examples of “disaster”
expand to include terrorist attacks with global political implications;
strings of powerful hurricanes; international power grid failure; threats
such as data worms and hackers; and ordinary business events such as
mergers and acquisitions, increased outsourcing of business processes,
and application process failures.
The bottom line these days is that if it’s disruptive to your
organization, it’s a crisis, regardless of the cause. And the
pressures for risk management planning are both internal and external.
At the midpoint of the first decade of the 21st century, certain trends
in business continuity thinking have been established. A consideration
of them, as well as several emerging trends, may help clarify what organizations
need to consider today in order to prepare themselves for tomorrow.
Regulatory and compliance issues have
increased dramatically
The impact of regulations such as the Sarbanes-Oxley Act, the Gramm-Leach-Bliley
Act, and HIPAA (the Health Insurance Portability and Accountability Act) has
been enormous over the past five years. Regulatory issues have driven
organizations to invest in IT initiatives that enable stronger financial
controls and privacy measures.
We expect to see many more changes in the regulatory area in the next
few years. A number of states are already working on regulations that
may, in some instances, be stricter than current federal regulations, and
that may extend to privately held companies. This holds tremendous implications
for the business, IT, and business continuity communities.
As case law grows in this area, regulations will become better defined.
It will be easier for organizations to translate regulatory requirements
into specific IT initiatives and to evaluate what they need to do from
a business and an IT perspective to achieve compliance.
Terror concerns now based in fact
The first World Trade Center bombing back in 1993 and the Oklahoma City
bombing in 1995 showed the U.S. that terrorism on American soil was
a reality. The Sept. 11 attacks shifted the scale of what we consider
when we talk about disaster. As impossible as it was to imagine something
like those attacks, we need to be prepared to move beyond our current
imagination and recognize that something equally devastating is possible.
Whether a bomb destroys a building or a tornado hits it, the impact on
the business is the same: the building and its functions are gone. Business continuity planning
efforts need to focus separately on causes and impacts. Brainstorming
possible causes is a valuable component of planning, but being prepared
to recover from the impact – regardless of cause – is what
will keep business going. Business continuity is not about anticipating
every possible disaster, but rather, it is about keeping business going
forward despite disruption.
The data ‘explosion’
In recent years the economy in this country experienced a troubled period.
It seemed reasonable to assume that both soft and hard data, electronic
and paper copies, would decrease in amount. Instead, for many reasons,
we’ve seen a virtual explosion in the amount of data organizations
are storing. Largely, this is due to the regulatory impacts mentioned
previously. It is also a result of the increased information and service
basis of business and the 24/7 mindset and reality that has replaced
the 40-hour week. The dramatic decrease in electronic storage costs
is also a factor.
There is no reason to believe any of this is going to change much over
the next five years. Organizations will need to continue to find cost-effective,
customized methods for dealing with the dramatic increase in data storage.
Policies for determining the business value of different data will be
as crucial to managing storage as any technology. Otherwise, the volume
of data and the job of sorting through it may become a business performance
as well as a business continuity issue.
More critical usage of Internet and e-mail
The Internet and e-mail go back decades, to the research networks of the 1970s. However, in just
the last few years, the number of organizations based solely on the
Internet, and the impact it has on the revenues of many others, have
grown exponentially. As the pace of business increases, more critical
information is also being communicated via and stored in e-mail systems.
Today, lost e-mails and e-mail/Internet outages can be a business disaster.
Regulatory compliance issues and basic business prudence are also making
privacy protection and tracking capability for Internet commerce and
e-mail communication paramount concerns.
As a result, e-mail and Internet outages must be considered as carefully
as other systems outages when creating a business continuity/disaster
recovery plan. In order to mitigate risk and loss to an acceptable level,
restoring access as quickly as possible after a crisis must be balanced
with restoring the same controls and capabilities that were in place
before the crisis. This means being able to recover all relevant e-mail
and transaction information, validate the information, and confirm who
has had access to the information.
Insourcing vs. outsourcing alternatives
for business continuity solutions
In the past five years, there has been a lot of conversation about organizations
moving away from “hot site” disaster recovery/business continuity
solutions and toward internal recovery alternatives. Some of the stated
reasons include unexpected costs, insufficient access, and slow recovery
times.
The fact of the matter is that both external and internal recovery solutions
are viable options. A particular organization can only decide which
is right for it based on a balanced evaluation in context of the organization’s
mission-critical requirements. In some cases, the greater cost of establishing
internal recovery facilities will be justified by increased control
over availability and customer satisfaction. In other instances, an
organization’s requirements and expectations may not justify the
cost of an internal recovery location.
Emerging trends
Several new trends appear to be emerging. While it’s likely that
other trends will develop as well, the more we can anticipate, the better
prepared we can be. It’s critically important that the professionals
in the business continuity/disaster recovery industry focus on helping
everyone manage the change we’re going to see.

Risk management umbrella
In the big picture of American business, IT is still a relatively new
element to be dealt with. In the past it was seen as a “nice to
have” productivity booster, or as “bells and whistles,”
rather than a key part of an organization’s processes, controls,
and investment. A siloed approach to IT planning, management, and funding
made sense as a way to keep IT agile and strategic while minimizing
spending. But it also led to duplication of effort (and expense), incompatibility
of systems, and lack of awareness of process interdependencies. To make
matters worse, IT departments fostered a certain mystery about what
their systems did. All these factors amplified the disconnect between
business planning and IT planning and, as a result, created additional
risks.
These days, however, more organizations are coming to understand the
business value of IT. It is being recognized as part of everyday functionality
and as a discrete business unit every bit as important as sales, marketing,
transportation, warehousing, or anything else. Over the next five years,
we’re going to see greater integration of IT and business strategy
and planning. Organizations will continue to move away from a siloed
model toward more cohesive management.
Once IT is better integrated into the organization, the next step will
be the integration of security, business continuity planning, disaster
recovery, risk insurance, and physical security policies into comprehensive
risk management planning. Comprehensive planning will involve both business
and IT management. When policy and strategy are defined at the executive
level of the organization and driven from the top down, risk management
can truly meet an organization’s needs. Executives are also becoming
more directly involved because government regulations such as Gramm-Leach-Bliley,
Sarbanes-Oxley, and HIPAA can hold them personally and legally liable
for business issues including access to critical information, financial
controls, customer privacy, and physical security.
At the same time, more traditional impacts such as insurance audits,
SEC regulations, and bank covenants, as well as basic fiscal imperatives
to protect assets and opportunity costs against business disruptions,
continue. The emerging picture, therefore, is of true interdependency
among all aspects of an organization, its processes, applications, and
systems. Every element must be evaluated with regard to the others to
determine acceptable risk and appropriate strategies for addressing
it.
External validation/expertise
Even though standards like COBIT and ISO 17799 outline general best
practices, that’s only part of the picture. Effective
business continuity measures require industry-specific and organization-specific
steps. The level of complexity of today’s systems often means
that it is not cost-effective for individual organizations to keep all
the expertise they need on staff. And it is very difficult to maintain
industry best-practice standards without comparative experience.
Whether they participate in professional business continuity associations
such as DRJ or the Association of Contingency Planners or engage experienced
business continuity consultants for risk management planning, organizations
will find it beneficial to obtain outside expertise. The volume of experience
risk management professionals acquire in assisting multiple organizations
enables each to benefit from the lessons of others.
In addition, validation from outside resources builds confidence in
a solution and enables an organization to clearly demonstrate its commitment
to compliance. Simply put, neither a plan nor its implementation can
be audited by the same people who created it without potentially raising
red flags about its accuracy or thoroughness.
The importance of closing the business
continuity gap
Too often, a gap exists between the availability of an organization’s
information systems and the level of availability expected by its business
units. In most organizations, the gap is discovered only after disaster
strikes. Closing the gap requires that the IT department, the business
units, and key executives work together to identify and assess vulnerabilities,
and then develop effective risk management strategies to address them.
Risk management strategies include accepting the risk and funding it through financial
reserves, transferring the risk to an insurer or outsourcer, or mitigating
the risk with proactive or reactive measures suited to the organization’s
IT infrastructure and recovery objectives.
A comprehensive plan enables the organization as a whole to view impartially
the policies, processes, and organizational structures as well as the
IT systems required to close the gap. A comprehensive view also enables
an organization to recognize that serious consequences, such as loss
of market share, can result from being insufficiently prepared for a
business interruption. The decision about how much loss the organization can accept must be
made by executive management based on a full understanding of the organization’s
interdependencies and all the potential impacts of a loss.

The good news
The trends we see are promising. But we can’t allow ourselves
to be lulled into complacency by overconfidence in our ability to predict
what will happen. We need to continue uncovering areas of weakness and
searching for innovative, out-of-the-box solutions that not only satisfy
BC/DR/security issues but also respond to the business needs driving
those issues.
With the introduction of innovative solutions that satisfy business
continuity needs, the biggest trend we will see is continuing improvement
in the way that business does business. By anticipating change and marshalling
key technology forces, organizations can influence not just IT and not
just BC/DR, but how well and how robustly they function overall. The
lessons and the benefits obtained from anticipating change and staying
committed don’t just pop up in a time of crisis. They can be applied
day after day.
In other words, if you get business continuity right — evaluating
and utilizing IT in a business context — you will end up with
an organizational structure, policies, and IT that improve the way you
do business every day, not just when crisis strikes.
Michael Croy joined Forsythe in 2002, bringing more than 20 years
of experience in building, developing, and implementing disaster recovery
and business continuity programs. As Forsythe’s business continuity
practice manager, Croy is responsible for the company’s business
continuity offerings, including risk analysis, best practice models
for continuity of IT infrastructure (storage, server, and network),
and disaster recovery planning, strategy, and management.
©Copyright
2004 Systems Support Inc. All rights reserved. Reproduction in whole
or in part in any form or medium without the express written permission
of Systems Support Inc. is prohibited.