A Boardroom Agenda for Business Continuity Planning

Who should spearhead the business continuity planning (BCP) initiative within an organization? Risk function? CEO? Board of directors? During a recent survey, a majority of the respondents suggested that BCP should belong to the risk management office. However, all of the respondents believed that the person responsible for the BCP should have direct access to senior management or report to a C-level executive in an organization. This implies that BCP is not a functional agenda; it is one of the top-10 risks covered by enterprise risk functions of the organizations.

Why BCP?

Planning for recovery from a disaster is now commonly recognized as an essential component in the management of risk. Businesses today have become accustomed to planning for commercial risks, such as the sudden failure of a critical parts supplier, an unexpected debt or liability, labor strikes, or the discovery of a serious fault in a retail product. Planning for a terrorist incident is, in many ways, very similar. Nearly one in five business houses suffer a major disruption every year. Business continuity planning is a means of ensuring that essential functions of your business survive a terrorist incident, natural disaster, or other disruption. It is crucial for any business or organization to plan its survival following the loss or denial of access to buildings, a significant number of staff, their IT systems, important records and information, or a myriad of other assets they depend upon to operate successfully.

Traditional business continuity planning and disaster recovery planning (BCP/DRP) address risk management, crisis response planning, and timely recovery of business functions following “worst-case” disaster scenarios. In these scenarios, the normal place of business becomes inaccessible or unusable as a result of a natural disaster, fire, flood, explosion, or extended loss of power or communications facilities. The assumption is that anything less than a worst-case scenario can be handled successfully within the worst-case planning structure.

The focus of BCP/DRP is on identifying and mitigating risks, identifying business recovery requirements and recovery strategies, event response and recovery planning, plan maintenance, and exercising the plan. The business continuity plan assumes that the implementation of all the physical means of recovery is complete and reliable.

Key points to consider when engaged in a BCP project:
  • Ensure the management is cognizant of the total effort required to develop and maintain an effective plan;
  • Obtain appropriate management commitment for support and participation in the plan development and implementation;
  • Define recovery requirements that focus on business processes;
  • Document the impact of an extended loss of operation for the company’s data center;
  • Work with the management to encourage and develop their self-sufficiency so they are able to effectively maintain, test, and periodically exercise their plans;
  • Focus appropriately on disaster prevention, impact minimization and recovery;
  • Select project teams comprised of individuals with functional and industry expertise;
  • Develop a continuity plan that is understandable and easy to use and maintain;
  • Define a mechanism for ensuring future business planning and system development processes will consider business recovery implications to help assure the viability of developed continuity plans.

BCP vs. Strategy

BCP and strategy can be considered Siamese twins. There is an aspect of business continuity that remains undiscovered: business continuity as an offensive strategy and as a competitive strategy. Here business continuity is seen not just as a way of protecting and safeguarding the business, but as a way of growing the business. It’s the same old story of moving from a reactive to a proactive approach.

Some questions to ponder before we discuss this further: Why do organizations need to be prepared? What good could an organization bring to its balance sheet at the end of the year if business continuity was done as per the expectations? The point that all business continuity professionals make: how does my CxO see benefit coming out of business continuity strategies if an incident does not happen?

It’s interesting to know that we all try to convince management by saying that if you do business continuity, it will make the organization better placed among the competitors. Do we all know who these competitors are? Are we able to quantify or equate the words “competitive advantage” to the dollar amount and present this to management? Do we know what business continuity strategies the organization’s competitors have put in place? Does this reflect in the annual review with our management? If we can answer these questions and ensure management is aware of the opportunities that will come their way during the time of crisis.

The Role of Top Management

Before the Disaster

Having a top-quality, tried, and tested business continuity management structure in place helps your company stand out from others. This will become an even stronger competitive advantage over the next few years as business continuity standards take hold around the world and their associated accreditation schemes highlight those companies that have taken business continuity seriously. For example, before outsourcing work to other companies, many companies ask detailed questions about the level of BCP in the organization. The time may come when companies will only be able to do business with the public sector, for example, if they can show that they are accredited to a business continuity standard.

Another non-disaster related benefit of business continuity management is that it can help to create a business which operates its systems to the optimum level. As highlighted in the definitions, business continuity management involves creating resilient businesses, companies that are flexible and which can quickly identify and respond to challenges and threats. However, resiliency is not just a benefit in times of disaster. Resiliency can provide day-to-day business benefits, with hardened systems failing less often and production returning more quickly from day-to-day glitches than would be the case in less resilient businesses.

The company that successfully operates a true business continuity management culture will have systems that are more effective, more efficient, and more fully utilized than those of its competitors. Such a company will be able to maximize the return on investment it makes in business processes. It will be more productive, more reliable, and an excellent partner and supplier.

After the Disaster

It is documented that an effective disaster response can help a company’s share price to increase and its reputation to become stronger. The definitive study in this area was carried out by Knight and Pretty (“The Impact of Catastrophes on Shareholder Value,” 2000).

However, beyond this there is another, more entrepreneurial, competitive advantage. The business that recovers most quickly from a wide-area disaster is the business which is able to capitalize on the situation. Disasters create new markets and open up existing ones. This may allow the rapid development and launch of new products or, if your products and services are available when a competitor’s aren’t, you can gain temporary market share. This can become permanent if your products and services are at least as good as your competitor’s. Weakened competitors can be weakened further by effective business continuity coupled with good marketing.

That may sound “against the spirit of business continuity.” But business is about competition. It is about being one step ahead of the competition. It’s about building your company to be better and more capable in what it does than others around it. Business continuity can be one tool which enables you to do this.

Jaspreet Singh is working with Ernst & Young as a senior manager in advisory services, New Delhi, India. He is CISA, BS 7799 lead auditor, and CBCP. Singh has a bachelor’s degree in computers from Punjab Technical University and an MBA (systems) from Symbiosis Institute of Business Management. He has been associated with books on computer security and is a regular contributor to leading IT magazines. Topics include: legal compliance in India, ROI security, and information security policy.