Regulatory and compliance issues have increased dramatically
The impact of regulations such as the Sarbanes-Oxley Act, the Gramm-Leach-Bliley Act, and HIPAA (Health Insurance Portability and Accountability Act) has been enormous over the past five years. Regulatory issues have driven organizations to invest in IT initiatives that enable stronger financial controls and privacy measures.
We expect to see many more changes in the regulatory area in the next few years. A number of states are already working on regulations that may, in some instances, be stricter than current regulations, and that may extend to privately held companies. This holds tremendous implications for the business, IT, and business continuity communities.
As case law grows in this area, regulations will become better defined. It will be easier for organizations to translate regulatory requirements into specific IT initiatives and to evaluate what they need to do from a business and an IT perspective to achieve compliance.
Terror concerns now based in fact
The first World Trade Center bombing back in 1993 and the Oklahoma City bombing in 1995 showed the U.S. that terrorism on American soil was a reality. The Sept. 11 attacks shifted the scale of what we consider when we talk about disaster. As impossible as it was to imagine something like those attacks, we need to be prepared to move beyond our current imagination and recognize that something equally devastating is possible.
Whether a bomb blows up a building and takes out its functionality or a tornado hits it, the impact is the same. Business continuity planning efforts need to focus separately on causes and impacts. Brainstorming possible causes is a valuable component of planning, but being prepared to recover from the impact – regardless of cause – is what will keep business going. Business continuity is not about anticipating every possible disaster, but rather, it is about keeping business going forward despite disruption.
The data ‘explosion’
In recent years the economy in this country experienced a troubled period. It seemed reasonable to assume that both soft and hard data, electronic and paper copies, would decrease in amount. Instead, for many reasons, we’ve seen a virtual explosion in the amount of data organizations are storing. Largely, this is due to the regulatory impacts mentioned previously. It is also a result of the increasingly information- and service-based nature of business and the 24/7 mindset and reality that has replaced the 40-hour week. The dramatic decrease in electronic storage costs is also a factor.
There is no reason to believe any of this is going to change much over the next five years. Organizations will need to continue to find cost-effective, customized methods for dealing with the dramatic increase in data storage. Policies for determining the business value of different data will be as crucial to managing storage as any technology. Otherwise, the volume of data and the job of sorting through it may become a business performance as well as a business continuity issue.
More critical usage of Intranet and e-mail
The Internet and e-mail go back as far as the 1980s. However, in just the last few years, the number of organizations based solely on the Internet, and the impact it has on the revenues of many others, have grown exponentially. As the pace of business increases, more critical information is also being communicated via and stored in e-mail systems. Today, lost e-mails and e-mail/Intranet outages can be a business disaster. Regulatory compliance issues and basic business prudence are also making privacy protection and tracking capability for Internet commerce and e-mail communication paramount concerns.
As a result, e-mail and Internet outages must be considered as carefully as other systems outages when creating a business continuity/disaster recovery plan. In order to mitigate risk and loss to an acceptable level, restoring access as quickly as possible after a crisis must be balanced with restoring the same controls and capabilities that were in place before the crisis. This means being able to recover all relevant e-mail and transaction information, validate the information, and confirm who has had access to the information.
Insourcing vs. outsourcing alternatives for business continuity solutions
In the past five years, there has been a lot of conversation about organizations moving away from “hot site” disaster recovery/business continuity solutions and toward internal recovery alternatives. Some of the stated reasons include unexpected costs, insufficient access, and slow recovery times.
The fact of the matter is that both external and internal recovery solutions are viable options. A particular organization can only decide which is right for it based on a balanced evaluation in the context of the organization’s mission-critical requirements. In some cases, the greater cost of establishing internal recovery facilities will be justified by increased control over availability and customer satisfaction. In other instances, an organization’s requirements and expectations may not justify the cost of an internal recovery location.
Several new trends appear to be emerging. While it’s likely that other trends will develop as well, the more we can anticipate, the better prepared we can be. It’s critically important that the professionals in the business continuity/disaster recovery industry focus on helping everyone manage the change we’re going to see.
Risk management umbrella
In the big picture of American business, IT is still a relatively new element to be dealt with. In the past it was seen as a “nice to have” productivity booster, or as “bells and whistles,” rather than a key part of an organization’s processes, controls, and investment. A siloed approach to IT planning, management, and funding made sense as a way to keep IT agile and strategic while minimizing spending. But it also led to duplication of effort (and expense), incompatibility of systems, and lack of awareness of process interdependencies. To make matters worse, IT departments fostered a certain mystery about what their systems did. All these factors amplified the disconnect between business planning and IT planning and, as a result, created additional risks.
These days, however, more organizations are coming to understand the business value of IT. It is being recognized as part of everyday functionality and as a discrete business unit every bit as important as sales, marketing, transportation, warehousing, or anything else. Over the next five years, we’re going to see greater integration of IT and business strategy and planning. Organizations will continue to move away from a siloed model toward more cohesive management.
Once IT is better integrated into the organization, the next step will be the integration of security, business continuity planning, disaster recovery, risk insurance, and physical security policies into comprehensive risk management planning. Comprehensive planning will involve both business and IT management. When policy and strategy are defined at the executive level of the organization and driven from the top down, risk management can truly meet an organization’s needs. Executives are also becoming more directly involved because of government regulations such as Gramm-Leach-Bliley, Sarbanes-Oxley, and HIPAA that hold them personally and legally liable for business issues including access to critical information, financial controls, customer privacy, and physical security.
At the same time, more traditional impacts such as insurance audits, SEC regulations, and bank covenants, as well as basic fiscal imperatives to protect assets and opportunity costs against business disruptions, continue. The emerging picture, therefore, is of true interdependency among all aspects of an organization, its processes, applications, and systems. Every element must be evaluated with regard to the others to determine acceptable risk and appropriate strategies for addressing it.
Even though standards like CobiT and ISO 17799 outline general best-practice information, that’s only part of the picture. Effective business continuity measures require industry-specific and organization-specific steps. The level of complexity of today’s systems often means that it is not cost-effective for individual organizations to keep all the expertise they need on staff. And it is very difficult to maintain industry best-practice standards without comparative experience.
Whether they participate in professional business continuity associations such as DRJ or the Association of Contingency Planners, or engage experienced business continuity consultants for risk management planning, organizations will find it beneficial to obtain outside expertise.
The volume of experience risk management professionals acquire in assisting multiple organizations enables each to benefit from the lessons of others.
In addition, validation from outside resources builds confidence in a solution and enables an organization to clearly demonstrate its commitment to compliance. Simply put, neither a plan nor its implementation can be audited by the same people who created it without potentially raising red flags about its accuracy or thoroughness.
The importance of closing the business continuity gap
Too often, a gap exists between the availability of an organization’s information systems and the level of availability expected by its business units. In most organizations, the gap is discovered only after disaster strikes. Closing the gap requires that the IT department, the business units, and key executives work together to identify and assess vulnerabilities, and then develop effective risk management strategies to address them. Risk management strategies include accepting the risk through financial reserves, assigning the risk to an insurer or outsourcer, or mitigating the risk with proactive or reactive strategies suited to the organization’s IT infrastructure and recovery objectives.
A comprehensive plan enables the organization as a whole to view impartially the policies, processes, and organizational structures, as well as the IT systems, required to close the gap. A comprehensive view also enables an organization to recognize that serious consequences, such as loss of market space, can result from being insufficiently prepared for a business interruption. The decision about how much loss it can accept must be made by executive management based on a full understanding of the organization’s interdependencies and all the potential impacts of a loss.
The good news
The trends we see are promising. But we can’t allow ourselves to be lulled into complacency by overconfidence in our ability to predict what will happen. We need to continue uncovering areas of weakness and searching for innovative, out-of-the-box solutions that not only satisfy BC/DR/security issues but also respond to the business needs driving those issues.
With the introduction of innovative solutions that satisfy business continuity needs, the biggest trend we will see is continuing improvement in the way that business does business. By anticipating change and marshalling key technology forces, organizations can influence not just IT and not just BC/DR, but how well and how robustly they function overall. The lessons and the benefits obtained from anticipating change and staying committed don’t just pop up in a time of crisis. They can be applied day after day.
In other words, if you get business continuity right — evaluating and utilizing IT in a business context — you will end up with an organizational structure, policies, and IT that improve the way you do business every day, not just when crisis strikes.
Michael Croy joined Forsythe in 2002, bringing more than 20 years of experience in building, developing, and implementing disaster recovery and business continuity programs. As Forsythe’s business continuity practice manager, Croy is responsible for the company’s business continuity offerings, including risk analysis, best practice models for continuity of IT infrastructure (storage, server, and network), and disaster recovery planning, strategy, and management.