FAQs

How often should a BIA be conducted?

Generally: Every 2-3 years unless there are significant reorganizations, divestitures or acquisitions.

~ Patrick Ridder, MBCP, MBCI, CHPCP ISO 22301 Lead Auditor

Culture and Legal/regulatory environment: Every organization is different, and requirements for BIA frequency are often dictated by an organization's culture as well as its associated regulatory guidelines.

Program Maintenance: Many organizations review BIAs yearly and some even quarterly. The review is often baked into a plan review process where the process-level RTO and associated impacts are confirmed to ensure they still apply.

~ Laura Mosley, MBCI MBCP CBCLA SCRA

How do I rate / evaluate/ audit my data center?

I would recommend you partner with your internal audit department. They can help you understand what they would be looking for.

~ Beth Epstein, MA, CBCP, MBCI

The Uptime Institute established the criteria for Data Center ranking. I'd start by reviewing their tier levels and develop an understanding of what the various rankings require. Measure your facility against those criteria and build a gap report from the results. It's also helpful to have an idea of what type of performance you require from your Data Center.

~ Patrick Ridder, MBCP, MBCI, CHPCP  
ISO 22301 Lead Auditor

What are the best conference events to attend?

DRJ of course!

~ Beth Epstein, MA, CBCP, MBCI

While Beth is technically correct, I'd like to expand on her answer just a little. The DRJ conference is the largest gathering of Business Continuity Professionals in the world. That type of attendance carries some advantages: industry-leading speakers, access to some of the most sought-after vendors and excellent facilities. An opportunity to network with some of the industry's thought leaders and get face-to-face time to help address some of the issues you encounter all make the DRJ conference one of the best values in the industry.

~ Patrick Ridder, MBCP, MBCI, CHPCP  
ISO 22301 Lead Auditor

I want to work in Emergency Management in some manner. How can I get started?

I suggest looking into the FEMA Independent Study Courses.
https://training.fema.gov/is/

~ Stacie J Herzog, CBCP, MBCI

Each state maintains a website with information about your Emergency Management Association. The home page will provide you with information about Events, Online Training classes and various links that will help you gain an understanding of your state requirements. In addition, view the FEMA website for valuable information about the Federal Emergency Management Association and classes that are available to expand your knowledge in this field.

~ Colleen Huber, CBCP,MBCI,CBRM
Manager, BCP & IT Development

My company is considering building a new data center. I may be assigned as the project lead - HELP!

Take a deep breath - you'll do great!

~ Stacie J Herzog, CBCP, MBCI

I have been hearing about a variety of business continuity standards. A.) Which are the most recognized? B.) What should I be looking at? C.) What is this certification process?

There are many to choose from:

ISO 22301

National Fire Protection Association: NFPA 1600:2010

ASIS International: ASIS SPC.1-2009

Australia/New Zealand Standard AS/NZS 5050

British Standards Institute: BS 25999, Part

Canadian Standard: CSA Z1600

Government of Japan BCP Guideline

Japanese Corporate Code – BCP

ISO 24762 (IT Disaster Recovery)

National Association of Stock Dealers: NASD 3510/3520

National Institute of Standards and Technology: NIST SP 800-34

New York Stock Exchange: NYSE Rule 446

~ Beth Epstein, MA, CBCP, MBCI

I live in the (major metropolitan) area and I have trouble getting approval for travel to conferences. Are there any local groups or chapters in my area you would suggest?

Check out the Association of Contingency Planners, and look for local chapters. http://www.acp-international.com/

~ Beth Epstein, MA, CBCP, MBCI

What is the difference between Crisis Management and Business Continuity Management?

Let's start by directing you to one of the best resources out there, the DRJ Glossary. You can find it here: http://www.drj.com/resources/tools/glossary-2.html To answer your question, Crisis Management is primarily focused on responding to an event, whereas Business Continuity Management or BCM looks at the organization's business continuity needs more holistically. Crisis Management is a component of BCM, but BCM is not necessarily a component of Crisis Management.

~ Patrick Ridder, MBCP, MBCI, CHPCP  
ISO 22301 Lead Auditor

Can you provide some ideas on a career path in the data center operations profession?

As a former Data Center Manager, I can say that the Data Center Operations role is often seen as an entry-level position. And while there are portions of the job that can be considered routine, the position is often undervalued. Working in DC Ops requires a broad understanding of an organization's technical portfolio. What apps do you use? What hardware does it run on? Honestly evaluate your knowledge in each of those areas and begin building on your current foundation. It also doesn't hurt to get to know the team sitting in that role. Tour the facility whenever possible and make sure they know who you are and your interest in becoming a member of the team. Perseverance can occasionally compensate for a slight lack of experience.

~ Patrick Ridder, MBCP, MBCI, CHPCP  
ISO 22301 Lead Auditor

Can you provide some ideas on a career path in the business continuity management profession?

You've phrased this question suggesting that a "formal" career path actually exists. By comparison to many professional responsibilities, Business Continuity Management or BCM is relatively new. Many of us in this role just weren't smart enough to say no. Seriously though, speaking for myself, I tended to be the guy that would do whatever no one else wanted to do. I took on unpleasant tasks, which provided me a great background in turnaround management: making poorly producing departments successful. Writing policy, interacting with upstream and downstream neighbors and developing a broad understanding of your organization all help in moving you toward a role in this field. And don't overlook the training that's available. Find your local ACP Chapter and become a member. Network yourself and find a mentor. Stay focused and be tenacious, all qualities you'll need to be successful in your chosen role.

~ Patrick Ridder, MBCP, MBCI, CHPCP
ISO 22301 Lead Auditor


I have been hearing a lot about ISO certifications and my manager asked me to do some research on the topic. What are the benefits of pursuing a certification for the organization? Which certifications are the most recognized?

This is a tough one. Make the effort to research what is involved with ISO certification and investigate why the organization is considering certification. Audit? Reputation? Bragging rights? Insurance?

~ Beth Epstein, MA, CBCP, MBCI

Organizational certifications indicate that you've taken all the necessary steps to embrace an industry standard. An organization making a commitment to this depth has taken the necessary steps to help ensure their commitment will outlast the individual contributors or management. To Beth's point, you should also understand WHY you're considering certification first. Once you're ready to commit, the standards align with specific disciplines within an organization. Areas such as BCM, Data Security, Supply Chain and others all have specific standards that can provide certification options. The International Standards Organization (ISO) is well recognized and provides (for a fee) comprehensive and well-documented standards for consideration.

~ Patrick Ridder, MBCP, MBCI, CHPCP
ISO 22301 Lead Auditor


What conferences do you see as the best learning and networking experience for my career in business continuity?
  • DRJ (http://www.drj.com/)
  • Continuity Insights (http://www.continuityinsights.com)
  • CPM (http://contingencyplanning.com)

~ Beth Epstein, MA, CBCP, MBCI

DRJ

~ Stacie J Herzog, CBCP, MBCI

What certifications do you see as the most valuable to my career in information security?

The most popular site for certification is http://www.isaca.org

~ Beth Epstein, MA, CBCP, MBCI

What certifications do you see as the most valuable to my career in business continuity?

The BCI offers the Certificate of the BCI (CBCI). This entry level of certified Membership of the BCI can be achieved by studying for and passing the CBCI Exam. This is ideal for professionals seeking a certification in business continuity. This is more than just certification though, as it gives you access to a wide range of resources as well as CPD and mentoring programmes, local chapters & forums, discounts and other value-adding benefits. www.thebci.org

~ Bob Arnold, MBCI(hon)

The most popular site for certification is https://drii.org

~ Beth Epstein, MA, CBCP, MBCI

I have worked in IT my entire career and now have been assigned to develop business continuity plans. What do I need to consider? Help!

You've gone from the frying pan into the fire, my friend. Although IT will remain a focus in your efforts, you'll need to adopt a much broader scope of awareness. When you speak of "business continuity", that responsibility extends well beyond the boundaries of IT and technical solutions. You'll need to consider risks to facilities, personnel, processes, supply chain, basically anything that might interrupt the normal operation of your business. I would suggest you consult with some of the resources available on the DRJ website as a start. Then consider joining up with your local chapter of the Association of Contingency Planners. These two actions will help move you forward very quickly in terms of knowledge.

~ Patrick Ridder, MBCP, MBCI, CHPCP  
ISO 22301 Lead Auditor

Keep it simple. There are a number of sources you can find on the internet. The best place to start is https://drii.org/ Check out the "Resources" section and review the "Professional Practices". It's a great starting point and you have the flexibility to evolve and mature your plans. Another great website is http://www.drj.com

~ Beth Epstein, MA, CBCP, MBCI

Welcome to the world of man vs machine. You will need to consider anything that can impact what a person does. What are the threats and vulnerabilities? Just to get you started, consider what the business processes are that are conducted by the employees, upstream and downstream dependencies, third-party risks, required resources, regulatory requirements, types of scenarios, etc. The list goes on. A great place to start is the DRJ website. Reach out to the contacts listed!

~ Stacie J Herzog, CBCP, MBCI

Don't feel alone is my first piece of advice! Most BC Planners started their career working in IT in some capacity or another. My second piece of advice is to remember: IT provides the Technological Resources for the recovery. Your Business Operational Teams provide the business knowledge required to accept the recovered environment and get the business back up and running again. And finally, attend a BC Planning course, such as those offered by BCI or DRII. Gaining an understanding of the Business Impact Analysis, and making sure your Business Operational Units complete a BIA, is a critical step in the development of a BC Plan.

~ Colleen Huber, CBCP,MBCI,CBRM
Manager, BCP & IT Development

I work in risk management at my firm and we now have responsibility for making sure we have plans in place to protect our people and assets. We like standards and best practices here. Which standards do you recommend we review as a starting point?

Your best bet is to start by researching your organization's management and how they feel about standards. There are many standards to choose from. This link can provide you with a side-by-side comparison of a few: http://www.isaca.org/Journal/Past-Issues/2003/Volume-2/Pages/Business-Continuity-Management-Standards-A-Side-by-side-Comparison.aspx All of the business continuity standards are not the same, but they all address the established issues for business continuity management. It then becomes a matter of corporate preference, or perhaps the ultimate standard will be dictated by industry regulations. Keep in mind, however, that the standards address Business Continuity Management, but very few provide any real instructions as to how to plan and implement a Business Continuity program.

~ Beth Epstein, MA, CBCP, MBCI


I am new to business continuity. I work for a small company and have been assigned to develop contingency plans for the organization. We have some IT technology plans in place and that seems to be acceptable to our management. So where do I start?

Without knowing it, you just answered your own question. You're making an assumption that the IT plans "seem" to be adequate to your management. Step one, VALIDATE that assumption. It might be a fact that your management doesn't understand the depth and complexity of improving your organization's resilience. Meet with your management. Give credit for what has been done and identify for them the gaps in the process. Help them understand that the IT plans might not be adequate when the impact reaches beyond the walls of the Data Center.

~ Patrick Ridder, MBCP, MBCI, CHPCP  
ISO 22301 Lead Auditor

IT Disaster Recovery Plans would be a good start in the BCM journey. The company would require additional procedures to supplement them that are business and personnel related:

  • Workflow recovery
  • Desktop recovery
  • Physical Documentation recovery
  • Crisis management and communications
  • Emergency response
  • Incident Escalation

~ Andrew Lee

Don’t just view with a technology lense. Look at the people, location and processe. Perhaps an organizational chart will be a good start, so you can build plans from that. The org chart will identify (hopefully) who does what, where, etc.

~ Beth Epstein, MA, CBCP, MBCI

Start looking at what the people who use this technology do. Identify what business processes they do, where they do them, what regulatory requirements they have, SLAs, predecessors, etc. Once you've identified these, continue looking at other areas that may not have an IT technology plan but are dependent on the business areas you started with. Eventually, take a look at the organizational chart and map it out to ensure you have identified all the business processes that are conducted for your company.

~ Stacie J Herzog, CBCP, MBCI

Once IT Recovery is complete, the Business Units will need to verify the recovered environment and "accept" the recovery. To accomplish this, Business Units document their Business Resumption Plans, or Business Recovery Plans. A good way to start this is to work with your Business Operations Staff to identify their most Critical Business Processes - these are the processes that need to be back up and running or you could sustain irreparable damage to your organization's Image, Brand or Reputation.

~ Colleen Huber, CBCP,MBCI,CBRM
Manager, BCP & IT Development
