As business continuity and disaster recovery professionals, we thrive on the prospect of disruptions, interruptions, and catastrophes. The world economy looks like a catastrophe in progress. Bank bailouts, billion dollar government loans to industries, bankruptcies, layoffs, credit crunches, foreclosures, Ponzi schemes, volatile markets ... the list seems endless and still growing.
So what are you going to do about it? Not on a global scale, but within your own organization. Risks don’t go away just because management doesn’t think they can afford to deal with them. In today’s environment, risks are compounded by the new demands that spring from the need of organizations to insulate themselves from risk. Not only are regulators likely to be breathing down your company’s neck, but both its bankers and its customers want to know what you’re doing to protect their interests. Meanwhile, non-economic risks – pirates, rocket fire, car bombings, avalanches, blizzards, and the like – aren’t abating either.
You can’t change any of it. But what can you do? What should you be doing? There are two specific areas you must consider:
1. What can you do to improve your organization’s risk mitigation and readiness efforts to adapt to these changing times?
2. What can you do to increase your value to your own organization?
It should be obvious that making visible improvements to your organization’s readiness should correlate with an increase in your own value to the organization. But it won’t happen magically – you’ve got to make the effort, and you’ve got to make a visible impact if you hope to increase your value and sidestep any potential “right sizing” waves.
In better economic times, your organization may have been willing to absorb certain risks. That may no longer be true. Disruptions of service delivery – Web services, customer services, service level agreements – that once were simply annoyances, may now be unacceptable, even fatal disruptions. Company image and brand loyalty become more fragile – and more important to protect – when sales are down and competition fiercer. Your organization’s tolerance for risk may have changed, and you can help it quantify and qualify what risks still exist, and how they may have changed since your last business impact analysis and risk assessments.
Improving Your Organization’s Risk Mitigation and Readiness
High Level BIA Review
You probably don’t have the resources to conduct a new, full-scale business impact analysis. But that shouldn’t stop you from reviewing your last one and cataloguing the obvious differences (especially if, like most organizations, you don’t update your BIA annually):
- What new technology/applications/data centers have been added, augmented, or omitted since the last BIA?
- What new products, services, or business processes have been added (or omitted) since then?
- What new locations have opened, closed, expanded, or contracted?
- What shifts in organizational business strategies have occurred since the last BIA?
- What other changes (including the latest shifts in markets, finance, and consumption) may have changed the criticality of particular business processes, technology systems, people, supply chain elements, or facilities?
Summarize those changes – and extrapolate where impacts have changed (increased or decreased) and where dependencies (upon technology, suppliers, people, processes, or facilities) may have been added.
Analyze Changes to Risk Impacts
Just like the BIA, you may not have the cycles or resources to conduct new risk analyses, but you should make every effort to identify what has changed in your organization’s environment since the last one:
- Are there new threats?
- Has your organization’s vulnerability to any threat changed?
- Would the impact of certain risks be more devastating now than previously?
- Has the likelihood of any threat occurring increased?
- Are there potential strategies available – at little or no cost – that might mitigate the impacts of these changed risks or new threats?
Updating the threats, vulnerabilities, impacts, likelihoods, and mitigation strategies of your most recent risk analysis may yield vital information, including opportunities for your BCM program to add value at a reasonable ROI.
Review your Plan Readiness
How prepared is your organization to react to an unexpected disruption? Once you’ve discovered the situational changes in your organization’s risks and vulnerabilities, analyze how your current plans stack up against them.
- Are there gaps in the scope of your plans (new critical processes that aren’t covered or haven’t been given sufficient RTOs or priorities)?
- Are there gaps on recovery teams (due to layoffs or “right-sizing” activities)?
- When were plan tests last performed? Were those tests performed by team members who are still with the organization – and still have the same responsibilities?
- Are there, or will there be, gaps in dependencies:
  - Critical suppliers who can no longer meet SLAs, or meet your recovery needs.
  - Customers who now demand more than your plans are designed to deliver.
  - Operational dependencies (geographically split processing, distributed assets, dedicated recovery space, etc.) that may have been eliminated – or which may be compromised by resizing or consolidation.
Performing a gap analysis on your BCM plans (including crisis management and IT disaster recovery plans) should result in sufficient information to create a project plan for plugging the gaps.
Increasing Your Value to Your Organization
How do you build justification for the continuation of your organization’s business continuity management capability? Assuring that BCM is not on the list of non-essential functions that become the first to go in a right-sizing exercise will take work.
Why does management need you or your BCM program? What value do you bring – and at what price?
If you’ve done your homework – reviewing and analyzing your BIA, risk assessment, and plans – you should have collected information that senior management may find extremely valuable.
- What new or increased risks is the organization exposed to as a result of changes in the economy and the marketplace?
- What low-cost, high-impact mitigation efforts could be made to deliver a measure of protection to the organization?
- Where are there new, critical exposures that could pose potential problems – single points of failure, sole source suppliers, dependency relationships with at-risk suppliers, customers, landlords, network providers, etc.?
You or your BCM team may be the best source of “what if” information that management can rely upon. What if ...
- the company closes a facility where half of a “split processing” operation occurs? What are the potential impacts and the risks?
- the company opts to eliminate a non-critical function, which you can identify as an essential dependent in the critical path of one of the company’s most critical business functions?
- re-sizing, consolidation, or reorganization changes the alignment of players? Is anyone else aware of the impact of those changes on crisis management, IT/DR, and business continuity critical teams? Will the loss of key players on critical BCM teams expose the program – and the company – to the risk of being unable to respond to a disruption?
- the company eliminates the BCM program? What are the implications for the company? How will customers and regulators view that move – both immediately and in the future?
Providing management with information to help them make wise decisions can help justify the continued existence of your BCM program. But your focus should be more than just self-preservation. Your job should be to help management understand that BCM, because of its organizational value, is a critical priority, not just a short-term expense.
Be reasonable about that value. When management faces the difficult task of deciding how to trim the organization’s expenses to prolong its survival, compromises must be made.
If you’ve done the work and are able to demonstrate the value of your BCM program, you may survive until the next round of layoffs. But, you may find your operating budget trimmed, your staff reduced, your projected capital expenditures cancelled – or all of the above. Move on. Show you are a team player. Demonstrate that your program’s contributions are far more important than your management “empire” or your own career aspirations.
One day soon the economy will turn around. If you’re still on the team, and your BCM program is still intact (even if a bit smaller), your future opportunities will grow quickly. You’ll be among the survivors, the steadfast few who made it through the tough times. You and your entire program will benefit from that experience.
Jim Mitchell, CBCP, is director of professional services at eBRP Solutions Inc.
Jennifer Craig is a marketing coordinator at eBRP Solutions.
"Appeared in DRJ's Spring 2009 Issue"