Dr. Tom: Scott, as president of a company that provides comprehensive BC products and services, what is the most important objective to your customers in terms of business continuity?
Ream: For many of our customers, their critical concern is around engaging the business to provide “properly grounded” business requirements for the recovery of critical applications. Frequently IT-DR planners struggle to engage the business in a serious dialog regarding how quickly critical IT applications must be restored before they cause unacceptable adverse impact on the business. In many cases, business leadership has never undertaken a rigorous business impact analysis and has not quantified their “risk appetite” (amount of risk leadership is willing to accept before BC plans must be put in place). In the absence of clear direction, IT makes assumptions based on best available data and develops DR plans accordingly. In many cases critical systems are under-protected. Surprisingly, in too many cases, IT applications and infrastructure can be over-protected. Why? Because in the absence of disciplined BC focused dialog about realistically how long the business can survive without certain IT assets, IT planners look to do a good job and as a result invest in solutions that exceed recovery time objectives that could be tolerated.
Dr. Tom: How do you ensure that all potential disruptions have been addressed in the BCP?
Ream: We promote the idea of “event classes” rather than disruption or scenario-based BC planning. All IT-DR recovery and all business recovery efforts are far less concerned with root cause. We have learned that in the end, all disruptions fall into one or more of these five event classes:
- Loss of workplace (floor, building, campus or region)
- Loss of key personnel,
- Loss of access to critical IT applications
- Loss of critical services (internal infrastructure & external suppliers)
- Loss of critical assets (paper records, and specialized equipment)
Whether a fire, flood or HVAC failure, to the business and IT folks affected, it’s simply a matter of “loss of workplace.” How long will we be displaced? Do I need to invoke my “loss of workplace access plan?”
Dr. Tom: Public Law 110-53 recommends a voluntary accreditation for private sector business continuity planning. How might a business assess its current plan?
Ream: In October 2003, we released the “Business Continuity Maturity Model.” This document is the work of more than 40 BC professionals who defined and developed this landmark model. It is free of charge and can be downloaded from our Web site. This 68-page document describes the most comprehensive reference frame available today to objectively measure any BC program.
Dr. Tom: Do you see DR and BCP in public and private sectors converging?
Ream: I see it happening already. A key factor bringing on this convergence is efficiency-driven, complex dependency within the business and between business partners. In every corner of the world, public and private organizations are focused on the efficient utilization of their resources. And there is a plethora of innovative service and product companies available to assist them. The results, operations and cost-efficiency has driven increased risk of disruption across the business landscape. A now famous 2003 Harvard Business review article touted this shift to risk management for supply chain managers. Since 2003, the world hasn’t gotten less complex, it has gotten more tightly integrated and frankly, considerably more dangerous.
Dr. Tom: Scott, any final thoughts regarding the future of BCP and its implications to CIOs and other executives?
Ream: We are witness to the emergence of business continuity as an accepted “norm.” Throughout public and private organizations there is a shift underway. For many, business continuity is no longer something to be ignored or relegated to an unimportant backwater of the organization. This shift is still in the formative period. The most serious forces of change are coming from government regulation and world events. We already see much greater attention placed on sustainability and repeatability of BC investments in consulting and software tools. The consulting engagements we are being hired to implement are increasingly focused on teaching organizations how to distribute BC ownership across the enterprise. The most successful BC planning tools today are still those written to be used by BC professionals to do the planning. This is not the way of the future. BC professionals must be encouraged by their leadership to focus on process and facilitation skills. They should be challenged to determine how best can the organization deploy and sustain a repeatable BC process where managers do planning – not BC professionals.
Dr. Tom Phelan is a project executive with Virtual Corporation, president of Strategic Teaching Associates, Inc., and author of “Emergency Management and Tactical Response Operations: Bridging the Gap.”
"Appeared in DRJ's Summer 2008 Issue"