Most businesses that claim to be prepared for the worst, are ready but only in the sense that they would do something different from normal, The essence of good continuity, however, is that everything is planned in advance down to the smallest detail such that there is no need to think when something goes wrong.
There are numerous reports on the actual percentage of companies who have plans and none of them make pleasant reading. The statistics run from 50 to 70 % that have no full plans and if we add ‘tested and current plans’ we would probably find that at least 80% of all European businesses are exposed.
There are sufficient regulatory texts in place and the catch-all of ‘due diligence’ so it cannot be that this situation is deliberate.
The key to business continuity management (BCM0 is simplicity combined with planning for keeping the key parts (not all parts) of the business running at service levels customers accept. This service level can be much less than customers contracted for if the right measures are taken in terms of communications. BCM should aim at doing as much pre-planning as possible for probable events and plan for alternative ways to continue in business rather than adopting a simple break/fix attitude. There is almost always an alternative – for example, if the invoicing application breaks down, it could be done by hand in some cases.
There are multiple reasons for this lack of detailed BCM planning so here are some, in no particular order:-
- Over-analysis of the business. Not every part of a business has the same importance but someone needs to decide what does matter. Traditionally this is done by the Business Impact Analysis – risk etc.
- Focusing on IT only. IT is clearly the basis of every business so it needs to be a core part of the equation but IT has managed to create an illusion that availability will solve everything even though this is demonstrably not true.
- Over-analysis of impacts and risks leads to paralysis and project plans lasting years - by which time the original project sponsors have changed and support may be lost. Multiple milestones and short term deliverables are the key to keeping attention and being seen to be of value to the organization.
- Financing BCM is always an issue and the traditional approach is to use big numbers of potential losses to justify doing something. This should be avoided since it is simply not credible. How many companies realize that they lose more money from the hundreds of small inefficiencies in everyday outages than they ever are likely to when the big disaster occurs? BCM wins when it is easy and improves overall business efficiency in a reasonable timeframe. I will scream the next time I see a presentation on BCM with either a burning building, or worse, reference to ‘9/11’.
- Let’s get certified to a standard. The kiss of death quite often. Standards cause as much damage as good. They are a reasonable checklist but none say how to actually do concrete things in a level of detail which is reasonable.
- It won’t happen to us. Yes, it will. The classic excuses are – it happened last year so it won’t happen again. If this were true then you could buy your car, wreck it and then drive uninsured for the next twenty years certain in the knowledge that you would not have another accident because you have already had your share.
- You only need this for disasters. A disaster is a very subjective concept so the use of the word within a continuity capability can lead to endless confusion and, worse, misunderstandings where one person thinks their disaster is covered and another does not. The worst problem with the use of ‘disaster’ is that it gives the impression that planning only needs to be done for these events and not for any other kind of outage. As a result, no money should be allocated to the others either. Some standards and a lot of the bodies of work on the subject of continuity planning imply that BCM is only for ‘serious’ events.
So what should you do?
Someone, somewhere, commonly called a business manager, needs to be held to account to say what the impact is when the business can’t operate. (In some form of money if we are honest – reputational loss can, and should be, reduced to monetary terms).
Someone needs to decide on the risk appetite – and this is the hard part. Someone has to decide what the priorities are and aren’t. If this can’t be done, go no further because there is no basis for deciding how much money should be assigned.
Since the majority of planning exercises start without anyone really defining the business’ risk appetite, they are doomed to failure. The budget is usually the lowest that can be justified and is often the first to be cut and the management imperative is missing. Any project started in this way is often done with some degree of resentment so will lack support.
Don’t analyse every threat and every risk. The worst thing you can do is get some fancy tool with lists of threats. If you have to deal with any more than, say 20 risks, the project is no longer a BCM project but a risk project and worse, it will be considered to be complete when all the risks are analysed.
When it comes to threats and risks, the people who know best are those doing the work. The only successful way to do this part of the planning is to get these people involved. The person who knows transport risks best is the lorry driver.
Build scenarios that humans understand. When it is understood that a risk is, for example, fire, don’t ask people what they would do when there is a fire but ask them how they would continue work when their office is not available. All risks need to be reduced to scenarios which are understandable and the best way to do this is to involve, once more, the people doing the work.
For each scenario, build a step by step procedure. Use the same people (those actually doing the work) in a team setting and come up with a set of instructions. Then you have something you can desk test, live test, audit, and use to determine what your actual recovery capability and time is.
Now that you have set procedures saying what to do when something goes wrong, you can either put them in a book or on a server and offsite media (all three in practice) or you can do the job properly and make sure that incident management procedures (including any forms of service desk) are changed to be able to trigger the use of these procedures and that these in turn can trigger escalation management and crisis management procedures.
The key to BCM is making sure those who operate the business are involved at every stage once business management has given the green light. The key to financing BCM is not to use the big numbers but to understand that business efficiency is the way to go.
Having everything planned in advance so that breakdowns of anything are recovered as quickly as possible leads to an overall improvement. Remember that a five-nines data center is down for ten minutes per year but it could take longer than this to get the phone number of someone needed to fix a problem if it has not been put into a continuity procedure for the scenario.
Stuart Hotchkiss, CISSP, CISA, CISM, ABCP, PMP, is author of the Business Continuity Management, a Practical Guide, published this month by BCS, The Chartered Institute for IT and available here. Stuart is a Business Consultant at Hewlett Packard, based in Geneva. He has over 30 years' experience in IT in various areas from development to marketing and has worked the last 16 years in security and business continuity.