Sunday, April 27, 2014

Business Continuity Management: Sounds boring yet saves lives, companies, butts

Lately, I've been revisiting an area of information security into which I have dived deeply on several occasions over the years: Disaster Recovery, which is pretty much the same as Business Continuity Management or BCM, which includes Business Continuity Planning (BCP). Along the way I have assembled a list of high quality BCM resources and articles that folks might find useful (and available for free in most cases). You will find the list at the end of this article. Here's a scene-setting quote from one of the articles:
Disasters can strike at any time – often with little or no warning – and the effects can be devastating. The cost in human lives and property damage is what makes the evening news because of the powerful tug of human interest. Much less coverage, however, is given to the disruption, struggle and survivability of business operations. A study fielded by the Institute for Business and Home Safety revealed that 25 percent of all companies that close due to disasters – hurricanes, power failures, acts of terror and others – never reopen. (Disaster Preparedness Planning: Maintaining Business Continuity During Crisis, Disruption and Recovery)

What is BCM? 

The scope of BCM encompasses or is adjacent to Disaster Recovery (DR), Disaster Preparedness, Incident Response Management, Business Technology Resiliency, and Emergency Response Planning. You could say the goal of BCM is to "make sure you survive and thrive despite the bad things that are bound to happen at some point, where you = your organization, its people, and its mission." In fact, I did say that once, when asked for an informal definition.

A more formal definition of BCM is: "Those management disciplines, processes, and techniques which seek to provide the means for continuous operation of essential business functions under all circumstances" (Jim Burtles, Principles and Practice of Business Continuity, see resource list for more details).

Another formal definition of BCM would be: "Strategic and tactical capability of the organization to plan for and respond to incidents and business disruptions in order to continue business operations at an acceptable pre-defined level." That's from BS 25999, where BS stands for British Standards Institute and BS 25999 was the "Business Continuity Management Standard".

BS 25999 was replaced by ISO 22301 and ISO 22313, which are Societal Security—Business continuity management systems—Requirements and Guidance, respectively. As ISO puts it: "While ISO 22301 may be used for certification and therefore includes rather short and concise requirements describing the central elements of BCM, a more extensive guidance standard (ISO 22313) is being developed to provide greater detail on each requirement in ISO 22301."

Incidents and accidents...

One way to get a better picture of the things that can test your organization's resilience and interrupt its march towards its objectives is to see what type of event or incident causes a business continuity plan to be invoked. Fortunately, Forrester Research has surveyed executives on the question of "invocations" (the survey results were shown as a chart at this point in the original post).


Another way for companies to look at BCP/BCM is that revenues, profits, reputation, market position, and share price are intrinsically linked and widely seen as the pillars of corporate resilience; however, "a blow to any of these props could cause serious problems for a company and its management team." That's from a booklet available in PDF from the Allianz insurance company: Managing Business Interruption: An insurer's perspective on supply chain risks. I'm not always a big fan of big insurance companies, but this is an excellent read because it brings into focus the huge challenges to resilience that arise from outsourcing, foreign suppliers, and supply chain inter-dependency.

Helpful Business Continuity Resources:

Footnote: My previous BCP deep dives 

I did a fair bit of research on disaster recovery and business continuity about 10 years ago when I worked on a project to create an incident response tool for SMBs and regional offices of larger enterprises. That experience dovetailed nicely into a contract to work with Prof. Michael Miora on the development of a Masters degree BCM curriculum for Norwich University in Vermont.

2 comments:

Alan Brady said...

Are you sitting comfortably? Many an afternoon has been enjoyed by a family, bonding over the discussion of Business Security. While it is becoming a hot topic for debate, there are just not enough blues songs written about Business Security. Inevitably Business Security is often misunderstood by the over 50, many of whom fail to comprehend the full scope of Business Security.
