Availability of information is an area that is often overlooked in the information security space. Having in place a strong business continuity programme, however, requires successful integration between a business and its IT function.
In today’s global economy, every aspect of a company’s operations is vulnerable to disruption, the risk and cost of which extend beyond its IT function.
Business continuity management (BCM) programmes today are a lot more complex, just like the businesses they serve. A comprehensive BCM programme has to include a framework as well as processes to manage a coordinated incident response, maximise protection of the company’s people, reduce the risk of data loss and, most importantly, operate as “live” programmes that adapt, improve and incorporate lessons learnt from past experiences.
My experience from the market shows that the most common reason for a BCM programme to fail is the lack of governance integration and misalignment with the organisation’s BCM and IT disaster recovery (ITDR) initiatives. Any disparity between the two strategies can hinder an organisation’s timely recovery after an incident.
Despite the obvious benefits of an integrated programme, establishing an integrated governance model for a BCM and ITDR programme is not a simple task.
According to Ernst & Young's latest Global Information Security Survey (GISS), 17% of responding businesses admit that they do not have such a programme in place. Moreover, of the businesses that do have such a programme in place, only 25% believe that it reflects a leading practice approved by senior management with defined standards and guidelines, roles and responsibilities, tools and techniques.
Despite most organisations having some sort of continuity plans in place, very few can boast of one without governance challenges. For organisations without any plans in place, on the other hand, statistics are alarming. Studies show that 40% of businesses that experience a disaster go out of business within five years. For organisations that effectively respond to and manage a disaster, a critical success factor is strong commitment from senior executives and the establishment of a BCM planning and governance process.
Business support for continuity and disaster recovery plans
So how can businesses have BCM and ITDR plans in place that involve the whole business?
Firstly, for these plans to be a strategic initiative, addressing any challenges in their implementation should be a priority for senior executives. Tackling those challenges early will help the organisation as a whole develop an integrated and effective governance structure, and as a result promote a better understanding of the organisation, reduce costs, protect its reputation and brand, and sustain vital activities.
Then, BCM and ITDR plans must be driven by organisation-wide objectives. In practice, however, these initiatives are often executed in silos, leading to a fragmented approach with misaligned priorities. A successful programme will leverage integrated governance to promote effective communication between the business and its IT team, and between the team working on the BCM programme and the decision-making executives.
Additionally, companies need to keep in mind that a BCM programme is an ongoing process and that plans should keep up with changing business needs. This should take into account everything from organisational change to changes needed in the IT infrastructure, as well as turnover among disaster recovery experts and business unit leaders, which may result in a loss of institutional knowledge.
Finally, the plans in place should support the quick transitions these changes demand through a change management process. This will help ensure that changes are identified, risks are revisited and essential modifications are made to the existing plans. A sustainable programme will continuously identify and manage organisational risks through regular review of strategies, reassessment of threats and risks, review of plans, exercises conducted and metrics reported. Governance must also facilitate knowledge transfer and awareness across the organisation, and promote a culture of proactive risk management.
Integration and availability of information are crucial. The successful implementation of a few clear steps will minimise issues in any recovery process, ensuring that the established BCM plans protect the business and that any disruption to the information needed to run a business is minimised.
Mark Brown is director of information security at Ernst & Young
This was first published in January 2013