The usual end-of-summer string of catastrophic weather-related disasters, combined with an incredibly turbulent economy, should have tech implementers looking more closely at the plans they have in place to survive the unexpected-no matter what the source.
Enterprise IT managers need to look beyond the technical side of things, mapping out the core elements of the business to help plan for the unfathomable. At the same time, they need to take advantage of newly burgeoning standardization and certification of business continuity practices.
Business continuity management, or BCM, describes the organized framework for building a company's defenses against potential threats, whether those threats are financial, technical, social, political or environmental in nature.
Through BCM, a business identifies the core processes in need of protections; anticipates potential threats to those processes (and, therefore, the company and its financial backers); predicts the potential impact of these threats on the way the company does business; clearly defines processes to remediate or work around those problems; and establishes methodologies for both testing and improving these remediation steps over time.
With these plans in place, a company should ultimately be able to continue business operations at levels deemed acceptable by the planning committee before the onset of disaster.
There are many different ways to go about building this level of resiliency into corporate practices and processes. Indeed, a BCM plan needs to be tailored toward the philosophy of the company, its tolerance for risk and the company's long-term goals. However, the plan needs to be grounded in enough measurable goals and consistent practices that it can be compared and contrasted with other companies' efforts to extend the security afforded by the plan to external entities. A BCM plan can provide only a limited amount of resiliency if worldwide facilities, supply chain partners or global affiliates are not holding themselves to the same standards in their continuity planning.
To provide this level of assurance to these external entities, a BCM standard becomes a critical element. Such a standard provides a way to measure and contrast your efforts with that of others, thereby allowing you to extend your organization's philosophy to those external relationships-and helping extend the company's ability to meet regulatory and customer requirements.
This kind of extensibility beyond corporate borders could become a significant competitive advantage for a company if the compatibility is proven through some kind of certification. The certification would allow that company to quickly prove to partners and affiliates that it meets a certain standard when it comes to continuity planning.
"Business continuity is designed to allow an organization to interrogate its processes so it understands how things work-where the risk points are and how to start building mitigation processes and strategies," said Todd VanderVen, president of BSI Management Systems, America. Certification "gives you the ability to do the audit and certification of those processes, so when you are out talking to the supply chain, you can ask them if they follow business continuity. They can say yes, but if it is not a certified type of process, you never really know," added VanderVen.
Unfortunately, one danger of a poorly drawn-out BCM standard is homogeneity. What works for one company may not be a good fit for another. Every company undergoing a BCM initiative must make sure that the strategy fits the ongoing interests of the company and its shareholders, is in line with the company's risk tolerance, and is actually achievable given the amount of manpower and budget allocated for the initiative. Therefore, a well-designed standard has to be generic enough in its guidance to allow companies of all shapes and missions to operate within its strictures, while maintaining enough of itself to achieve its stated purpose.
The corporate officials in charge of implementing BCM must also recognize that there really is no end game for a proper BCM initiative. The plan must constantly undergo evaluation and testing to ensure it meets the needs of the company, while adapting to changing business conditions. Without a defined process to evolve the plan, it can quickly fall out of date. It may provide the benefit of keeping auditors at bay, but may not be effective when actual emergent conditions arise.