The usual end-of-summer string of catastrophic weather-related disasters, combined with an incredibly turbulent economy, should have tech implementers looking more closely at the plans they have in place to survive the unexpected, no matter what the source.
Enterprise IT managers need to look beyond the technical side of things, mapping out the core elements of the business to help plan for the unfathomable. At the same time, they need to take advantage of newly burgeoning standardization and certification of business continuity practices.
Business continuity management, or BCM, describes the organized framework for building a company’s defenses against potential threats, whether those threats are financial, technical, social, political or environmental in nature.
Through BCM, a business identifies the core processes in need of protection; anticipates potential threats to those processes (and, therefore, to the company and its financial backers); predicts the potential impact of these threats on the way the company does business; clearly defines processes to remediate or work around those problems; and establishes methodologies for both testing and improving these remediation steps over time.
With these plans in place, a company should ultimately be able to continue business operations at levels deemed acceptable by the planning committee before the onset of disaster.
There are many different ways to go about building this level of resiliency into corporate practices and processes. Indeed, a BCM plan needs to be tailored to the philosophy of the company, its tolerance for risk and its long-term goals. However, the plan also needs to be grounded in enough measurable goals and consistent practices that it can be compared and contrasted with other companies’ efforts, so that the security afforded by the plan can be extended to external entities. A BCM plan can provide only a limited amount of resiliency if worldwide facilities, supply chain partners or global affiliates are not holding themselves to the same standards in their continuity planning.
To provide this level of assurance to these external entities, a BCM standard becomes a critical element. Such a standard provides a way to measure and contrast your efforts with those of others, thereby allowing you to extend your organization’s philosophy to those external relationships, and helping extend the company’s ability to meet regulatory and customer requirements.
This kind of extensibility beyond corporate borders could become a significant competitive advantage for a company if the compatibility is proven through some kind of certification. The certification would allow that company to quickly prove to partners and affiliates that it meets a certain standard when it comes to continuity planning.
“Business continuity is designed to allow an organization to interrogate its processes so it understands how things work, where the risk points are and how to start building mitigation processes and strategies,” said Todd VanderVen, president of BSI Management Systems, America. Certification “gives you the ability to do the audit and certification of those processes, so when you are out talking to the supply chain, you can ask them if they follow business continuity. They can say yes, but if it is not a certified type of process, you never really know,” added VanderVen.
Unfortunately, one danger of a poorly drafted BCM standard is homogeneity. What works for one company may not be a good fit for another. Every company undergoing a BCM initiative must make sure that the strategy fits the ongoing interests of the company and its shareholders, is in line with the company’s risk tolerance, and is actually achievable given the amount of manpower and budget allocated for the initiative. Therefore, a well-designed standard has to be generic enough in its guidance to allow companies of all shapes and missions to operate within its strictures, while retaining enough substance to achieve its stated purpose.
The corporate officials in charge of implementing BCM must also recognize that there really is no end game for a proper BCM initiative. The plan must constantly undergo evaluation and testing to ensure it meets the needs of the company, while adapting to changing business conditions. Without a defined process to evolve the plan, it can quickly fall out of date. It may still provide the benefit of keeping auditors at bay, but it may not be effective when an actual emergency arises.
What’s Out There Now
Last year, Title IX of Public Law 110-53 tasked the Department of Homeland Security with taking the lead in developing, implementing and administering a voluntary certification program for BCM in the private sector, moving to help define a de facto standard in the process. The DHS has not yet recommended a standard to fit this voluntary certification program, and the guidance the agency provides to help a company plan for disaster on the DHS Ready.gov Web site does not match the scope necessary for a full-fledged BCM initiative, let alone a certification program.
At this time, the only auditable BCM standard available that can help C-level executives fully identify and make more resilient the processes in need of protection is the British Standards Institution’s BS 25999.
Celebrating its first birthday in November, BS 25999 is actually composed of two distinct documents (available for purchase).
Part one is a code of practice that lays out the terminology, scope and objectives of a BCM scheme, while part two comprises the actual specification that enumerates the steps that need to be taken to meet business goals. Part two is therefore intended to be auditable and certifiable, providing the basis of comparison needed to extend the relationship externally.
Third-party providers, such as BSI Management Systems, currently perform the certification testing, while others, such as Avalution, provide consulting services to help kick-start a BCM pilot or guide a growing iteration’s development.
These and other providers can come in to provide impartial and objective guidance and strategies, helping to deliver their clients to the certification stage. Ultimately, however, the DHS has charged the American National Standards Institute’s American Society for Quality National Accreditation Board, or ANAB, with administering the certification program, so the certification processes provided by providers such as BSI Management Systems may need to evolve as time goes on.
However, BSI Management Systems officials are quick to point out that companies do not have to certify their BS 25999 implementation to reap tangible benefits.
“You can bring [BCM] into the organization as a best practice to start the process of interrogating where the key processes and people are, and to establish what to do to maintain sustainability in the organization,” said VanderVen.
He added that planning with an eye toward BS 25999 also helps business leaders understand their companies better.
“BS 25999 causes an organization to begin a journey into what their processes really are, but may not necessarily be evident,” VanderVen said. “We’ve had customers come to us who thought they had 80 different activities that they thought they needed to track, but it turns out there were 18 core processes that really made a difference in their business. Then they were able to distill down to make sure those 18 key processes were maintainable and protected.”
While BS 25999 is a globally recognized standard (and one that the DHS recognizes), projects nonetheless are under way to establish a U.S. standard for BCM. Officials with information security organization ASIS International, for example, recently notified ANSI that the organization would begin work on a new BCM standard.
According to VanderVen, the British Standards Institution is working with ASIS on the development of this standard, with development slated to begin this month. VanderVen anticipates that ASIS will largely utilize BS 25999 at its base, with the intention of the new proposal becoming an ISO (International Organization for Standardization) standard two or three years down the road.
eWEEK Labs Senior Technical Analyst Andrew Garcia can be reached at agarcia@eweek.com.