Archer Technologies EXCLUSIVE: Building the Case for Automated Business Continuity Management

Having grown up in the Midwest, I quickly learned that a family road trip in the midst of winter can test the crisis management skills of any parent. In one moment, you’re pondering the beauty of a perfectly formed snowflake, and moments later, State Patrol officers are waving you off the impassable interstate. Now, it’s decision time. Do we attempt to find another road? What is the risk to the family if we choose to keep going on an alternative route? Is there nearby lodging and food that would allow us to hunker down until the storm passes?

Thanks to the mobile revolution, this crisis can be mitigated if not completely avoided. The minivan’s GPS device can offer an alternate route based on construction, traffic and weather conditions. Mobile devices coupled with weather radar, traffic and mapping applications enable a change of course that can lead you around the storm. If a safe path does not exist, these devices can help reserve lodging and provide a list of local restaurants that are quality rated by other weary travelers. Technology enables our ever-connected society to get the information we need quickly during a crisis.


Wouldn’t it be great if we could leverage this amazing technology to enable our business continuity teams to quickly respond during a crisis event? Imagine receiving a notification on your mobile device indicating that a crisis has occurred. Using that same device, you could review the latest recovery procedures and activate your recovery plan. Depending on the severity and type of crisis, automated phone dialing systems would begin delivering notifications to internal BCM team members as well as HR, corporate communications, risk managers, third-party vendor managers and executive management. The corporate communication team would enact their communication plan, the risk management team would begin evaluating impacts to the business, and vendor relationship managers would contemplate notifying suppliers of a disaster being declared. In the meantime, the continuity team is feverishly executing their recovery procedures, turning “cold” or “warm” sites into “hot” ones. This dreamy vision of business continuity automation can be your reality with a bit of planning and automation.

Automating Business Continuity Management

Many organizations that maintain business continuity and disaster recovery plans and testing data using Word, PDF and Excel find that the data within these documents quickly becomes stagnant. As employees change roles or leave the company and as new business processes or applications come online, these changes are not reflected in the continuity or recovery plans. When static documents age, the data becomes less and less usable.

To alleviate plan aging, organizations can collect business continuity information in a centralized, data-centric repository. Leveraging an automated repository to consolidate business continuity and disaster recovery plans, in addition to crisis response data, enables your team to:

  • Standardize plan documentation and impact analyses.
  • Reuse critical recovery strategies and procedures across multiple continuity or recovery plans.
  • Ensure the accessibility of business continuity and disaster recovery plans in the event of a crisis or business disruption.

According to a recent business continuity survey conducted by Archer Technologies, a governance, risk and compliance solution provider, the primary technology challenge for business continuity professionals involves coordinating efforts between three core disciplines: business continuity, disaster recovery and crisis management (see Figure 1). Using automation to centralize your business continuity data, the challenge of coordinating information between each disparate plan, strategy and procedure becomes a much less cumbersome process and reveals interdependencies between critical business processes and procedures.

Figure 1: Results from an Archer Technologies business continuity poll regarding BCM professionals’ primary technology challenge

Transitioning from a paper-based process to an automated, data-centric repository is a shift in mindset and can be overwhelming for business continuity professionals. To get started, organizations should:

  • Build an inventory of IT assets and business processes
  • Centralize business impact analyses (BIA) to better relate them to identified risks
  • Develop recovery strategies, tasks and procedures for easier plan development
  • Establish emergency notification templates in advance of crisis planning

Leverage Business Continuity in your GRC Program

The 2008 recession has forced business continuity teams to grapple with executive management’s perception of business continuity as an insurance policy rather than a mechanism for driving organizational success. According to Roberta Witty, research vice president for Gartner, in Gartner Inc.’s “How the Business Continuity Management Professional Can Survive the Worldwide Economic Crisis,” April 2, 2009: “The BCM professional must shift from a ‘recovery only’ mindset to one that focuses on the larger issues of risk management and business resiliency.”

Business continuity plans are often the only place within an organization to document business processes and their interdependencies. Business continuity teams must leverage this valuable information not only for operational recovery, but also to share key performance and risk indicators with business units and risk management teams.

Archer’s recent business continuity poll revealed that 38% of business continuity professionals are interested in integrating business continuity and risk management data to provide a consistent measurement of risk across the enterprise (see Figure 2). This integration into a larger governance, risk and compliance (GRC) program enables organizations to understand business availability risks in the context of their overall risk posture.

Figure 2: Results from an Archer Technologies business continuity poll regarding areas that offer the biggest opportunity for BCM programs

The ultimate value of Business Continuity automation can be realized when you are able to share operational data with other GRC processes within your organization. For example:

  • Tying your BCM data to enterprise management assets such as business processes, applications, devices, facilities, and critical business information enables you to derive impacts to these critical resources when an event occurs.
  • Connecting crisis event data with incident management capabilities allows the organization to tie recovery efforts to incidents and investigations.
  • Relating business continuity and disaster recovery plans to specific vendors enables the organization to inform third-party suppliers that a crisis event may impact their ability to exchange information or provide services to the organization. It also allows effective management of threats resulting from vendor relationships.
  • Identifying regulatory requirements that may fall into non-compliance if critical business processes are not effectively recovered may save the company potential fines and prevent impact to revenue, brand image and stakeholder confidence.

Once GRC data is consolidated, it becomes easier and more efficient to write business continuity or disaster recovery plans utilizing these related elements. Additionally, the business continuity team gains a win with executive management for providing valuable risk data to the enterprise, helping streamline operations in addition to ensuring operational recovery during a crisis.

BCM Going Mobile

You have taken your business continuity data from a static, stale document to an automated, data-centric system. You have integrated this vital data with core risk, enterprise asset, vendor and regulatory data across the organization. Wouldn’t it be nice to have access to all of this critical information when it counts? The demands of business continuity and GRC programs don’t end when you step away from your desk. With the explosive amount of data that is managed to evaluate business risks and assure business resilience, mobile access to this information is no longer a luxury; it’s a necessity. Mobile access to business continuity data enables end users to rapidly review business recovery procedures and emergency notification procedures from remote facilities, satellite offices, warehouses, vendor locations, home offices and anywhere business takes them.

“Going mobile” enables business continuity teams to:

  • Access business continuity plans, procedures and calling trees from a remote office in the event of a business process failure or crisis situation
  • Integrate with geographical mapping applications for quick access to physical locations and contact information
  • Review the details of an incident and make informed decisions on how to respond while away from the office
  • Evaluate previous plan test findings and/or remediation while recovering at an alternate location

Mobile devices are changing how we can keep business running even when we are not in the office, and they are critical to an effective business continuity management program.

Final Thoughts

Taking an automated, integrated and mobile approach to business continuity management with the goal of mitigating operational risk and ensuring operational recovery during a crisis is no small task. However, a business that can do this effectively may have a competitive advantage. For organizations that provide products or services to customers that are dependent upon IT systems, as many companies with a Software as a Service (SaaS) offering do, evidence of a sound plan can be used to win or retain customers and appease regulators. Implementing an effective business continuity management program can help BCM professionals demonstrate that they have key knowledge to help the organization better manage risks to its business.

Bio

Steve Suther, CISM, is a senior product manager with Archer Technologies with more than 20 years of experience in information technology. Prior to Archer, he served as a senior information risk management consultant with Dutch-based IT service provider Getronics, and prior to that, the director of information security management at American Express, where he was responsible for management of the company’s IT security policies and standards, development of new strategic capabilities, vendor and regulatory management. Prior to American Express, he held several IT management positions with companies including Bankers Trust Company, Fuji Bank & Trust Company and Merrill Lynch.

Susan Read-Miller, CISSP, is a product marketing manager with Archer Technologies with more than 14 years of experience in information technology. Prior to Archer, she served as the director of product marketing at CA, where she was responsible for security information management marketing programs. Prior to CA, she held several product and project management positions with eSecurityOnline LLC and Black & Veatch.

