GRC Tuesdays: Is Business Continuity a Separate Activity?
During a breakfast event a few months ago (back when it was still possible), I was having coffee with two security managers who were in charge of business continuity for their organizations: one was from the IT department and the other was a business operations manager.
The questions of our debate revolved around who should be the most significant contributor to business continuity activities, and whether continuity management should be a separate activity.
Interestingly, we all agreed that we saw business continuity management increasingly reaching outside the IT domain, where it historically focused on IT disaster recovery planning and information security, toward a more business-process oriented approach. The key value assets and processes of the company are identified, and continuity plans are defined and tested specifically to ensure that these assets and processes are always operational, even if in a degraded mode. The final intent is for the company to continue functioning and delivering its services and products.
Unfortunately, the resumption of the presentations didn’t allow us to continue this discussion, but today I’d like to share a few of my thoughts with you. And if these gentlemen are reading, I invite them to respond to this blog, of course!
To me, business continuity isn’t a separate activity. As a matter of fact, it’s a true example of an integrated approach that sits at the crossroads of many functions, including the following:
- Risk management: business continuity builds on the identified critical risks that would prevent the company’s objectives from being achieved, and continuity plans act as true mitigation measures for those risks – not by preventing the risk from occurring – but by reducing its impact in time and damage caused should an incident occur;
- Internal control: since sections of the Business Impact Analysis will derive from the process map and its associated control level;
- Audit (internal and external): since auditors will be key in reviewing the business continuity plans, sometimes even testing them, and potentially issuing some improvement recommendations.
I personally think that great business continuity managers have a rare talent: being able to understand the business context and its necessities, and, in particular, being able to assess the recovery measures (technical and non-technical) that need to be implemented to secure the continuity of operations.
Furthermore, in our constantly evolving environments, they also have the ability to regularly take a step back and ask themselves: Is this sufficient today? Will it suffice tomorrow?
They are certainly not alone in this quest, and my belief is that they should be supported by the different functions I mentioned earlier, and by others such as facilities, communications, and so on, since I don’t think that they can operate efficiently if kept in a silo.
I hope I’ll be able to continue the discussion that started with the two gentlemen, and I would also very much like to have your opinion on the topic, either on this blog or on Twitter @TFrenehard.
Originally published on the SAP Analytics Blog
I manage business continuity for my company's corporate datacenter and I reside within IT. I, however, assist the business units with their BC plans: communication, coordination, logistics, etc. My company isn't big enough to have a dedicated BC unit, so IT has assumed responsibility because it carries the most when it comes to disaster recovery.
Because our business units have enough to worry about, I have designed our BC so that it is seamless to the end user. In other words, regardless of which data center our IT services are being hosted from, our users click the same icons, enter the same passwords, etc. all the time, and it is supposed to always work. This frees up IT when we conduct our DR exercises. And it streamlines testing for the business to be very simple: "I want you to do what you normally do every day."
Our exercises are comprehensive and very thorough. Meeting RPOs/RTOs is a given. We are drilling down into the deeper layers of operating out of DR in case we had to host our services there for weeks or a month.
Many thanks for taking the time to share your experience here, it is very interesting indeed.
I think the situation that you describe, where your company isn’t big enough to have a dedicated BC unit so IT has assumed responsibility for the process, is the one that I have most often encountered.
I also very much like your take on this to the business: "I want you to do what you normally do every day"!
Thank you once again for sharing.