How vulnerable are public sector systems? cont'd...
Business Continuity and rebuilding infrastructure
BCM is a business as usual, business-owned and driven process that unifies a broad spectrum of management disciplines (see figure 9). Just as systems should not be seen as relating wholly to technology so business continuity should not be seen as just relating to ITDR. To their detriment many organisations tend to focus all their efforts on ITDR because of its business critical nature leaving them exposed on many other fronts.
Figure 9: The Unifying Process
Source: Dr David J Smith 2002
As a result of its all-embracing nature, the way BCM is carried out will inevitably be dependent upon, and must reflect, the nature, scale and complexity of an organisation’s risk profile, risk appetite and the environment in which it operates. BCM also has close links to operational risk management and corporate governance strategies. The importance of a holistic approach across these areas has been reinforced in legislation and numerous regulations and guidelines published by governments and regulators throughout the world.
Ignoring business continuity issues can happen for a number of reasons. A process of ‘group think’ can develop whereby an organisation genuinely starts to believe that their size, or some other feature, makes them immune or firmly believe that insurance will cover them, without realising that insurance cannot indemnify against loss of intangible assets. Research shows that crisis-prone organisations tend to exhibit these tendencies seven times more often than crisis-prepared organisations. Whilst all individuals may make use of such defence mechanisms from time-to-time, the key difference is the degree, extent and frequency with which they are used.
Changing such mindsets is not easy, and blindly implementing so-called ‘best practice’ business continuity techniques is not always the most beneficial approach. As all organisations are different, techniques that work in one organisation will not necessarily work in another. Most executives tasked with addressing business continuity issues are keen to achieve quick wins, and the ‘tick box’ audit approach, which tries to copy successful strategies used elsewhere, is often adopted without consideration as to suitability.
Each organisation needs to assess how to apply the ‘good practice’ BCM process and lifecycle (see figure 10) to their own organisation. As identified earlier they must ensure that their BCM competence and capability meets the nature, scale and complexity of their business, and reflects their individual culture and operating environment.
Figure 10: The BCM Lifecycle
There is no doubt that setting out the Recovery Time Objective(s) (RTO) and data Recovery Point Objective(s) (RPO) are essential (see figure 2) within business continuity strategy(ies) and a plan(s)
The strategy(ies) and plan(s) become(s) a source of reference at the time of a business continuity situation or crisis, and the blueprint upon which the strategy and tactics of dealing with the situation/crisis are designed. In particular, it can provide essential guidance on damage limitation in those short windows of opportunity that often occur at the beginning of a crisis.
A further and critical reason for having an effective BCM lifecycle and process (see figure 10) is so that the individuals who are required to implement it can rehearse and test what they might do in different situations. Scenario planning exercises are a very helpful technique for destruct-testing different strategies and plans.
Having said this, it is simply not possible to plan for every eventuality. A trade-off needs to be achieved between creating an effective and suitable capability or relying on untrained and untried individuals whilst hoping they will cope in a crisis. The spanning of the gap between the plan and those who carry it out can be achieved by either formal tuition and/or exercising simulations.
Creating Continuity ... Building Resilience ...
If you would like to know more about how your organisation can get involved and benefit from working with the Continuity Forum, please email us HERE! or call on + 44 (0) 208 993 1599.
____________________________
