About Us  |  Search  | FAQ  | Contact Us
Your BCM
Risk Management
Human Resources
Smarts Cards
Optimise CRM
Data Warehousing
Disaster Recovery
Swift Messaging
BPM & Workflow
Capital Markets
Global Custody

Page last updated
February 15, 2003

ISSN No:1470-5494 All rights reserved. No part or portion of this publication may be reproduced or transmitted in any form without the express, prior and written permission of the publisher. Whilst every effort has been made to ensure accuracy, the publisher accepts no responsibility for any person acting as a result of the content herein.




Eating an Elephant
Feeling overwhelmed by the task of managing business continuity in your organisation?

www.golobal continuity.com

Business continuity is a big animal and it's unlikely you'll be able to digest even one tenth of it at a single sitting. This isn't too surprising in a discipline that aims to facilitate rebuilding the core of an organisation in just a few short days. But don't be dismayed or put off by this; enormity has hidden benefits! It means you can view the subject from many angles, touring it, taking in new perspectives with every turn. As you become familiar with its shape, form and anatomy you'll realise that business continuity can be both enlightening and challenging.

This article sets out to offer an introduction to the subject, taking you close but not so close that you lose sight of your objective or get trampled underfoot. It provides a view of the conceptual side, touching upon motivation and methodology as well as the more practical components of analysis and planning.

The art of comfortably digesting the business continuity elephant lies in understanding why it exists. It starts with stakeholders. These are individuals, groups or bodies that stand to lose in some way if the organisation fails to deliver on its promises. The makeup of the stakeholder population varies between organisations and can include employees, directors, shareholders, beneficiaries, pensioners, customers (in the widest sense of the word), partners, suppliers, the public and the media. Stakeholders' interests are similarly diverse, ranging from balance sheet preservation to the avoidance of hurt feelings, from maximising sales performance through to strong workforce morale and the ability to report news.

Most legislatures identify individuals responsible for 'corporate governance'; that is to say those whose duty it is to ensure that (at least) the formal stakeholders' interests are upheld. These are usually board directors, trustees or partners who in turn may employ managers to implement their instructions. One part of this broad swathe of responsibility, the protection of stakeholder interests from the uninsurable effects of major disruptive events, falls squarely on the shoulders of business continuity and to a large extent defines its purpose.

The words 'uninsurable effects' and 'major disruptive events' reduce the scope of what would otherwise be an immense task. Traditionally, they rule out most forms of financial crisis, commercial misjudgment and minor operational events that fall under the 'business as usual' banner, whilst allowing stakeholders some financial recompense when they claim against insurance policies.

You would be excused for believing you must now transform the organisation into an impenetrable Fort Knox, duplicating every piece of data and equipment, insuring to the maximum and training teams of staff to respond perfectly to every incident. The fact remains that as well as benefiting from resilience and the preservation of its integrity, many of the organisation's stakeholders will also have to fund the protection of their wealth. This is something they will be acutely aware of and reluctant to do unless they are convinced that they will receive a good rate of return on their investment. Most will also have a much firmer grasp of commonsense business finances than ever they will of business continuity.

Consequently, the business continuity manager (BCM) is left to juggle three contrary parameters:

n The level of residual risk that stakeholders are prepared to tolerate (i.e. the risk that remains after planned reduction measures have been applied);

n The actual reduction in risk offered by the available continuity measures;

n The budget available for prevention and disaster recovery.

These variables substantially define the BCM's role and the hunt for 'latitude' amongst them is continuous. Opportunities for improvement are present in many forms, for example:

n New products and services are continually introduced, offering greater protection against current threats sometimes at reducing cost;

n Many services are contracted and improved cover or terms can frequently be negotiated with the supplier by tendering and selection;

n Budgets are set according to stakeholder perception of the risks the organisation faces. Continual awareness-raising through education and participation can help align budget with expectation.

On the strength of these alone the BCM must adopt the mantle of researcher, corporate guardian, board-level communicator and canny negotiator.

Typically, tens, hundreds or even thousands of opportunities for risk reduction arise during analysis and as a BCM you must decide which of these should be implemented and in what sequence. A simple two-step mindset can be adopted:

n Identify and plug the big holes first;

n For each hole, identify and apply the best value solutions.

Finding the 'big holes' in the organisation's defences is easier said than done. For example it's easy to see that the mainframe might be a critical asset and that if destroyed, its loss would cripple the business. Less apparent might be that users rely on a front-end device to access the mainframe whose configuration is obsolete and which now represents a single point of failure. Add to this that that the likelihood of the mainframe failing is remote since it is heavily protected and that the front-end device sits in an unlocked closet, dusty and poorly maintained. Which (if any) of the two should we spend our last few dollars on?

Using this limited information it is of course impossible to tell, although you may have already made an assumption. We can only improve on this guesswork by systematically analysing the ways in which the organisation feels and accumulates 'pain' following an incident, usually using a technique termed business impact analysis (BIA).

One adventurous way of collecting the data we need would be simply turning off the mainframe and then the front-end device in turn and monitoring the accumulation of stakeholder losses (and lawsuits) arising from each! Joking aside, it is extremely rare that we can measure actual loss and equally difficult to obtain an accurate likelihood figure for the loss of either device. Instead, we are obliged to build a portfolio of convincing guesstimates, a table listing the assets we wish to protect and, against each entry, our estimates of impact, likelihood and resulting exposure. We can then set this against the reduction in risk per dollar spent for each measure we decide to evaluate, an assessment of relative value to the business and a basis for comparison.

BIA is also used to prioritise recovery from disaster and is a vital component of every business continuity plan. It uses the rate of anticipated loss arising from the non-functioning of an asset or department to determine restoration timeframes, recovery priority and the degree of preparation required.

From the business continuity manager's perspective and despite its vagaries, BIA is a vital tool and a powerful justification for every decision made under the business continuity and risk management banner.

Plat du jour
The true currency of continuity, the bottom-line, the commodity that we strive to manage, is disruption itself. Many excellent books have been written on and around this subject, delving into the nature of chaos, entropy and disorder, providing fascinating background reading. However, the points that shape the continuity manager's role can be extracted on the strength of a simpler analysis.

Disasters begin with one or more causal events: an accident; an intentional act; a naturally occurring phenomenon or a compound of these. Each has a characteristic 'footprint' and if it strikes us severely or in a vulnerable place then it may puncture our defences in a very specific way. For example, a denial of service attack that penetrates the firewall may disable a server by deluging it with incoming mail. This footprint, combined with the likelihood of the event occurring defines it as a threat to our business and something we must take into account.

Once on the 'inside' the threat begins to disrupt operations in a particular way, affecting the parts of the operation it touches and potentially causing it to fail in a certain predictable way called a failure mode. All business assets (tangible and intangible) have one or more failure modes. For example, the server could also fail because of a disk crash, an operating system error or a power supply burn-out. Failure modes represent weaknesses and an awareness of these can help highlight opportunities for improvement by the business continuity manager.

Business assets are there for a reason - either they generate direct benefits or they add value by supporting other assets or processes. So when our server fails, there is an inevitable knock-on, a cascading effect where this single malicious act now affects hundreds or thousands of desktops, depriving staff of e-mail services, affecting departments and ultimately reducing service to customers. This escalation through the organisation is a function of 'causality', a unique characteristic with many time constants and dependencies. The causal net can be modified to halt propagation by building-in firebreaks and duplication of critical assets; it is another important consideration for the business continuity manager.

If the net effect of threat propagation results in the operation being damaged so severely that it rapidly causes intolerable loss to stakeholders, then a disaster can be said to have occurred. The cumulative end-effects of the threats propagation, again, tend to present in a characteristic way that is unique to the organisation, allowing them to be classified as 'scenarios' e.g. 'medium-term denial-of access to building A'. In each case recovery must be affected and the business continuity manager must be prepared and know how to respond.

From this much-simplified explanation, we can see that an organisation's exposure to risk can be reduced at three stages in the cycle:

n Before incidents occur, by managing down the likelihood or severity of certain threats arising e.g. training staff not to make operational errors, using CCTV as a deterrent to vandals;

n During incident propagation, by building or buying-in resilience in individual critical business components, systematically reducing vulnerability e.g. installing uninterruptible power supplies to computer suites, deploying firewalls for Internet traffic;

n After a disaster has been declared by being prepared and by responding appropriately to facilitate timely recovery e.g. training staff to respond, planning how they should act, providing alternative infrastructure and resources

These points attach two more vital strings to the business continuity manager's bow. The first is operational risk management (sometimes called risk analysis or risk assessment) which involves the systematic reduction of risk using tools such as failure mode effects analysis (FMEA), risk registration and the application of checklists and standards. The second is business continuity planning which has its own panoply of associated techniques, too many to cover here.

From this lightning foray into the basics of business continuity management it should be evident that the subject is truly multi-faceted; that in addition to being a collection of expert disciplines, it is a living process and a highly interactive management activity touching most aspects of the organisation. It has a Jekyll-and-Hyde persona, able to switch in an instant from a thoughtful, low-profile peacetime identity to a highly visible source of order, provision and knowledge; a saviour when disaster strikes.

You should know that the business continuity manager must maintain an up-to-the minute, in-depth understanding of the organisation s/he protects. S/he must anticipate and keep pace with markets, people, places, technologies, suppliers and information as it moves and changes over time. S/he is also the sweeper, the ultimate backstop, the safety barrier that one day may save the organisation from calamity. You should also have begun to appreciate the enormity of the task.

To compensate, business continuity managers are entrusted with a unique insight into how the business really works, from power cabling right through to process interactions sometimes on an intercontinental scale. They do this is by constantly accumulating knowledge, digesting it comfortably a piece at a time until they achieve control. A little like eating an elephant.

John Robinson
Managing Consultant

(A European business continuity and operational risk management consultancy. )

John is also an associate consultant with Global Continuity.

This article appears courtesy of Global Continuity.com who retain copyright.






Board strategy
BCM Solutions
Business Continuity Management
Your BCM




Home  |  About Us  |  Search  | FAQ  | Contact Us