Chapter 8: Business Continuity and Recovery – Governance and Internal Controls for Cutting Edge IT

CHAPTER 8: BUSINESS CONTINUITY AND RECOVERY

“Hope is not a strategy.” Rudy Giuliani

Business Continuity for Cutting Edge IT

Business continuity are the activities performed in an organization to ensure that business functions during and after disruptive events. These can include localized events that require a work group relocation, up to regional disruptions. It requires investment and attention at the executive level to ensure a crisis response that is aligned with business strategy. This business strategy alignment is crucial, according to industry professionals such as John DiMaria. “The biggest challenge to pervasive Business Continuity Management (BCM) comes from those organizations who fail to fully understand the gap between recovery objectives and their recovery capability, and what that means to their business and the people and companies who are dependent upon their company’s products and services” (personal correspondence).

The international standard for Business Continuity Management, ISO22301, specifies the requirements for a management system to protect against, reduce the likelihood of, and ensure your business recovers from disruptive incidents. It covers BCM elements familiar to business continuity planners (BCP), including:

  • Board and executive management accountability;
  • Regular reporting to all stakeholders, including the BoD;
  • Responsiveness of the BCP to risk;
  • Integration of the BCP across personnel, lines of business, technology, and external providers and customers. Clear incorporation of interdependencies in recovery planning, both internal and external to the institution, is necessary for organizations adopting third-party services;
  • Active participation of employees in exercising the plans and testing assumptions, even when third-party providers provide recovery services;
  • Specificity as appropriate, but flexibility to respond to new situations.

This accountability involves establishing the process, resources, tools, and structures for BCP across the lines of business within the organization, as well as appointing the senior executive with responsibility for oversight of BCP. Regular periodic reviews of BCM are advisable to ensure ongoing engagement by executive management to ask questions regarding BCP exposure, ensure the resources are applied to appropriately address the institution’s risk, provide for the ongoing maintenance of the program, and get third-party opinions as to the effectiveness of the program.

BCP cannot be buried in the institution where visibility of its progress may be delegated to others. The board and senior management’s accountability for the resilience of the institution requires engagement, visibility, and regular briefings on BCP status, with emphasis on reporting of gaps, problems, and remediation plans.

The foundation to effective BCP is the business impact analysis (BIA). An effective BIA will require that the lines of business be able to define and communicate their business processes in such a manner that potential impacts of business disruption can be quantified. Senior management of the lines of business within the institution will need to understand legal and regulatory requirements, particularly as they pertain to business continuance. Line management will need to be able to clearly express:

  • Impact of breaches of statutory duties or regulatory requirements;
  • Maximum tolerable period of disruption for business activities within the lines of business;
  • Maximum time period within which specific business activities must be resumed;
  • Length of time within which normal levels of activity need to be resumed.

Institutions will find the BIA effort to be well worth the investment of time. Approaches to BIA need not be beyond the reach of institutions with smaller support staffs and limited consulting budgets, particularly since multiple business activities, such as security, compliance reporting, IT projects, and asset management all utilize similar information to that gathered for a BIA. A credible BCP will require a clear identification of critical business processes, something that comes from the BIA across the lines of business. Because lines of business will need to identify interdependencies between business process, third parties, and technologies, this is a significant undertaking and the key place to start in business continuity planning. The good news is that understanding the business explicitly, and documenting it for business continuity, has business benefits supporting risk management of the institution in multiple ways. The FFIEC (Federal Financial Institutions Examination Council)guidance, published in 2008, is consistent with the COBIT 5® approach: business impact analysis should include the “assessment and prioritization of all business functions and processes, including their interdependencies, as part of a work flow analysis.” Working across organizational silos, and sharing processes and information, aids cost-effective BCM and risk management regardless of the size of the institution. It also improves business function.

Institutions have an opportunity to avoid scenarios that are business impacting, if not damaging, by carefully evaluating assumptions during the BCP process. Integrating BCP into project management and aligning it with business initiatives that all utilize the same processes, such as records management, can deliver an effective program without the burden that most people associate with business continuity.

Many of the processes supporting BCM can be integrated with security processes as defined in ISO27001:2005, the Information Security Management System standard. While some benefits are immediately available, interdisciplinary elements to alleviate the BCP burden will have the most impact as processes are integrated over time.