Sarbanes Oxley : Auditing : Thought Leader

Business Continuity Plans Must Be Updated and Modified To Keep Organizations Safe


By Eric Trapp, Senior Executive, Accenture

Events of the last few years have convinced corporate executives of the need for business continuity (or disaster recovery) services. One, after all, would need to live in a bubble not to acknowledge the potential havoc that events like 9/11, the SARS epidemic and Hurricane Katrina, not to mention more mundane events, can inflict on a business.

With all the attention given to natural disasters, terrorism and security attacks, as well as the need to comply with new regulations and legislation, it makes sense that responsible businesses have made the effort in recent years to develop recovery systems. Yet, while organizations have invested millions of dollars in protecting not only their IT but also their people and their processes, the question remains whether their plans will be effective should a disaster occur. From my experience, where they often fall short is in updating these plans as the business changes, technology changes and the threats themselves change. As a result, these strategies and programs can become about as outdated, and as effective, as the old shoe-sized cell phones that tended to break up and frequently disconnected.

Businesses, of course, are not only interrupted or disrupted by cataclysmic events. Security issues, including viruses, worms and denials of service, have frequently brought organizations to their knees, perhaps most famously those that affected online retailers and financial service organizations in the late 1990s. Additionally, mundane factors like faulty plumbing or various environmental problems, due to heating, ventilation or air conditioning, can expose businesses to major losses.

By neglecting to maintain their business continuity planning, organizations run the risk of no longer having a viable recovery capability. All the past effort and investment count for little if plans are not reviewed and updated. If anything, they end up giving a false sense of security. (And, according to Murphy's Law, a disaster seems to hit when one is least prepared.) Additionally, it has been shown that it is far more cost effective to incrementally modify and realign a corporate recovery plan than to examine it only every three to five years when an issue arises.

Important Questions
What are the key questions CEOs need to ask themselves and their staffs in order to feel confident that their enterprise's business continuity program will, in fact, mitigate any risks? Here is a look at them:

1. When was the last time I tested my disaster recovery plan? How comprehensive was the test? How realistic was the disaster scenario used for the test? Was there a third party or outside observer watching and documenting it? Were issues or problems that occurred during the test tracked, followed up on, and resolved?

2. What has changed since the last time I was comfortable about our business continuity plan? Have there been significant technology changes? Have we put new storage and network technologies in place?

3. Has my business changed? Are there new processes in place that weren't there when I first did my disaster recovery planning activities? Have they been addressed and built into our overall business continuity capability?

4. What are today's threat scenarios? What's changed in the geopolitical environment? Is my company situated in an area where there is unrest, and what is the risk?

5. How am I positioned for risk mitigation with my insurer? Have I looked at my business continuity capability as a way to lower overall insurance premiums?

6. When was the last time I updated the plan? Do I have a function within my organization whose sole responsibility is to ensure that our business continuity efforts are current and relevant? Am I getting frequent enough updates on how that is being done?

7. Have I developed my business continuity plans in a vacuum? Have the recovery plans for my information technology services, for my facilities, for my people, and those written in response to some piece of regulation or legislation all been coordinated so they don't yield redundancies or potential gaps in the plan?

8. What about the people outside my organization who could have an impact on my organization? Have vendors and outsourcing partners been contractually required to have sound business continuity plans in place that will not leave me vulnerable? What about my supply chain?

9. Have I leveraged my organization's inherent capabilities to my best advantage? Am I able to provide a recovery capability within my own corporate confines? Can I multi-purpose this capability for business purposes and then rely on it later if needed for recovery purposes?

We frequently hear the war stories, like the company that failed to employ inexpensive leak detectors to protect against flooding and ended up with a plumbing problem that shut down its IT systems, or the organization that built a data system up to earthquake standards but didn't take the time to strap or reinforce the server racks so that the servers would be braced effectively when the earthquake hit.

Yet even business continuity plans that were well conceived and executed several years ago may be ineffective today if they haven't been re-examined. Organizations that developed recovery and restore procedures and then put them on the shelf may be more vulnerable than they think.



Eric Trapp is a senior executive with Accenture's Security Practice and a specialist in business continuity strategies and planning.

He can be reached at eric.g.trapp@accenture.com.





© 2019 Simplex Knowledge Company. All Rights Reserved.