Our work with organizations of all sizes has led us to identify eight key factors that contribute to the success of an organization’s information technology disaster recovery (ITDR) program. Over the next few weeks, we’ll publish a post about each factor and discuss tips for success. So make sure to check back, and then join the conversation by commenting at the bottom of this post or sharing with your social network. Continue reading
Business continuity is an often talked about risk management practice, especially with what appears to be an ever increasing number of serious disasters, including Superstorm Sandy, the California wildfires, and the Japanese Tsunami – and that’s only natural disasters! Disruptive incidents can stem from major events such as these, but they can also originate from events that are far less visible and widespread, including sprinkler malfunctions, power outages, supply shortages, and an IT disruption.
This perspective discusses why organizations make the decision – or should make the decision – to invest in business continuity planning. Continue reading
In previous articles, Avalution has espoused the value of using a management systems approach to business continuity and articulated the notion that business continuity is more than just a collection of plan documentation. This approach is reflected in many different standards, including ISO 22301.
Even though business continuity plans represent just one component of a larger business continuity planning effort, they are what guide the organization through all phases of response and recovery following the onset of a disruptive incident – from the initial response and assessment to the eventual return to normal operations. Effective planning is meant to ensure that response and recovery efforts align to the expectations of all interested parties and provide a repeatable approach to minimize downtime.
This perspective explores the different types of business continuity plans that Avalution finds to be the most effective for organizations and examines their purpose within a wider business continuity strategy. Continue reading
The last several years have continued to see an increase in the sophistication and volume of cyber threats, with a 42% increase in targeted attacks in 2012 (as reported by Symantec, in its 2013 Internet Security Threat Report). The range and types of threats vary greatly as well; in June 2013, InfoSecurity magazine listed the top five specific IT cyber security threats as: data breach, malware, DDoS, mobile threats, and industrialization of fraud – each of which requires a different preventive and response approach. An Ipsos survey for Lloyds Risk Index 2013 indicated that cyber risk is the third biggest concern for CEOs when assessing organizational threats, jumping nine spots from the previous year’s ranking of 12th.
In most organizations, monitoring and response has continued to develop and mature within IT to proactively address vulnerabilities. That said, there may be opportunities to better integrate IT’s response to such illicit activity with the organization’s business continuity program and structure, so that if an event does occur, the organization ensures a timely and coordinated response. After all, cyber security incidents can have business continuity implications and impacts that extend far beyond IT. Continue reading
This perspective is the sixth in a series to discuss key elements of the ISO 22301 business continuity management system, including value-adding elements of the standard or requirements that could “trip up” an organization during the certification process.
Today we’re going to take a look at ISO 22301’s requirements for the establishment of an early warning network. Continue reading
The management system approach to business continuity requires a culture of continual improvement in business continuity programs. One of the key steps in facilitating continual improvement is to regularly evaluate existing business continuity procedures. This perspective takes a closer look at Clause 9.1.2, ISO 22301’s requirement for evaluation of business continuity procedures. Continue reading
So you’ve just completed your business impact analysis (BIA) – identifying recovery time objectives for a variety of processes and functions throughout your organization and captured the names of applications and systems that business owners state they just can’t live without. In addition, the IT department heard you were conducting a BIA and mentioned on a few different occasions that they were excited to see what the final results would be to help with their planning. You’ve taken all the applications and their reported recovery time and recovery point objectives and crammed them into a very lengthy spreadsheet, and then the inevitable happens… you realize that everything you have collected is a huge mess.
But, don’t worry, this is a common issue! This perspective will explore the process of taking that seemingly disorganized pile of data and organizing it into something that can be utilized by IT disaster recovery planners to help meet continuity goals. So, let’s get started! Continue reading
Building a business continuity program (or anything worthwhile for that matter) takes time and dedication. It also requires compromises – constantly balancing what is practical and what is possible to protect the business. BUT – it’s important to remember that politics, committees, and making everyone happy isn’t the goal of business continuity.
If you’re lost, playing the same game over and over and ending up at the same result, maybe it’s time to start from a blank page so you can focus on what matters most. Continue reading
The business impact analysis (BIA) and risk assessment are foundational elements of every effective business continuity program; however, in our experience, many business continuity planning participants experience a lot of confusion regarding the definitions, relationship, and expected outcomes between the two processes. This confusion often results in outcomes that fail to drive preparedness.
Avalution acknowledges that there are many different ways to design and execute BIA and risk assessment processes, depending on the objectives for each. We also know that many experienced business continuity professionals have strong opinions on this topic, which may not fully align with our view. This article simply aims to provide Avalution’s perspective on how to best design and execute the BIA and risk assessment processes to achieve results that align with how management views business continuity risk. Continue reading
This perspective takes a look at Clause 9.2, ISO 22301’s requirement for internal audit, defined as an independent assessment that provides management with feedback regarding the performance of the management system. The content found in this perspective is specifically based on lessons learned from our ISO 22301 certification audit (which Avalution completed successfully in the Spring of 2013). Continue reading