Although plan documentation isn’t the only business continuity planning outcome, and absolutely should not be the sole focus during a program assessment, it’s certainly an important one. Plans are one of the first things customers and auditors ask to review because these documents should summarize the response and recovery approach used by the business following the onset of a disruptive incident, as well as the resources needed to deliver products and services. If asked to evaluate a plan, what’s the best approach, and what elements and content should you expect to see? The purpose of this perspective is to outline a simple, straightforward plan assessment approach.
Recently, a client asked whether it would be better to create a method to manage technical information in support of the IT disaster recovery planning effort, acquire and implement a commercial Configuration Management Database (CMDB) solution, or customize its existing business continuity software solution. The short answer is, “it depends.” This perspective discusses this commonly asked question, which, by the way, is very important given the need to understand the relationship between IT infrastructure, applications, data, and business continuity requirements.
Congratulations! You’ve started your business continuity planning effort—sometimes, that’s the hardest part. Now, you’re working diligently on your organization’s business continuity program, but it’s not delivering the results you had hoped. You’re performing a business impact analysis (BIA) and risk assessment, documenting plans, and socializing the next steps for your program, but it’s not progressing like you would expect or maybe it doesn’t have the capability your organization needs. So, what can you do?
This perspective outlines the common challenges organizations face when implementing a business continuity program that meets response and recovery expectations, and offers solutions that business continuity managers can pursue to address these challenges.
Nearly all business continuity professionals understand the importance of the business impact analysis (BIA) as the primary means for laying the foundation of a business continuity program. However, many professionals struggle to receive executive buy-in, as well as the necessary resources and support for the process. This article dispels common myths in an attempt to help remove barriers to obtaining support and contributes to the creation of the business case for performing the BIA in any organization.
Our work with organizations of all sizes has led us to identify eight key factors that contribute to the success of an organization’s information technology disaster recovery (ITDR) program. Over the next few weeks, we’ll publish a post about each factor and discuss tips for success. So make sure to check back, and then join the conversation by commenting at the bottom of this post or sharing with your social network.
Business continuity is an often-talked-about risk management practice, especially with what appears to be an ever-increasing number of serious disasters, including Superstorm Sandy, the California wildfires, and the Japanese tsunami – and that’s only natural disasters! Disruptive incidents can stem from major events such as these, but they can also originate from events that are far less visible and widespread, including sprinkler malfunctions, power outages, supply shortages, and IT disruptions.
This perspective discusses why organizations make the decision – or should make the decision – to invest in business continuity planning.
In previous articles, Avalution has espoused the value of using a management systems approach to business continuity and articulated the notion that business continuity is more than just a collection of plan documentation. This approach is reflected in many different standards, including ISO 22301.
Even though business continuity plans represent just one component of a larger business continuity planning effort, they are what guide the organization through all phases of response and recovery following the onset of a disruptive incident – from the initial response and assessment to the eventual return to normal operations. Effective planning is meant to ensure that response and recovery efforts align to the expectations of all interested parties and provide a repeatable approach to minimize downtime.
This perspective explores the different types of business continuity plans that Avalution finds to be the most effective for organizations and examines their purpose within a wider business continuity strategy.
The last several years have continued to see an increase in the sophistication and volume of cyber threats, with a 42% increase in targeted attacks in 2012 (as reported by Symantec, in its 2013 Internet Security Threat Report). The range and types of threats vary greatly as well; in June 2013, InfoSecurity magazine listed the top five specific IT cyber security threats as: data breach, malware, DDoS, mobile threats, and industrialization of fraud – each of which requires a different preventive and response approach. An Ipsos survey for Lloyd’s Risk Index 2013 indicated that cyber risk is the third biggest concern for CEOs when assessing organizational threats, jumping nine spots from the previous year’s ranking of 12th.
In most organizations, monitoring and response have continued to develop and mature within IT to proactively address vulnerabilities. That said, there may be opportunities to better integrate IT’s response to such illicit activity with the organization’s business continuity program and structure, so that if an event does occur, the organization ensures a timely and coordinated response. After all, cyber security incidents can have business continuity implications and impacts that extend far beyond IT.
This perspective is the sixth in a series to discuss key elements of the ISO 22301 business continuity management system, including value-adding elements of the standard or requirements that could “trip up” an organization during the certification process.
Today we’re going to take a look at ISO 22301’s requirements for the establishment of an early warning network.
The management system approach to business continuity requires a culture of continual improvement in business continuity programs. One of the key steps in facilitating continual improvement is to regularly evaluate existing business continuity procedures. This perspective takes a closer look at Clause 9.1.2, ISO 22301’s requirement for evaluation of business continuity procedures.