Recently, a client asked whether it would be better to build its own method for managing the technical information that supports IT disaster recovery planning, acquire and implement a commercial Configuration Management Database (CMDB) solution, or customize its existing business continuity software. The short answer is, “it depends”. This perspective discusses this commonly asked question, which is an important one given the need to understand the relationships between IT infrastructure, applications, data, and business continuity requirements.
This perspective takes a look at Clause 9.2, ISO 22301’s requirement for internal audit, defined as an independent assessment that provides management with feedback regarding the performance of the management system. The content found in this perspective is specifically based on lessons learned from our ISO 22301 certification audit (which Avalution completed successfully in the Spring of 2013).
A critical and foundational element of business continuity planning is a clear understanding of the business environment, together with the critical products, services and processes that contribute to the creation of business value. To recover successfully, an organization must connect its critical products and services to the key elements that produce them. In addition to facilities, equipment, people, technology and data, these elements include suppliers and the goods they supply, the internal process stream (or streams) that transforms the resources and inputs, and the consumers of the output. Overall, a business continuity professional must have a clear understanding of day-to-day business processes and resources in order to be successful in planning for disruptive incidents.
The question then becomes how to develop a repeatable process that provides this clear understanding without making it an end unto itself and creating unsustainable overhead. Even better, how can the business continuity professional leverage tools and methodologies already in use by other disciplines to improve performance throughout the organization?
The goal of any recovery plan, regardless of the size or nature of the organization, is to protect life, minimize damage from an event, and quickly resume the delivery of critical products and services to meet customer requirements. How this is accomplished, however, depends not only on the nature of the organization, but also on its customers, its size and resources, and its culture. The objective is to build plans that are based on realistic requirements, fit within the organization’s culture, and remain cost effective and appropriate. The remainder of this article discusses these characteristics and how they are incorporated into recovery plans.
Many organizations think having a disaster recovery plan is all the protection they need from disasters. However, there is so much more to disaster recovery than just a plan! That’s why most industry professionals see disaster recovery as an ongoing program or process that contains a number of distinct elements. Key process activities include:
After approval by the ISO member bodies, the ISO Technical Management Board Working Group on risk management released ISO 31000:2009, Risk Management – Principles and Guidelines in November of 2009. The authors designed the standard to be applicable for any organization and any risk type, but, unlike the familiar ISO quality standards, ISO 31000 is not certifiable.
For those familiar with the AS/NZS 4360:2004 standard on risk management, this ISO standard should be easily recognizable. With the exception of wording changes, ISO 31000 is essentially the same standard.
As has been confirmed by the events of the last year, risks to an organization can come from any number of often unpredictable sources, and can result in an impact far more serious and long-lasting than anyone would have imagined. Relationships that up to now have been assumed to be secure, from banking relationships to the stability of a country’s financial system, have been called into question.
Recently, Standard & Poor’s announced that they will begin to evaluate Enterprise Risk Management (ERM) processes with non-financial companies in the third quarter of 2008. S&P also indicated that it will begin to consider ERM program maturity and capability in determining ratings as of the fourth quarter.
As our industry evolved, we moved from methodologies based on information technology-focused disaster recovery to more holistic, but still reactive, business continuity. Now, our industry’s rhetoric, and a growing number of its standards, point to more proactive practices, commonly called business resiliency. Still, all of the approaches start from the same point: something bad has happened or will happen. Even business resiliency is primarily concerned with structuring an organization to withstand events, not with preventing or avoiding them altogether.
The goal of business continuity is to re-establish critical business processes in a timeframe and at a level that will sustain the business after a disaster. To establish a program that is able to operate effectively in recovery mode, an organization must develop recovery strategies and plans that satisfy the requirements determined during a Business Impact Analysis (BIA), take into account the human and technological constraints inherent to its business model, rigorously challenge all assumptions made during the planning process, and validate the recovery process through ongoing exercises.