Supporting IT Disaster Recovery Planning – A CMDB versus Traditional Business Continuity Software

Recently, a client asked whether it would be better to create a method to manage technical information in support of the IT disaster recovery planning effort, acquire and implement a commercial Configuration Management Database (CMDB) solution, or customize its existing business continuity software solution. The short answer is, “it depends”. This perspective discusses this commonly asked question, which, by the way, is very important given the need to understand the relationship between IT infrastructure, applications, data, and business continuity requirements.

Internal Audit – Protecting Your Investment in ISO 22301

Part of Avalution’s Conforming to ISO 22301 Series

This perspective takes a look at Clause 9.2, ISO 22301’s requirement for internal audit, defined as an independent assessment that provides management with feedback regarding the performance of the management system. The content found in this perspective is specifically based on lessons learned from our ISO 22301 certification audit (which Avalution completed successfully in the Spring of 2013).

Don’t Reinvent – Be Successful by Leveraging “Non-Business Continuity” Tools and Methodologies

A critical and foundational element of business continuity planning is a clear understanding of the business environment, together with the critical products and services and processes that contribute to the creation of business value. To recover successfully, an organization must connect its critical products and services to the key elements that produce them. In addition to facilities, equipment, people, technology and data, these elements include suppliers and the goods they supply, the internal process stream (or streams) that transforms the resources and input, and the consumers of the output. Overall, a business continuity professional must have a clear understanding of day-to-day business processes and resources in order to be successful in planning for disruptive incidents.

The question then becomes how to develop a repeatable process that provides this clear understanding without making it an end unto itself and creating unsustainable overhead. Even better, how can the business continuity professional leverage tools and methodologies in use by other disciplines to improve performance throughout the organization?

What Makes a Great Recovery Plan?

The goal of any recovery plan, regardless of the size or nature of the organization, is to protect life, minimize damage from an event, and quickly resume the delivery of critical products and services to meet customer requirements. How this is accomplished, however, depends not only on the nature of the organization, but also on its customers, size and resources, and culture. The objective is to build plans that are based on realistic requirements, fit within the organization’s culture, and remain cost effective and appropriate. The remainder of this article will discuss these characteristics and how they are incorporated into recovery plans.

More than a Plan: Establishing a Disaster Recovery Program

Many organizations think having a disaster recovery plan is all the protection they need from disasters. However, there is so much more to disaster recovery than just a plan! That’s why most industry professionals see disaster recovery as an ongoing program or process that contains a number of distinct elements. Key process activities include:

The Basics of ISO 31000 – Risk Management

After approval by the ISO member bodies, the ISO Technical Management Board Working Group on risk management released ISO 31000:2009, Risk Management – Principles and Guidelines in November of 2009. The authors designed the standard to be applicable for any organization and any risk type, but, unlike the familiar ISO quality standards, ISO 31000 is not certifiable.

For those familiar with the AS/NZS 4360:2004 standard on risk management, this ISO standard should be easily recognizable. With the exception of wording changes, ISO 31000 is essentially the same standard.

Managing Expanding Supply Chain Risks

As has been confirmed by the events of the last year, risks to an organization can come from any number of often unpredictable sources, and can result in an impact far more serious and long-lasting than anyone would have imagined. Relationships that up to now have been assumed to be secure, from banking relationships to the stability of a country’s financial system, have been called into question.

How Enterprise Risk Management Can Improve Your Credit Rating

Recently, Standard & Poor’s announced that they will begin to evaluate Enterprise Risk Management (ERM) processes with non-financial companies in the third quarter of 2008. S&P also indicated that it will begin to consider ERM program maturity and capability in determining ratings as of the fourth quarter.

Proactive versus Reactive – Business Continuity’s Role in Treating Risk, Not Just Reacting to It

As our industry evolved, we moved from methodologies based on information technology-focused disaster recovery to more holistic, but still reactive, business continuity. Now, our industry’s rhetoric, and a growing number of its standards, point to more proactive practices, commonly called business resiliency. Still, all of the approaches start from the same point: something bad has happened or will happen. Even business resiliency is primarily concerned with structuring an organization to withstand events, not prevent or avoid them altogether.

Effectively Operating in Recovery Mode

The goal of business continuity is to re-establish critical business processes in a timeframe and at a level that will sustain the business after a disaster. To establish a program that is able to operate effectively in recovery mode, an organization must develop recovery strategies and plans that satisfy the requirements determined during a Business Impact Analysis (BIA), take into account the human and technological constraints inherent to their business model, rigorously challenge all assumptions made during the planning process, and validate the recovery process through ongoing exercises.