One of the most common questions we receive at Avalution is, “How can my organization increase coordination between different groups performing preparedness activities, specifically ‘the business’ and IT?” We have seen many organizations’ business and IT teams struggle to come to an agreement on common requirements, such as application recovery time objectives (RTOs) and data loss tolerances (RPOs). The business tends to complain that IT does not listen to their recovery requirements, while IT tends to complain that the business is far too aggressive and unrealistic on recovery requirements. This article provides recommendations on how the business and IT can work more seamlessly toward the “right” level of preparedness for your organization.
A critical and foundational element of business continuity planning is a clear understanding of the business environment, together with the critical products, services and processes that contribute to the creation of business value. To recover successfully, an organization must connect its critical products and services to the key elements that produce them. In addition to facilities, equipment, people, technology and data, these elements include suppliers and the goods they supply, the internal process stream (or streams) that transform the resources and input, and the consumers of the output. Overall, a business continuity professional must have a clear understanding of day-to-day business processes and resources in order to be successful in planning for disruptive incidents.
The question then becomes how to develop a repeatable process that provides this clear understanding without making it an end unto itself and creating unsustainable overhead. Even better, how can the business continuity professional leverage tools and methodologies in use by other disciplines to improve performance throughout the organization?
NOTE: The content of this perspective was initially presented September 13, 2011 at DRJ Fall World in a presentation titled, “Connecting with Management and Staying Relevant.” During the presentation, attendees were asked to complete a Self-Assessment Survey answering various questions regarding management involvement within their organizations’ business continuity programs. Avalution used the information gathered during that session in order to frame this perspective and offer feedback based on the recommendations presented at DRJ.
Management involvement and support is vital to the growth and ongoing success of an organization’s business continuity program. Management buy-in ensures alignment with the organization’s overall strategic direction and business objectives, and allows the program to obtain appropriate resources and visibility. Without adequate management involvement and support, a business continuity program risks losing effectiveness and alignment with business strategy, misspent or unfit resources, imbalance between capability and requirements, or in the worst case, management cutting business continuity altogether because they do not see the value in the investment.
A Business Continuity Scoping Approach That Contributes to Better Management Engagement and Prioritization of Risk Management Efforts
One of the most common questions business continuity professionals ask is how to keep management involved in the ongoing preparedness effort and prioritize the implementation of business continuity strategies with limited resources. Business continuity professionals strive to have engaged, interested management teams, but often struggle to achieve this goal. Whether management disinterest has been present from the beginning of the preparedness effort, or whether interest has waned over time, there is one key strategy that Avalution strongly suggests organizations implement in order to achieve greater levels of both management involvement and input regarding business continuity planning: scoping and planning based on the recovery of products and services.
We often receive requests for proposals (RFPs) to perform a business impact analysis (BIA) – some dictating the preferred approach, some leaving it open. A recent RFP requested a consultant-executed BIA (and did not dictate the desired approach), but the use of consultants was eliminated due to budgetary constraints. As a result, they began the process to internally build and administer a questionnaire-based BIA approach. Why? They thought this approach would be more efficient when compared to an interview-based data gathering effort, thus preserving the internal team’s time to perform other activities.
The key question is this – is a questionnaire-based approach more efficient and what are the possible drawbacks? This perspective explores this issue and summarizes the pros and cons associated with the exclusive use of questionnaires versus an interview-based data gathering approach.
Business continuity professionals often perform a business impact analysis (BIA) as one of the first steps in establishing their organization’s business continuity program or management system. The scope of the BIA (and the business continuity program as a whole) is commonly determined by reviewing an organizational chart and establishing a one-to-one relationship between departments and BIAs. While this is a very comprehensive approach, it can be very time-consuming and unnecessarily drain valuable resources. In addition, the results of this process (e.g. recovery objectives) are typically subjective and lacking in cohesiveness with management objectives.
The business continuity industry has heard a lot about Plan, Do, Check, Act (PDCA) recently. Nearly every emerging standard is following this approach, from BS 25999 and NFPA 1600 (2010 edition) to the new American business continuity standard being created by ASIS. However, there seems to be a lot of confusion about what PDCA is – and what it means for business continuity.
UPDATE: The British Standards Institution (BSI) has issued a corrigendum in response to this article, slightly expanding the definition of MTPOD in a business continuity management system. The change makes explicit BSI’s intent that MTPOD be identified for critical products, services AND critical activities. The approach described in this article establishes an MTPOD for each critical activity by mapping the activity to a critical product or service. However, there may be some circumstances when a critical activity does not map directly to a critical product or service, but still requires an MTPOD. An example of this situation is the Payroll function. Some organizations define Payroll as a critical service in its own right, but other organizations consider critical products and services external-facing only. In this situation, Payroll would need an MTPOD that indicates its criticality, independent of the organization’s critical products and services.
Key Takeaway – Use a template to enable decentralized planning since it provides structure and consistency, as well as an outline of key concepts to address. However, establish the template as the minimum and pair the template with training to explain how the plan would be used during a disruptive event, and to enable the development of quality, detailed content.
For financial institutions waiting for more formal guidance from the Federal Financial Institutions Examination Council (FFIEC) before planning for a pandemic, the time is here. The FFIEC, an interagency council that prescribes uniform standards for the United States financial industry, recently followed up the industry’s “Interagency Advisory on Influenza Pandemic Preparedness” and NCUA’s “Letter to Credit Union 06-CU-06 – Influenza Pandemic Preparedness” with new guidance.