Subscribe Now

* You will receive the latest news and updates on the Canadian IT marketplace.

Trending News

Blog Post

Be Prepared
SECURITY SHELF

Be Prepared 

For example, last week one local organization had their headquarters locked down due to its proximity to a shooting, a second building evacuated due to a fire alarm, and a power loss at a third location. Events like these have the potential to present significant operational challenges to the unprepared.

DRI International defines Business Continuity Management (BCM) as “a management process that identifies risk, threats and vulnerabilities that could impact an entity’s continued operations and provides a framework for building organizational resilience and the capability for an effective response.” The DRI framework includes ten Professional Practice Areas. These include several program and plan management activities along with areas such as risk evaluation, business impact analysis, the development of business continuity strategies, emergency response, crisis communications, and coordination with external agencies.

While BCM is a specialization, organizations should integrate BCM activities into their overall risk management framework. Many view security risk management and business continuity management as separate activities, but identifying critical assets and personnel, identifying significant events, and determining the potential impact on the organization is an integral part of both processes. The Government of Canada, for example, should have combined the Threat and Risk Assessment (TRA) and the Business Impact Assessment (BIA) long ago to facilitate a more integrated approach to risk management.

A formal business continuity planning methodology makes good sense for large corporations. However, smaller enterprises may find it overbearing in terms of time, money, and other required resources. This creates a dilemma for small business: Formal BCM activities are expensive, yet they are more likely to suffer a full interruption because their business resources tend to be concentrated in the same building or city. Larger businesses with locations in multiple cities may have more options when it comes to managing a disruption.

For those requiring a less formal approach, a simpler framework is to consider critical functions, interrupting events, and create a continuity plan along with a list of action items.

Businesses can be dissected into various functions. A formal BIA documents each business function along with information such as the amount of time the function can be unavailable before the business is impacted, the impact on customers, regulatory impact, and financial impact. Based upon this information critical functions can be identified and prioritized. For example, many small businesses can tolerate days of down-time in accounting, especially if payroll services are outsourced. However, being unable to provide products and services to customers for the same amount of time might create significant immediate and long-term business losses. The key for a small organization is to identify critical business functions and focus on making them more resilient.

On the surface it often appears that an overwhelming number of potential events could interrupt a business. However, by generalizing, categorizing, and focusing on the impact (instead of the specific details of the event) it is possible to reduce potential interruption events to a manageable list. From a business continuity perspective, the precise reason that staff are unable to enter the office is probably irrelevant. We can categorize the current office state as open, locked down, evacuated, or destroyed. Similarly, staff are either at work, able to work but unable to reach the office, or unavailable. The status of IT systems can be more complex, but to the end user, the system required to fulfil any important business function is either available or not. Following this approach leads to events such as “head office closed”, “employees unavailable for work”, and “primary datacenter disaster” instead of listing the dozens of reasons those scenarios might occur.

Once lists of critical business functions and potential interruption events are drafted, developing a simple business continuity plan is a matter of determining which events will impact each business function and creating a plan to address them. In theory, a model that takes into account the financial impact of each business function and the likelihood of each event will lead to a prioritized list for planning purposes. But determining likelihood is not an exact science and relying on the past as an statistical indicator of future events, as suggested by many methodologies, doesn’t make sense in a time of rapid change. Most small organizations would be better off creating a simple two-dimensional table of critical business functions vs. potential interruption events, eliminating those cells that don’t matter, and planning for the rest.

During the planning process the business will gain an understanding of the actions that must be taken to facilitate response to potential events. For example, one common approach to deal with a closed office or treacherous driving conditions is to have employees work from home. If employees can’t access critical IT systems remotely, or managers don’t have a way to contact staff who are unable to report to the office, action is required to make the plan viable. As the Boy Scout motto says, Be Prepared.

Related posts