By Ian Masters
Before looking into business continuity, it is necessary to assess the potential risks affecting your business, the likelihood they will occur and the disruption they could cause. This will aid you in deciding what level of protection is required and may help in determining some realistic Recovery Time and Recovery Point Objectives (RTO & RPO). Another major factor affecting these objectives will be cost: the cost associated with the loss of a particular business function, be it IT related or not, or the perceived cost of lost reputation or potential revenue.
IT IN TODAY'S BUSINESS
Now with the way the world is evolving, IT is becoming increasingly important in everyday business and life. The rapid development of the Internet has made it easier to reach and communicate with your clients and suppliers, and whether you choose to be an e-tailer or are forced by suppliers to order online, IT functions will probably be at the core of your business. This may be in the form of communications, customer/supplier management or just product/company information. How critical IT functions are to your business is dependent on the business itself but IT is certainly more important today than it has ever been. As the majority of us rely so heavily on email for communication, I challenge anyone who is happy to tell their board of directors that email is not working and "might not be back online for a while"!
So now it becomes at least a little easier to see why, in so many cases, the person responsible for IT ends up wearing the business continuity "hat". Whether this is the right choice or not is a topic in itself, but in the majority of SMEs it is still the IT department who end up with the responsibility for business continuity. It is only when we start to look at the much larger enterprises that there are dedicated business continuity professionals (and even they may use outside help).
CRITICAL SKILLS
So what skills are required to be an effective business continuity professional? In my opinion, the first and most important skill is communication. Whoever is given the responsibility must be able to communicate at all levels within the organization and, more importantly, sometimes with the media. When disasters strike, the media will want to know what has happened, how it happened, whose fault it was, what you are doing to recover and how you are managing the relationships with your clients and suppliers. Giving an inappropriate answer to any of these questions could see your organization losing face in front of customers and suppliers and ultimately allowing your competitors to capitalize on your own shortcomings.
However, managing the situation correctly will improve your reputation. Secondly, I believe, come organizational skills. Business continuity is a massive undertaking affecting every system, department and person within the business. Everything will have to be documented, in duplicate, and the plan should be executable even in your absence. You are not just responsible for creating the plan and deciding on appropriate levels of protection and recovery methods but also for training your staff. Each and every member of staff must understand their role (or how to respond) during a disaster. Remember these are not the only skills required and I am looking at a fairly basic level, but without these key skills your business continuity plan is unlikely to get off the ground, let alone be effective.
TACKLING BUSINESS CONTINUITY
From reading so far you will understand that unless you are a really small business this is probably not going to be a lone effort. You will need to build a team of reliable staff who can help you research, design, co-ordinate and implement your plan. Some of these people will work with you in IT, but you will also need the help of people from other departments. For example, it may be useful to enrol the help of your health and safety officer. They should already have a procedure in place for fire related emergencies and will have been responsible for ensuring all staff know how to react in an emergency. Even if you decide to tackle this on your own, you will need to communicate with each department to decide what systems are critical to their operation and to understand the inter-dependencies of your departments.
So where do you start? You will need to get buy-in from the director, owner or whoever takes overall responsibility for the company; without this your plan will fail. You will need to be able to explain the risks to the business (physical, environmental and localized) and what impact these could have on the business. It may also be true in smaller companies that the board will make the decision as to what level of protection is required, for which systems and processes, and how quickly you should be able to recover. Plus they will need to commit a budget to the planning, implementation and testing of the plan. From here, at least you will be able to investigate what systems and procedures are needed to fulfil these requirements and whether it can be achieved within the budget. It may not always be possible; compromises may have to be made and the board will need to be fully aware of these and agree to them, otherwise it will be your neck on the chopping board after an incident.
It might also be worth getting some outside help. There are many specialist firms and consultants who can bring a lot of expertise and added value to your plan and can save you a lot of time during the initial research and planning stages. For example, business impact analysis is a complex process that can be applied and will provide you with valuable information about your business and the potential impact of incidents. I would also recommend looking at third party help when testing your plan. Remember, a business continuity plan is only as good as its last test. Plus, your company is probably growing and evolving and that means you need to make regular updates to the plan. Using a third party will help to highlight weak points in the plan, which can then be rectified. Testing also helps to reinforce your staff training and forms part of that training, ensuring that everyone reacts appropriately. The benefit of testing a plan is that it is pre-scheduled: customers and suppliers can be pre-warned and it demonstrates your commitment to business continuity. Your longevity is important and your responsible behavior will help strengthen the relationships with your customers and suppliers.
So as a final thought, is it practical to pass the business continuity planning to your IT professional? Well in a lot of cases, yes. As we all become more and more reliant on technology and as it forms the core of many of today's businesses, it makes sense that the IT professional takes ownership of it, certainly in smaller organizations. However, I feel very strongly that IT cannot go it alone. Internal and possibly external help will be required and without the commitment of others, the plan is doomed to fail (if you even manage to get it off the ground!).
Ian Masters is Sales Director of Double-Take Software (www.doubletake.com).
For more information, please send your e-mails to swm@infothe.com.
©2007 www.SecurityWorldMag.com. All rights reserved.