Common Pitfalls in Business Continuity Management When Outsourcing
Avoid these mistakes when procuring IT services from external Service Providers. Learn more at the Copenhagen Compliance Conference on 23-24 September 2013.
Outsourcing business services (especially IT) continues to drive the decisions of senior leaders as economic pressures force them to cut costs and increase competitiveness. Business leaders should think twice about forgoing Business Continuity considerations when making outsourcing buying decisions. The following are five pitfalls to avoid in order to ensure that your business continuity needs are met.
Thinking "it won't happen here!"
Business Continuity Management (BCM) is a business strategy that identifies potential impacts which can threaten an organization's ability to function normally. Planning for these impacts provides a capability for an effective response, minimizing the impact of any disruption on the business. All too often, senior leaders think only in terms of natural disasters like hurricanes and floods, and are willing to accept the risk of disruptions due to these events. Hence, they feel business continuity planning is not needed because such events are perceived as unlikely ever to happen in their geographic location. However, organizations face a multitude of threats such as hardware and software malfunctions, terrorism, cyber attacks, human error, computer-based crimes, and power outages, all of which can severely affect business operations regardless of location.
Relying on SLAs
When selecting a Service Provider, cost is important, but focusing too much on it leads many businesses to select service solutions that do not protect, or only partially protect, the continuity of their business. Due to cost, some business leaders eliminate Business Continuity altogether without understanding how significantly this could affect their business recovery efforts. Often the expectation is that service availability in any event is covered by the service level agreements (SLAs) with Service Providers. In most contracts, however, commitments and responsibilities in a disaster or force majeure situation are detailed in a separate section of the agreement, and the normal SLAs will not apply in these situations. The supplier delivers what is stated in the contract, which is not necessarily what matters most to the client or what reflects the client's actual business priorities! This situation may lead to conflicts in recovery priorities, leaving the client at risk of extended business disruptions.
No link to business priorities
Organizations often limit the scope of their Business Continuity efforts to information technology. Backup of data and systems recovery are usually considered independently of business processes. However, Business Continuity goes well beyond Disaster Recovery by encompassing every aspect of company operations that could be impacted by an event. This limited scope makes it difficult for the business to guard against, and respond effectively to, unforeseen interruptions that affect key business operations. This may be explained by the fact that very few organizations have BCM programs which span the organization as a whole. Autonomous programs for Emergency Management, Business Continuity, and Disaster Recovery are dispersed throughout the organization with little to no coordination between them.
The IT Disaster Recovery Plan must therefore be viewed in the context of the wider BCM program. It must link to critical business processes and align with the actual priorities and objectives of the business. The intrinsic quality (usefulness) of continuity plans then depends on the completion of a thorough requirements analysis (a Business Impact Analysis).
No commitment from senior management
Senior management must provide full support for the Business Continuity Management program. When selecting a Service Provider, management must include Business Continuity considerations in the conversation. This is important because senior management plays several roles that are crucial to getting the expected value from investments in BCM. These roles span governance, risk and compliance (GRC). Senior management determines risk tolerances for critical business processes, approves appropriate continuity strategies, and authorizes the BCM policy. Furthermore, senior management supports BCM compliance, ensuring that adequate plans are in place and that ongoing maintenance is achieved through audits and controls.
Failure to test and maintain continuity plans
As the needs of the organization change, so too will its business priorities. In turn, the systems and processes that support these priorities will also change. Therefore, business continuity plans must be maintained and tested regularly. A comprehensive business continuity plan will include test schedules, clear references to other emergency plans, and procedures for periodic updates. In addition, senior leadership and recovery personnel must know their roles during execution of the plan. Business continuity tests must include all stakeholders, including Service Providers. Getting senior leaders to actively participate in testing is often a challenge, but it is also of key importance for a successful BCM program. Any continuity plan that has not been regularly tested, with all stakeholders represented, is useless in a disaster situation.
Business Continuity Management is always your responsibility! Those organizations that avoid these five pitfalls and approach continuity with the comprehensive objective of planning for vulnerabilities wherever they are found in the value chain will gain the most from investments in BCM.
Stanley Smith is an independent business and technology professional. He has worked with IT service providers for over 10 years. Currently, he helps law firms and legal professionals improve business processes and reduce risks through effective operations management. He holds an MBA with a specialization in Technology Management from Copenhagen Business School.