Outsourcing business services (especially IT) is continuing to drive the business decisions of senior leaders as economic pressures force them to cut costs and increase competitiveness. Business leaders should think twice about preceding Business Continuity considerations when making outsourcing buying decisions. The following are five pitfalls to avoid, ensuring your business continuity needs are met.
Thinking “it won’t happen here!”
Business Continuity Management (BCM) is a business strategy that identifies potential impacts which can threaten an organisation’s ability to function normally. Planning for these impacts provides a capability for an effective response, minimising the consequences of any disruption to the business. All too often, senior leaders think regarding natural disasters like hurricanes and floods and are willing to accept the risk of disruptions due to these events. Hence, they feel business continuity planning is not needed due to the perceived unlikelihood of such events ever happening in their geographic location. However, organisations face a multitude of threats such as hardware and software malfunctions, terrorism, cyber attacks, human error, computer-based crimes, and power outages. All of which can severely affect business operations regardless of location.
Relying on SLA agreements
In selecting a Service Provider, while important, focusing too much on cost leads many businesses to choose service solutions that do not, or at most only partially protects the continuity of their business. Due to cost, some business leaders eliminate Business Continuity altogether without understanding how it could significantly affect their business recovery efforts. Often the expectation is that service availability, in any event, is covered by service level agreements (SLA) with Service Providers. In most contracts, however, commitments and responsibilities in a disaster or force majeure situation are usually detailed in a separate section of the agreement. Typical SLA will not apply in these cases. The supplier delivers that which is stated in the contract and therefore not necessarily that which is most important to or the actual business priorities of the client! This situation may lead to conflicts in recovery priorities leaving the client at risk for extended business disruptions.
No link to business priorities
Organisations often limit the scope of their Business Continuity efforts to information technology. Backup of data and systems recovery are usually considered independent of business processes. However, Business Continuity goes well beyond Disaster Recovery by encompassing every aspect of company operations that could be impacted by an event. This limited scope then makes it difficult for the business to guard against and respond effectively to unforeseen interruptions that affect critical business operations. This may be explained by the fact that very few organisations have BCM programs which span the organisation as a whole. Autonomous programs for Emergency Management, Business Continuity, and Disaster Recovery are dispersed throughout the organisation with little to no coordination between them.
The IT Disaster Recovery Plan then must be viewed in the context of the wider BCM program. It must link to critical business processes and align to the real priorities and objectives of the business. The intrinsic quality (usefulness) of continuity plans then depends on the completion of a thorough requirements analysis (Business Impact Analysis).
No commitment from senior management
Senior management must provide full support for the Business Continuity Management program. When selecting a Service Provider, Management must include Business Continuity considerations in the conversation. This is important because senior management plays several roles that are crucial to getting the expected value from investments in BCM. These roles extend across the GRC perspective. Senior management will determine risk tolerances for critical business processes; approve appropriate continuity strategies, and authorise the BCM policy. Furthermore, senior management supports BCM compliance, ensuring adequate plans are in place and ongoing maintenance is achieved through audits and controls.
Failure to test and maintain continuity plans
As the needs of the organisation changes, so too will its business priorities. In turn, the systems and processes that support these priorities will also change. Therefore, business continuity plans must be maintained and tested regularly. A comprehensive business continuity plan will include test schedules, an explicit reference to other emergency plans, and procedures for periodic updates. Also, senior leadership and recovery personnel must know their roles during execution of the program. Business continuity tests must include all stakeholders including Service Providers. Getting senior leaders to actively participate in testing is often a challenge, but is also of fundamental importance for a successful BCM program. Any continuity plan that has not been regularly tested, with all stakeholders represented, is useless in a disaster situation.
Business Continuity Management is always your responsibility! Those organisations that avoid these five pitfalls and approach continuity from an overall objective of planning for vulnerabilities wherever they are found in the value chain will gain the most from investments in BCM.
This blog is written by Copenhagen Compliance associate Stanley Smith, our business and technology and IT professional for improving business processes and reduce risks through effective operations management. He holds an MBA with a specialisation in Technology Management from Copenhagen Business School.