CBR is proudly produced & published
by Technews
Issue Date: May 2001 (es)

Information security specialist AVS continues to provide peace of mind

1 May 2001

For a variety of reasons, business continuity planning in a significant number of organisations across the country is still not providing the assurance that stakeholders are looking for. One reason is the prevalent confusion between the terms disaster recovery (DR) and business continuity (BC), which are used interchangeably. Although those tasked with this responsibility are rapidly making progress in this regard, many decision-makers do not see a distinction between the terms, and cannot provide the required executive support and insight.
In addition, due to the criticality of IT in the business arena today, most contingency planning efforts tend to revolve around IT. The resulting lack of ownership, and sometimes even of participation, by the lines of business has not only hindered the progress of BC planning, but has also left IT with serious concerns about DR planning. Some of the issues that IT is grappling with include solutions that either fall short of, or exceed, business needs. This results in difficulties in justifying the cost and a growing divide between BC and DR programmes.
Differentiating between BC and DR
The differentiation between BC and DR is important due to the influence this has on the roles and responsibilities implicit in the definition.
* Business continuity refers to the ability to protect the business as a whole, by fulfilling a crisis management role, managing risks, and also ensuring that adequate integration between disaster recovery and business recovery exists for business resumption (and ultimately business survival) after a disruptive event of any scale.

* Disaster recovery is the provision of IT-related equipment, facilities, data and skills enabling companies to recover specific business systems in the event of a disruptive incident.

* Business recovery addresses the needs of the various business functions which make up an organisation (and which often include an IT element) to survive a disruptive incident by effectively resuming the affected business function(s).
Risk management and BCP
It is important to note that the organisation should be engaged in both proactive and reactive BC planning. Risk management is a proactive approach to identifying, quantifying and mitigating all the threats that a company faces. BC planning (which includes DR and business recovery) is a reactive approach that defines who will do what, where and how in order to resume normal operations after a disruptive incident has occurred.
To address the challenges facing most companies, a structured approach to BC is a key ingredient in a successful BC programme. The benefits of a structured approach include creating general awareness, preparing staff and management for the potential magnitude and scope of such a programme and creating synergy. This should also facilitate developing a roadmap that allows for stages (pilot areas, phases, milestones etc) that can be aligned with business priorities and constraints.
A structured approach
The IBM methodology, a structured approach used around the world, provides a perspective on the value of the various elements of business continuity planning. It also gives an idea of the sequence if one were to commence from the beginning of the lifecycle. The methodology is cyclical because business continuity planning must be viewed as an ongoing and essential aspect of business operations. It is also the prerogative of each individual company to determine where in the methodology to begin. This will be determined by the need for quick wins, the amount of information already available and other BC cultural and maturity indicators. The IBM methodology consists of several activities, categorised into three phases.
The analysis phase
The analysis phase determines the organisation's current risk profile. To understand the effect of these risks on the business, a business impact analysis is conducted to determine how much data loss each business function can tolerate, and to estimate the financial and nonfinancial impacts. A recoverability assessment examines the current recovery capability of both IT infrastructure and business processes to develop recovery projections. This assessment also highlights weaknesses that must be addressed, as well as strengths that can be leveraged to improve the overall recovery profile.
The design phase
The design phase is really the time for decision-making, with objective and validated information needed to facilitate sound business decisions. Management decisions are based on the information gathered during the analysis phase, which then forms the framework (business continuity strategy) that will guide all subsequent business continuity planning efforts and expenses. The business impact is translated into workplace and IT recovery requirements. Risks identified and quantified (in the analysis phase) are viewed in the context of any 'gap' revealed between recovery requirements and current recovery capability during the design phase.
The next aspect in the design phase involves investigating all possible alternatives to meet the workplace and IT recovery requirements within the agreed framework. Only when an intensive study of all options and associated costs, benefits, risks and other key criteria is complete should the next phase commence. This means that suggested solutions must be approved by the IT or business owners prior to any commitment (financial, contractual or other) being made. This is essential, since the business units that will bear the consequences of outages (business function and/or IT) are in the best position to make the cost-benefit decisions.
The implementation phase
The implementation phase involves setting up the agreed recovery solutions. This could include buying equipment and supplies, external service contracts, reciprocal agreements and other solution components. Key issues here are integration into the day-to-day fabric of the organisation, maintenance, testing, audit and execution. Comprehensive disaster recovery, business recovery and crisis management plans generally govern these aspects. In complex environments, these plans would be supported by descriptive procedures.
Generally, effective business continuity planning is not cheap or easy. But when one weighs it against the implications of being out of business, it is one of those small 'insurance policies' that one should take and religiously follow. The amount of effort and funds invested each year is well worth the money. This is quite likely a view that will gain increasing executive support, given that business continuity planning accountability has been clearly assigned to the board, by both the King Commission II (document on good corporate governance standards) and the Second Basle Accord (risk management guideline for the banking business continuity community).
Source: Harvey Naidoo, IBM Global Services
