Taking BCP to the Next Level
I've been asked this question a number of times recently, perhaps a reflection on the uncertain times we currently live in. Here are some possible answers, depending upon where you are in your Business Continuity process:
- Put procedures in place to keep the plan up to date. Will the update process automatically happen when something changes? Or will you only find out during your annual review (or when something happens) that the plan is out of date?
- Test and Exercise the plan. Not necessarily an expensive fully-fledged disaster rehearsal, but desktop tests, and technical backup and recovery tests. The aim is to assure yourself that you know what to do in the event of a major incident, and that the information and resources required to continue or recover operations are actually in place. Such tests can be carried out internally, or with the assistance of independent observers to create test scenarios and to evaluate the results.
- Third Party Readiness Review. Not as formal (or expensive) as an audit, a third party consultancy (such as ourselves) examines the plan (as written) and your company or organization's operations and looks for risks that haven't been addressed, unrealistic or missing assumptions in the plans, and forms an opinion as to how well the plan will work in various scenarios. Unlike an audit, it is assumed that the facts in the plan are correct. For example, if your plan says you have a backup generator which has sufficient capacity to run your entire building, no check is made that this is true or that all electrical systems are connected to the generator. Opinions may be expressed, however, that it is unlikely that this is true, and that the statement should be checked.
- Plan Audit. More formal than a third party review, an audit attempts to give a great deal of assurance that what is stated in the plan is actually correct and that procedures are being followed. Since it requires data gathering and fact checking, it is more expensive than a third party readiness review.
- Plan Certification. While it's great that you are sure your plan will work, how do you prove this to your customers? While the plan protects your business interests, will it protect those of your customers? How do they know if your opinion is correct? You say that it will. An independent consultancy has reviewed the plan and states that it will. But how can the customer distinguish a meaningful opinion from a meaningless one? It could review the plan. It could review the reviewer. But in a world with multiple key suppliers, this is too expensive. To solve this problem, you need standards and independent certification. Although there are several standards available for Business Continuity and Disaster Recovery (e.g. NFPA 1600, CSA 1600Z, ...), currently only one has a certification component. In a similar manner to the Quality Assurance ISO 9000 series, the BS 25999 standard allows an organization to be certified as having an effective business continuity process in place. One day there may be an ISO standard in this area; there is a good chance that any future ISO standard will be based upon this one.
Organizations without a large number of business-to-business customers may not find full certification cost-effective, but each level will provide additional confidence that the company's plan will function in an emergency.
Michael Z. Bell