Business continuity management (BCM) maturity levels differ across industry sectors. While some in the financial services or insurance sectors will have had BCM in place for quite some time, others are only starting their journey.
But no matter what the scenario, the secret to resilient and effective BCM is to adopt a structured, systemic approach to planning, according to Michael Conway, director of business continuity consultancy provider Renaissance.
“Lots of organisations might have a mature BCM program, but that doesn’t mean it’s right. It just means it’s been there for a long time. It may not be at the level it should be at and we’re seeing organisations engage us to do a review or a gap analysis to see where they’re at in relation to their peers.”
Some organisations choose to pursue certification to ISO 22301, a management systems standard for BCM. Others have developed their own methodology, but Conway believes that the starting point must focus on setting policy.
“Professional practice would say to start with the policy and program element, embed business continuity into the organisation and then start drilling down.
“What is appropriate for your organisation? How is it going to be structured and who are the program sponsors? How you are going to embed business continuity within the organisation and ensure that it’s part of what the organisation does?”
The analysis stage involves identifying the critical business areas or what Conway calls “showstoppers” and putting in place an appropriate amount of protection.
“If you have a building with 500 people, we might survive with 40 – 50 per cent of our people available within 24 – 48 hours. So we might plan for some of them to work remotely or have some going to an alternative recovery facility or a hot site.
“If you’re an SME with 20 people it’s probably relatively easy to find somewhere quickly for 10 or 15 people but if you need to relocate a couple of hundred people, it’s not easy. And that’s just the people part.
“It’s now relatively easy to switch on technology at remote locations as long as you plan that and have that as part of your processes,” he said.
And advancements in technology are facilitating better BCM planning and execution, as Niamh Townsend, enterprise solutions director at Dell Ireland, explains.
“Modern technology means that the ability to achieve a more granular Recovery Point Objective (RPO) or Recovery Time Objective (RTO) is now achievable at a much lower cost. Snapshots on Dell Storage solutions do not absorb the same level of storage as some of our competitors, enabling organisations to achieve RPOs that in the past would have required a heavy investment.
“RTO is also benefiting from technology. For instance our DR backup to disk solution is capable of mounting a Virtual Machine on the appliance itself. Imagine a scenario where the Exchange email server goes down. Instead of having to recover to a different box, the server is simply mounted on the DR appliance and made available to all, while the real server is repaired or replaced,” she said.
“Ultimately the key to successful BCM will be the implementation and validation stages when you’re actually implementing it, ensuring that it works and testing it by exercising it,” said Conway. “That’s the glue that holds it all together. The rest to some extent is theory until you actually prove it.
“BCM is a lifecycle where we take the lessons, learnings and validation and re-analyse what you need to be doing. Business is dynamic and this needs to be reflected in BCM planning,” he said.