Thursday, May 29, 2008

ERM-BC-COOP: There IS a difference . . .

[This article also appeared in Disaster-Resource.com's Continuity e-Guide at http://www.disaster-resource.com/newsletter/subpages/v237/meettheexperts.htm]


There IS a difference between "Business Continuity" and "Disaster Recovery," and it is substantial.

Disaster Recovery, a/k/a "DR" or "D/R" is the reactive part of a Business Continuity, a/k/a "BC" or "B/C," plan.

The distinctions have, over the years and because of various reasons, been blurred.

Originally, D/R amounted to restoring InfoTech.

Rebuild the infrastructure (servers, networks) and restore data.

Then, enlightened InfoTech managers decided it would be good to ask InfoTech's customers which of their products the customers needed most so restoration could be prioritized.

The beginning of the Business Impact Analysis, the "BIA."

Problem was, the BIA was a tool of the reactive restoration effort.

The BIA also ignored any risk analysis and associated avoidance or mitigation measures.

InfoTech now had a prioritized recovery list, but little else.

Yet "business continuity" was a part of InfoTech all along even if it wasn't recognized as such.

A little thing hardware manufacturers include in product specs:

  • MTBF: Mean Time Between Failures
  • MTTR: Mean Time To Repair

The biggest problem with InfoTech D/R, however, is that it was InfoTech "centric."

InfoTech went out to the business units for the BIA, and then went back behind the data center door.

No one considered risks to the business units; InfoTech was, after all, the glamour child.

But it wasn't, in most cases, the profit center.

Once someone realized that lacking a profit center generating a profit for the organization there was little raison d'etre for InfoTech, then the focus began to shift from the data center to InfoTech's customers - the profit center and its other resources.

At the same time, someone took heed of the Purolator "Pay me now or pay me later" commercial and decided a little risk avoidance or mitigation might prove financially beneficial.

Trouble is, to fully benefit from the avoidance/mitigation mind set, someone had to identify - and quantify - risks.

Enter risk management.

Find the risks.

Identify ways to avoid or mitigate each risk.

Rate the risk according to probability and by impact on the organization.

D/R has now moved out of the reactive "restore what failed" mode to the proactive B/C "meet the Service Level Agreements" mode, the business continuity/continuation mode.

Still, B/C, as practiced in (too) many organizations, is short-sighted.

It looks at obvious and traditional risks, but fails to go beyond those risks.

Why?

Often senior management withholds the mandate to do more.

Enterprise Risk Management, "ERM," is, to this scrivener, "B/C on steroids."

ERM should be able to look at all risks, from all sources both traditional and non-traditional.

All of an organization's doors must be opened to the ERM practitioner, and the practitioner must be allowed a look at the organization's short and long-term plans. (Actually, B/C planners should see the plans as well so modernization can be implemented early if the opportunity arises.)

ERM practitioners should be invited into all phases of the operation.

Planning to buy property? Involve the ERM practitioner to look at such mundane, things as location (flood plain, access?) , construction (safe room, environment?).

Allow the ERM practitioner to look at processes - that's part of the job, anyway - and invite the practitioner to make recommendations to enhance (or eliminate) processes.

It is understood that the ERM practitioner, as were the B/C and D/R planners, is an expert only in his or her discipline; the practitioner/planner must work with Subject Matter Experts (SMEs) both within and without the organization to fully benefit the organization.

D/R still plays a very big role in both B/C and ERM, but it has expanded to include all the resources a profit center requires to remain a profit center, but for all that, it still is D/R and still reactive.

John Glenn, MBCI, SRP
Enterprise Risk Management/Business Continuity
http://johnglennmbci.com/
Planner @ JohnGlennMBCI.com

No comments: