Wednesday, July 30, 2008

ERM-BC-COOP: Mitigation

Short story

I was talking with an Info Tech manager the other day about Info Tech "business continuity."

Business Continuity, I said, requires not only a Business Impact Analysis (BIA) which is part of Info Tech "business continuity," but mitigation as well.

Well, said the exec, we do have mitigation - we have plans to recover the applications elsewhere if something goes bump in the night here. That's mitigation.

Sounds good.

It IS mitigation.

But it's not RISK mitigation.

It's IMPACT mitigation.

While impact mitigation is an important part of business continuity, it really properly falls under the "disaster recovery" heading which, if truth be known, is what my exec calls Info Tech "business continuity."

Telling people I am an "Info Tech business continuity" planner bothers me.

Info Tech should have real business continuity.

Info Tech should look for risks to its processes and it should develop a true, independent business continuity plan based on its customers' requirements.

At the same time, all functional units should have true, independent business continuity plans (mini-plans, if you've read other John Glenn rants) which, like the Info Tech plan, need to roll up into an enterprise plan.

My exec's Info Tech "business continuity" plan totally ignores threats to the Info Tech processes. It considers the impact of an "application failure" on the business unit's finances (based on figures provided by the Info Tech customer/business unit Subject Matter Experts) and other nasty things that can happen - fines and customer penalties - but rarely considers loss or reduction of the organization's Return On Investment (ROI).

Worrying about threats to the Info Tech processes is "outside the scope" of the Info Tech "business continuity" plan.

Understanding that, I know - even if the Info Tech execs refuse to acknowledge it - that what Info Tech has is nothing more than disaster recovery under a different - and sadly inaccurate - name.

Mitigation? Yes, but only after the fact.

That is not, at least in my perspective of 13-plus in the business, "business continuity."

Let's call it what it is - disaster recovery.

No more, but maybe less.

John Glenn, MBCI, SRP
Enterprise Risk Management/Business Continuity
Planner @

No comments: