Thursday, July 31, 2008

ERM-BC-COOP: Two eGuide articles

BC, DR, and COOP

Just read an article linked from the Continuity eGuide by Tod Newcombe titled "Should BC and DR Be Replaced by COOP?".

Good article. It even includes a quote from Dr. Jim Kennedy, principal consultant for business continuity and disaster recovery at Alcatel-Lucent and a long-time professional acquaintance.

But . . .

But the article, which initially appeared in Government Technology, focuses almost exclusively on Info Tech. (Given the publication's audience, that almost rates a "duh!")

It addresses issues Chief Information Officers (CIOs) face.

It also suggests that business continuity is a sub-set of Continuity Of Operations (COOP), as disaster recovery is part of business continuity.

According to the article, "Kennedy recommends CIOs become champions for BC planning and find a champion on the business side to help when it comes time to implement and test the plans. But that's not all: CIOs also must ensure their plans have the support of senior-level managers. The National Association of State Chief Information Officers (NASCIO) insists today's government CIO needs to go one step further and ensure public-private partnerships -- especially with the industry sectors that deliver power and telecommunications -- are on board ahead of any crisis."

I have two problems with the article.

First, business continuity, by definition, means keeping the business going - meeting Service Level Agreements (SLAs) or mandates. In order to do that, Emergency Risk Management (a/k/a Business Continuity and COOP) practitioners need to protect the business processes and all the resources used by those processes.

Second, ERM should not be a function of the CIO.

ERM needs to be a function of a Chief Risk Officer or, failing independence, then a function of a Chief (Something) Officer who has fiduciary responsibility or the Chief Law/Legal Officer - someone who is independent of the individual functional units.

To my Winnie-the-Pooh mind, the only viable plan is an enterprise plan.

Even the US Federal government seems to agree with that: COOP used to be disaster recovery - save Info Tech and all is good; now it's protect the people and the organization (including Info Tech). The fact that the Government Accountability Office, GAO, annually criticizes Federal agencies for the quality of COOP plans is another matter. Still, at least there is "COOP awareness" and that's progress.

One thing the article did point out was "don't forget the details. One company had a detailed BC plan, but when a disaster struck, it failed to consider how it was going to feed workers who had to stay on the job for several days. Now it stocks the same ready-to-eat meals used by the military. Another mistake organizations make is not having an alternative work site, a problem that plagued firms devastated by the 9/11 terrorist attacks. What good is backed-up data if your workers have nowhere to work?"

Which, since it hints at the myriad of interdependencies in most organizations, is one more reason to move Enterprise Risk Management - by any name - out of the data center and into the executive suite.

Insurance options

The second article that caught my eye was titled An Insurance Primer for Business Continuity Professionals by Kimberly R. Matlon, JD.

Ms. Matlon, a partner in R&A Crisis Management Services, writes about a number of different insurance types.

She tells us that "Creating a resilient organization is a combination of purchasing and maintaining appropriate business insurance products, and developing and maintaining a comprehensive business continuity plan." She adds that "There are a wide variety of commercial insurance products out there to protect your business. The most common of these are property, liability and insurance products that provide coverage for your workforce."

Well and good, but what about business interruption insurance?

What about checking vendor insurance coverages - governments and other "800-pound gorilla" clients do it all the time.

Ms. Matlon missed some critical coverage in her brief article, but she did at least point out the need for insurance.

Enterprise Risk Management practitioners need to locate knowledgeable insurance representatives - preferably from different vendors - not only to find out what coverages are available and appropriate, but what each coverage demands of the insured - for example, business interruption insurance requires extensive record keeping (which also means keeping a copy of the records off site) in order to collect.

John Glenn, MBCI, SRP
Enterprise Risk Management/Business Continuity
Planner @
