Tuesday, August 19, 2008

ERM-BC-COOP: GTAG, you're it

I was introduced this morning to the Institute of Internal Auditors' (IIA) Web site (http://www.theiia.org/).

I was pointed there by another practitioner who agrees with me that "auditors are our friends."

The IIA publishes a series of documents called GTAGs; translation: Global Technology Audit Guides. There are 11 linked from http://www.theiia.org/guidance/technology/gtag/ .

GTAG 10 is titled Business Continuity Management.

It's a free PDF download and worth every bit of the 1.65 MB of space it will take up on a hard drive.

GTAG 10's authors - whose bios are included near the end of the document - are real-world risk managers and come from a variety of industries.

I confess I was ready to hit the email when I read in the Page 1 Executive Summary that "The goal of business continuity management (BCM) is to restore critical business processes after a disaster has been declared."

While I agree with the focus on the business, my knee-jerk reaction was "where's avoidance and mitigation?" These two gems separate BC from DR more than anything else (in my book).

Page 2 was no better: "BCM capabilities are focused on the recovery of critical business processes to minimize the financial and other impacts to a business caused during a disaster or business interruption."

But then I read:

2. Can the organization prove the business continuity risks are mitigated to an approved acceptable level and are recertified periodically?

and hope began to shine forth.

I found myself nodding my head in agreement as I read on Page 3 how IIA defines BCM:

Business continuity management is the process by which an organization prepares for future incidents that could jeopardize the organization’s core mission and its long-term viability. Such incidents include local events like building fires, regional events like earthquakes, or national events like pandemic illnesses. The key components of the BCM are:

  • Management Support — Management must show support to properly prepare, maintain, and practice a business continuity plan (BCP) by assigning adequate resources, people, and budgeted funds.

  • Risk Assessment and Risk Mitigation — Potential risks due to threats such as fire, flood, etc., must be identified, and the probability and potential impact to the business must be determined. This must be done at the site and division level to ensure the risks of all credible events are understood and appropriately managed.

  • Business Impact Analysis (BIA) — The BIA is used to identify business processes that are integral to keeping the business unit functioning in a disaster and to determine how soon these integral processes should be recovered following a disaster.

  • Business Recovery and Continuity Strategy — This strategy addresses the actual steps, people, and resources required to recover a critical business process.

  • Awareness and Training — Education and awareness of the BCM program and BC plans are critical to the execution of the plan.

  • Exercises — Employees should participate in regularly scheduled practice drills of the BCM program and BC plans.

  • Maintenance — The BCM capabilities and documentation must be maintained to ensure that they remain effective and aligned with business priorities.

Crisis Management Planning and Disaster Recovery of IT were separate headings.

I might quibble about the order of Risk Assessment and Risk Mitigation and Business Impact Analysis (BIA) in the IIA's list. I also firmly believe that crisis management is part and parcel of business continuity, and that IT disaster recovery is part of the business continuity recovery process.

But all-in-all, IIA's document seems to have gotten off to a good start.

IIA really won me over when, on Page 6, it listed People as Number 1 under the Common Disaster Impacts heading. Following People were Facilities and equipment, Communication infrastructure, Supplies, and Information and IT systems.

I agree with so much of what is presented in GTAG 10, Business Continuity Management, I could have authored (most of) it.

For the ERM/BC/COOP practitioner, GTAG 10 is an excellent resource if for no other reason than that it comes from auditors.

While many middle- and upper-level managers cringe when they hear the words "The auditors are coming," I delight in them.

Auditors, if they have any concept of business continuity, can be an asset to the practitioner.

Auditors, if they lack any concept of business continuity, should find a practitioner to give them an overview - or be pointed to this document and to the IIA.

There are a number of very good "what's business continuity and how to do it" documents out in the world; the International Facility Management Association has one.

What sets this publication apart is that auditors, unlike - say - facility managers, (should) have a broad view, a view that is focused on the enterprise rather than only a small part of the enterprise.

From my perspective, GTAG 10 is a keeper.

John Glenn, MBCI, SRP
Enterprise Risk Management/Business Continuity
Planner @ JohnGlennMBCI.com