Wednesday, February 15, 2012

ERM-BC-COOP

BC, DR mutually exclusive?

 

I was just poking around a major disaster recovery site. The site includes blog space and on it I read, in two installments, that disaster recovery planning, "DRP," is separate and apart from business continuity planning, "BCP."

Now I may be a newcomer to the business; I only got started in 1994 on a real disaster recovery - vs. business continuity - project, so perhaps I can be forgiven if I disagree with the blogger.

Truth in blogging: The site's professional blogger is not a business continuity practitioner; the writer is a PR person who should be working under the supervision of an experienced practitioner.

This writer treats InfoTech as an independent entity, separate from the profit center and its other resources, e.g., HR, Facilities, Finance, Vendor Management.

There is "business continuity" for the "business" operations and there is "disaster recovery" for InfoTech.

With no apologies, I will offer my one-word opinion of this arrangement:
NONSENSE.

What the PR person fails to understand is that if the profit center (on the "BC" side of the data center door) can't function, there's no need for InfoTech.

Moreover, "disaster recovery" is not limited to InfoTech. If an event occurs, ALL functions must be "recovered."

I am a firm believer in functional unit mini-business continuity plans; have a plan for InfoTech, another for HR, still another for Facilities, ad infinitum. That's fine. If an event occurs in a functional unit, and if that event can be rectified before it can impact any other functional units, wonderful. Use that functional unit's mini-plan to recover the unit. If the event will prevent the functional unit from meeting its Service Level Agreements (SLAs) to internal and external "clients" (other functional units and customers), then the issue is escalated to the enterprise business continuity plan.

What I cannot countenance is separating InfoTech - or any other functional unit - from the overall business continuity plan.

While some glossaries will disagree, my basic definition of business continuity is risk avoidance and mitigation. Disaster recovery ignores both - in the DRP world, "avoidance and mitigation" means having a backup site. That is neither avoidance nor mitigation; it is "survival mode."

I write with some experience. For several years I was Manager of IT Business Continuity for a Fortune 100 organization; trust me, there was no "business continuity."

At best, disaster recovery is an integral part of business continuity; it never should be a separate entity, glossaries notwithstanding.

We - risk management practitioners - should have grown up enough to realize that in order to protect the organization, and that means avoiding and mitigating threats as well as responding to them when they occur, we must have business continuity, and "disaster recovery" must be an integral part of it.

If I wrote it, you may quote it.

Longer articles at https://sites.google.com/site/johnglennmbci/
