BUSINESS CONTINUITY MANAGEMENT: ITS INCREASING ROLE IN THE WORLD OF CORPORATE PLANNING AND MANAGEMENT
By Tim Lovoy
Business continuity management is assuming a greater role in corporate planning and management due to concerns about terrorism - in all its forms - as well as more traditional incidents that can disrupt business and government. But much more work still needs to be done, and business executives face numerous questions when it comes to the issue of business continuity management (BCM). Questions such as:
- What has led to the deployment of BCM functions in other companies?
- How much should be budgeted for this activity?
- What level of staffing should be dedicated to BCM?
- How much can business continuity management impact my company's competitive position?
- How important is it to address third-party organizations in the BCM process?
- What is my company's risk tolerance compared to that of my competitors?
- How important is it to test BCM plans, and why should we conduct tests?
- How does general management view BCM spending?
It is critical for business leaders to assess the state of business continuity management within the organization, relative to similar companies. Business executives should ask, "How does the level of business continuity management preparedness for my organization compare to that of others in the marketplace?"
Five years ago, only 30% of respondents to a survey conducted by Deloitte & Touche LLP, a professional services firm, had corporate business continuity management plans (including crisis management). Now, in a repeated survey, more than 50% have formal crisis management and emergency response team plans in place that are tested at least annually. With today's real-time business environment, it is crucial for companies to get their message to employees and business partners in a timely fashion. It also seems that the increased accountability being directed at officers of the company has influenced the implementation of formal communication and decision-making procedures. With the continuing issuance of new regulations and industry recommended practices, expected behavior is constantly changing. It has become more and more difficult to keep up with both new regulations and the interpretation of acceptable compliance.
Many companies are taking the conservative approach of implementing more, rather than less, in an effort to try to keep up. The new survey showed that 20% of the responding companies still rely on internal audit or a compliance function to manage regulatory compliance. However, about 80% of the respondents indicated their business units maintained awareness of legal and industry issues. Thirty-five percent of the respondents felt they were fully compliant with all regulations affecting them, and that executive management was engaged in this area.
The governance of business continuity management continues as an area of weakness for many companies. Only about a third of the respondents felt they had a comprehensive BCM governance structure in place, and only half of these include executive involvement in setting and driving their programs. Two-thirds of those surveyed indicated they still do not have a process to ensure that an appropriate BCM program is maintained. One reason for this is that most organizations lack a senior management BCM champion who can influence both the company culture and budgeted funds. Also, business units are reluctant to spend the time and money to implement "optional" programs because it puts them at a competitive disadvantage to their peers from a financial analysis standpoint (assuming a disaster does not occur).
There were some interesting key findings in the survey relative to technology issues.
Survey responses confirmed what might be inferred from the history of business continuity management: recoverability of information technology assets leads the way. More than 60% of the respondents indicated that their companies had disaster recovery plans for most of their centralized IT platforms (mainframe, mid-range, LAN/WAN, and client-server). Moreover, they reported that these plans were integrated with business unit recovery plans, or at least that the business units participated to a degree in the testing of the disaster recovery plans. However, more than 20% said they felt that their IT recovery plans were still focused only on "bringing the box back."
Responses concerning facilities and infrastructure also indicated that a significant number of organizations were attentive to the recoverability of their physical premises. More than 40% said that their facilities plans had been integrated with business unit plans and were tested annually. A few even indicated that they were exploring and implementing a cooperative response with the public sector (i.e., fire and police authorities). However, an equal number reported either that building security and safety plans existed without reference to business requirements, or that the need for alternate workspaces had not gone beyond the awareness stage.
The remaining respondents indicated that facilities plans were being developed and that backup and recovery from utility failures had been discussed but not addressed.
Telecommunications recovery presents a more varied picture. While a third of the respondents said that their recovery plans addressed all telecommunications needs and were tested annually, or even that technologies such as wireless and radio frequency were built into their plans, more than 20% stated that their companies had limited awareness of the impact of a complete telecommunications failure. Almost half indicated that their recovery plans addressed some but not all of their telecommunications needs.
Overall, the picture painted by the respondents is one in which computing and facilities are more recoverable than telecommunications and vital records. One way to view these responses is that management may be more focused on recovery of tangible assets that would require heavy capital expenditure for replacement at the time of a disruption, but see alternatives for resources that can be more readily replaced or restored without such large financial implications. It is noteworthy that 80% of the respondents reported that at least something was being done to respond to their telecommunications needs in an emergency. Not surprisingly, the overall view was that more needs to be done to integrate the recovery capabilities for the technical infrastructure with the continuity needs of the business.
In conclusion, more and more organizations have recovery strategies and recovery plans for their business operations. One reason for this might be that IT has become a mission-critical enabler for most organizations, and the need for IT applications to achieve high availability and reliability is significant. However, technology is only one consideration in business continuity planning. With other aspects of business continuity strategy less developed in many organizations, there's still more to be done for companies to achieve highly effective business continuity plans.
Tim Lovoy is the National Audit and Enterprise Risk Services Leader (AERS) for the Technology, Media & Telecommunications practice of Deloitte & Touche LLP. He can be reached at tlovoy@deloitte.com.
The views expressed in this article are those of the author and do not necessarily represent those of Deloitte & Touche LLP.