The specialised nature of business continuity means that many organisations need to utilise the skills of a dedicated coordinator and the resources of an external partner to ensure that business continuity arrangements are established that are appropriate, comprehensive, cost effective and practical. But choosing such a coordinator and partner is not an easy task when there are so many alternatives available, all claiming to provide the exact skills and level of service you require.
This article aims highlights the factors that need to be considered when you are selecting for these important roles.
What to look for in a business continuity coordinator
What is a business continuity coordinator? A business continuity coordinator is the designated individual who is responsible for establishing business continuity arrangements for an organisation. There are three ways this role can be fulfilled:
1. Allocate the tasks to an existing employee
2. Employ a dedicated business continuity coordinator
3. Hire a business continuity coordinator from an external organisation that specialises in business continuity management.
In many smaller organisations the first option is usually chosen, due to the nature of the business and the amount of time required putting the arrangements together. But for many organisations the cost of funding the necessary training and the time required for the employee to carry out their own job as well as the business continuity role, will mean that this option is not realistic.
Most organisations choose to either recruit a fully skilled coordinator to be a full-time employee or utilise the services of a consultant from an organisation that specialises in business continuity management. Which one of these options is ultimately selected will be dependent on whether there is enough business continuity work to keep the coordinator busy, initially creating and then maintaining and exercising the plan.
Whichever of the options are selected by your organisation, the skills required of the coordinator are the same.
Specific business continuity skills required
DRI International recommends that the following skills and attributes should be demonstrable by the person chosen:
• Project initiation and management – this will require them to establish the need for the business continuity function, including: resilience strategies, recovery objectives, business continuity and crisis management plans and including obtaining management support and organising and managing the formulation of the function or process either in collaboration with, or as a key component of, an integrated risk management initiative.
• Risk evaluation and control – the ability to determine the events and external surroundings that can adversely affect the organisation and its resources (facilities, technologies, etc.), the damage such events can cause and the controls needed to prevent or minimise the effects of potential loss. They will also need to provide cost-benefit analysis to justify investment in controls to mitigate risks.
• Business impact analysis – the need to identify the impacts resulting from disruptions that can affect the organisation and techniques that can be used to quantify and qualify such impacts. As well as identifying time-critical functions, their recovery priorities and interdependencies so that recovery time objectives can be set.
• Developing BCM strategies - determine and guide the selection of possible business operating strategies for continuation of business within the recovery point and time objective, while maintaining the organisation’s critical functions.
• Emergency response and operations - develop and implement procedures for responding to and stabilising the situation following an incident, including establishing and managing an emergency operations facility to be used as a command centre during the emergency.
• Developing and implementing business continuity and crisis management plans - designing, developing and implementing plans that provide continuity within the recovery time and recovery point objectives.
• Awareness and training programs - preparing a program to create and maintain corporate awareness and enhance the skills required to develop and implement the business continuity program or process and its supporting activities.
• Maintaining and exercising plans - pre-planning and coordinating plan exercises and evaluating and documenting plan exercise results. Developing processes to maintain current continued capabilities in accordance with the organisation’s strategic direction. Verifying that the plan will prove effective by comparison with a suitable standard and reporting the results in a clear and concise manner.
• Crisis communications - developing, coordinating, evaluating, and carrying-out plans to communicate with internal stakeholders (employees, management, etc.), external stakeholders (customers, shareholders, vendors, suppliers, etc.) and the media (print, radio, television, Internet, etc.) in the event of an interruption from a disaster.
• Coordination with external agencies - establishing applicable procedures and policies for coordinating continuity and restoration activities with external agencies (local, national, emergency responders defence, etc.) while ensuring compliance with applicable statutes or regulations.
Other skills necessary
In addition to the specific business continuity skills and experience, the multi-disciplinary nature of the job means that the individual has to posses a number of soft skills:
• Comfort in the job – a good business continuity coordinator is an evangelist for business continuity within the organisation. This means talking about it to anyone who will listen, from senior executives downwards. Everyone in the organisation will see the coordinator walking around the building and unless they are informed why, the reaction can be negative.
Internal stakeholders should be aware of the coordinator’s project before it officially begins, they must be able to talk one-on-one with individuals at their own level of comprehension.
• Curiosity – a coordinator who knows everything will certainly guarantee the plan will fail because they will make erroneous assumptions. In business continuity planning, assumptions are fatal flaws that must be avoided at all costs. Beyond assumptions, most people will not cooperate with someone who “knows everything already”. Cooperation from department subject matter experts is critical to any plan's success.
• Diplomacy - unless the coordinator is a senior director or officer of the organisation, they will have to depend on the goodwill of everybody impacted by the plan. Typically, that means operations level managers and their staff, as there must be involvement from subject matter experts if the plan is to protect the organisation as a whole.
• Documentation - business continuity planning is heavily dependant on documentation and the coordinator must be comfortable producing such deliverables. While a proposal may not be necessary, there still needs to be produced a statement of work and a project plan. The coordinator must be able to create concise documents for the responders, and must keep in mind that responder instructions may be given to someone other than the person who normally would perform the specific task, consequently details are critical.
• Marketing and selling the process - coordinators must constantly market and sell business continuity even when the function has senior management support, the coordinator needs to convince others that planning is good for them; that it protects them as individuals, protects their jobs, and it may help them get new hardware or software to enhance their efficiency and value to the organisation.
• Mentoring - subject matter experts know just about everything they need to know about their subject, but unless they also are also business continuity subject matter experts, they need direction from the coordinator. Mentoring is helping others develop skills they can use today and tomorrow.
• Organisation - a coordinator must have better-than-average organisational skills. They will be juggling multiple tasks and, in most cases, will be working in semi-isolation.
• Training - even in large organisations with training departments, coordinators still need training expertise. They must help professional trainers develop curricula. In the absence of trainers, the coordinator will need a proven methodology.
In addition to these specific business continuity skills, the ability of the coordinator to effectively relate to business stakeholders demands a significant working experience in business operations, preferably at management level.
The coordinator must apply their own experience of operational drivers, needs and problems to the business continuity planning demands of the organisation's business managers. Having 'walked the walk', the coordinator will be trusted when they 'talk the talk'.
In the final analysis, real business experience is probably more important than the individual skills described above.
What to look for in a business continuity partner
With the ever increasing number of organisations offering BC solutions it can appear difficult to differentiate the good from the indifferent. We have outlined below the factors that we believe are important and should be considered when choosing a business continuity partner.
A clear differentiation between business continuity and disaster recovery
Traditionally disaster recovery has been the start and finish of organisational strategy for dealing with an unplanned event. Disaster recovery ensures that IT systems and data can be restored after unscheduled downtime. But over the last few years the growth of business continuity management has meant a shift in focus to the prevention of such events rather than the cure of disaster recovery. This has meant that disaster recovery has now become a subset of the whole process.
It is important that your prospective partner understands this clear differentiation and can provide recovery services that focus not only on the technology that support the critical business processes, but also the non-computing resources such as end-user workspace and telephony. In addition it is important these services are fully integrated, not just bolted together to suit.
This level of service can only be provided by a dedicated business continuity organisation or a separate division of a larger group.
Multi-vendor, multi-platform capabilities
The heterogeneous nature of the modern computing infrastructure means, that for even the smallest organisation, a multi-vendor and multi-platform environment will be utilised.
Your prospective business continuity partner must be able to replicate this environment as a starting point for recovering your critical business processes. This requires significant investment, on their part, in the physical hardware and software that are required to replicate your critical systems.
Other factors to consider include:
• Will they be able to support changing technologies alongside your own investment?
• How much do they invest in technology for business continuity solutions?
• What is their commitment to supporting older technology, which part of your organisation may depend upon?
Physical location of resources
While it is possible for a partner to centralise the location of a large proportion of their business continuity IT investment, the same cannot be said of providing physical space and resources for your displaced staff to operate from during the emergency.
It goes without saying that the geographical location of such resources must be reasonably local to your existing place of work. Unacceptable travel times not only impact financially in terms of overtime and travel costs, but the European Working Time Directive and the inability of staff to continue with their domestic responsibilities, could bring the best prepared plan to a grinding halt.
One area that many organisations, looking to partner with a business continuity supplier, fail to consider is the number of subscribers that are already signed up for the service. When a serious unplanned event occurs the likelihood will be that it will effect many organisations within the locality, and all these may be subscribed to the same BC partner and resources. In such a situation how can you be sure that you will be able to obtain access to the services you have paid for? The key is to find out well in advance:
• What is the maximum number of subscribers allowed on the service?
• How many clients are currently subscribed to the service?
• What is the waiting time for booking test-slots?
• What are the syndication ratios for equipment utilisation?
By analysing the answers to these questions it should be possible to spot whether a particular location is over-subscribed, saving you potential problems down the line.
Given the geographic nature of threats such as bombs, fire and flooding it is also important to consider how many other clients are within a specific radius of your potential partner’s site. If there were an incident, then you would be competing for recovery space with these other clients.
Typically exclusion zones are linked to subscription rates and you should ensure that they are enforced by any potential partner. For example it might be prudent to obtain a guarantee that no other organisation within 500m of your site is subscribed to the same recovery centre suite.
Skills and experience
A critical factor to consider when choosing a business continuity partner is the skills and experience of the organisation and their staff. Points to consider include:
• How many years have they provided dedicated business continuity services?
• How many recovery tests do they perform annually?
• How many disasters have they successfully managed?
• Do they have a wide range of experience across many industries and disaster scenarios?
• Do they maintain a dedicated support team who understand their role in the recovery process?
• What are their skill profiles and real-world experience?
• What certifications and qualifications relating to business continuity do they possess?
• Do they understand the integration of IT with business strategy?
• Do they have a good understanding of e-commerce dependencies and business-critical processes that are vital to your organisation?
Quality and track record
The reputation of the prospective partner will be evident in the market generally and references should always be taken from satisfied customers whom they have assisted in a recovery situation.
In addition the following should also be considered:
• Is the partner ISO9000 registered?
• What steps do they take to keep abreast of developments in the business continuity industry?
• Do they conform to the information security management guidance detailed within ISO/IEC 17799?
• What contingency plans do they have in place to cover the disruption to their own premises?
On a more general level you need to be sure that your partner is going to be around when you need them by checking on their financial performance and viability.
The best way forward with a partner is to initially carry out a test of their capabilities to recover part of your business. Once they have satisfied you as to their capability to deliver what they promise, then, and only then, be prepared to sign the necessary long-term contract.
When a disaster could cost your organisation millions of pounds and the livelihoods of hundreds of your employees, it makes sense that the risks associated with partner choice and service delivery should be considered above pure cost in the decision making process.
This article was written by ICM Computer Group: www.icmore.co.uk
•Date: 27th April 2005 •Region: UK/World •Type:
Article •Topic: BC general
this article or make a comment - click