Saul Midler, FBCI, describes three main reasons why organizations often fail to achieve ‘right-sized’ business continuity.
For many businesses, right-sizing their business continuity is nearly impossible to get right. Many organizations diligently allocate budget to business continuity, but most of the time these resources are under-allocated, misunderstood or assigned to the wrong person to carry out.
In my opinion, businesses usually:
- Under-protect all areas of their business, as they aren’t sure exactly what they are protecting;
- Under-allocate time and/or resources to discovering the full extent of what needs to be protected, or planned for;
- Over-protect IT due to overzealous technology vendors; and
- Incorrectly focus on desired capability instead of impact to be avoided.
Technically, right-sizing is not achievable when organizations don’t invest enough time, money or capability to get it right:
It takes quality time to understand the magnitude of loss over time as a result of operational disruption. Rather than considering the impact to the organization if products or services are disrupted, organizations only allocate enough time to guesstimate the impact if the technology failed. That then drives the information technology disaster recovery (ITDR) plan. This is a problem because business continuity becomes technology-driven instead of business-driven. Many organizations limit their planning to IT because it is conceptually easier and conceptually obvious.
Having invested in ITDR doesn’t mean that the remaining resources of the business (such as skilled staff, machinery, facilities, etc.) should be unheeded. Right-sizing your business capability means covering off all your resources and potential disruption causes.
Financial allocations for business continuity set by executive management may not reflect a true understanding of the magnitude of impact when business activities stop for a period of time. The challenge is that executive management tend to be driven from the risk assessment point of view: one that requires them to consider various threat scenarios and the likelihood (or probability) of those threats striking. This type of thinking is risky because it is limited by the assessor’s experience in knowing all the threats and assumes likelihood is a precise science. This falsely reinforces their belief system that it won’t happen to them and they don’t need to spend much on business continuity management. So, do they recognise the long-term damage restricting budgets will have on adequately preparing their business to respond to disruption? No, they don’t! One of the biggest mistakes executive management make is to deprive proper planning of business continuity.
Equally important are the capabilities of the team or person tasked with managing your business continuity process. The person or team should be very clear about business continuity philosophies, including the all-hazards approach and when to separate this from risk management. They need to be experienced and capable of undertaking a defensible business impact analysis (BIA): tagging each business activity with a recovery time objective (RTO), identifying critical resources, and assessing the actual time taken to restore each critical resource. Without a thorough understanding of the scale of business continuity planning, businesses rarely get the accuracy of right-sizing correct.
Right-sizing your business continuity capability is a juggling act between allocating enough resources to plan, to respond and recover effectively when your business is struck by disaster.
Do you have adequate time, money and resources reserved for your business continuity planning?
Saul Midler FBCI is the managing director of LINUS Information Security Solutions. LINUS’ Revive business continuity software was recently awarded Continuity & Resilience Product of the Year at the BCI Australasian Awards for the third year running. The Aussie team will be flying over to London to be inducted into the BCI Hall of Fame in November, and would like to invite you to join them in the afternoon of the 12th of November to discuss the state of the nation when it comes to business continuity, experience Linus Revive, and understand how it can drive additional value for your BCM processes.