The BCI has published its latest thought leadership report, which looks at how business continuity professionals should work with their counterparts in IT and/or cyber security to increase resilience across the organization.
The key findings of the Technology & Business Continuity in Organizational Resilience survey-based report, which is sponsored by Sungard AS, include:
Business continuity departments which are closely engaged with their IT departments have the most resilient IT systems and processes: IT and IT resilience departments which work closely with business continuity, practicing ‘non-siloed’ working practices, have the most resilient working practices. Although 89 percent of respondents ranked business continuity as one of their top five capabilities in the foundation of a resilient organization, the widely held view among professionals contributing to this report is that the foundations of resilience are built on the sum of many departments, led by strong leadership.
Should IT resilience be managed by business continuity or IT? The BC department is more likely to put together the IT resilience business impact analysis (BIA) than the IT department, but IT is responsible for IT resilience in two-thirds of organizations. This leads to inevitable conflict between the departments in some organizations, and the lack of defined responsibilities can result in system failures and unwanted downtime.
A separate BCI Good Practice Guidelines (GPG) for IT Resilience could serve to create further siloing, but most agree further detail on IT resilience is needed in the current GPG: Nearly nine out of ten professionals believe greater detail on IT resilience is needed, either within the current GPG or in an entirely new document.
Communication failures can lead to failures in resilience processes: a fifth of organizations are not confident that business-critical activities could be continued or restarted in line with their business continuity plan (BCP), and one in ten organizations have failed to map critical processes. Many respondents attributed this failure to a lack of communication between departments, with priority products and services not agreed between departments. The presence of incumbent legacy systems also remains a reason for process failures.
Due diligence of third-party IT providers is not being routinely carried out: less than half of respondents report that their IT providers’ KPIs meet their organization’s continuity requirements, suggesting that there is a high degree of trust placed on third-party providers to be able to provide reliable systems and services.
Different departments have different priorities when it comes to IT resilience: when creating a BCP, those working within IT disaster recovery or IT service continuity prioritise IT infrastructure, whilst those in BC prioritise IT applications. Although in many organizations the difference is not defined, the results demonstrate how both departments should be involved when creating the BCP to ensure no bias is created.
A significant minority of organizations admit to not having their DR procedures up to date, and less than a fifth are able to carry out a full DR test: less than two-thirds of organizations report having up-to-date DR procedures, and under a fifth report being able to carry out a full disaster recovery test within their organizations. Demand for continuous uptime and financial constraints from the wider organization were the principal reasons cited.
A lack of consideration for the potential impact of a pandemic, and/or for the possibility that all staff may need to work from home at short notice, meant some organizations suffered unnecessary downtime: nearly a third of organizations encountered disruption as they had insufficient hardware to allow staff to work remotely, with remote access and VPN issues also causing significant disruption for a quarter of organizations. Considering the breadth of disruption a pandemic can cause to an organization, and/or how prepared an organization is for all staff to move immediately to a remote working model, should now be regarded as crucial to stop similar disruption recurring in future crises.