The Future of BCM: It’s About Information, Not Data (Nor Plans)

This is the 4th in a series of articles discussing the future of Business Continuity Management.  The series starts here

In today’s business ecosystem, with RTOs approaching zero and new threats emerging with regularity, organizations can ill afford to pay for Business Continuity teams that simply write Plans – to meet regulatory and audit requirements, or demonstrate preparedness to customers and potential customers.

Organizations have begun to see the limitations – or lack of value – in most written Business Continuity Plans.  While IT Disaster Recovery Plans have long contained detailed instructions (the steps needed to rebuild a server, restore a network, or recover an application), Business Continuity Plans for business functions more often contain lists of things; bits of ordered but isolated data.  Unless and until that data can be centralized and reorganized in a meaningful manner, it just sits there, virtually useless in an emergency.  What BCM needs is information visibility.

In Business Continuity Planning the value of the data collected is not in the data itself, but in the information that data can provide by ‘connecting the dots’ between relevant bits of data.  Meeting increasingly shorter RTOs requires an understanding of more than what you have to recover; it demands knowing what to do to recover those things.

Information is the key to that capability.  Information – connecting the dots between bits of data – not only facilitates viable, actionable Plan writing, but it helps identify the gaps, dependencies and priorities that determine what you should plan for.

Information – organized properly – enables decision support:

  • Suppose every BIA determines which IT Applications are critical to the day-to-day operations of each Business Process.  As data, this is simply a list of Apps, isolated by Business Process.  As information it could provide IT an understanding of both who uses each App, and how important those users are to the organization.  Connecting those dots turns data into useful information – and enables IT to better understand which Apps are most critical to the organization’s business continuity – and use that information to shorten RTOs or update their DR priorities.
  • Similarly, a BIA may collect each of the Locations in which a Business Process is performed.  Simply connecting the dots creates an understanding of every Business Process that may be disrupted when any facility is compromised.  When the criticality and RTO of each Business Process are also linked in that chain, the resulting information enables Incident Commanders to make informed decisions about which Business Processes to recover – quickly and effectively.

Accessible information can provide visibility:

  • Connected relationships among bits of data allow the creation of dashboards of key indicators, make Gantt charts and flow charts possible, and enable mapping of locations (facilities, employees, vendors).
  • All of these are information that is ‘digestible’ – quickly, easily and without language.

Enterprise-wide information can promote better analyses:

  • End-to-end connections (from server to user, from location to process, etc.) uncover downstream dependencies, gaps and anomalies (critical, short-RTO business processes supported by processes with weeks-long RTOs).
  • End-to-end connections enable “What if?” analyses to understand vulnerabilities, to use that knowledge to develop better, more comprehensive plans – and to develop ‘muscle memory’ by leveraging that information for exercise purposes.
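
The 'connecting the dots' cases from the lists above (Apps by Business Process, Business Processes by Location, and short-RTO processes supported by long-RTO ones) can be sketched as three joins over BIA records. This is an added example, not eBRP's code; the record layout, process names and values are constructed for illustration.

```python
from collections import defaultdict

# Constructed BIA records (hypothetical names and values), one per Business Process.
# rto_hours is the process RTO; depends_on lists the processes that support it.
BIA = [
    {"process": "Payments", "criticality": 5, "rto_hours": 4,
     "apps": ["CoreBanking", "FraudScreen"], "locations": ["HQ", "DC-East"],
     "depends_on": ["Reconciliation"]},
    {"process": "Reconciliation", "criticality": 3, "rto_hours": 336,
     "apps": ["CoreBanking", "Ledger"], "locations": ["HQ"], "depends_on": []},
    {"process": "Customer Support", "criticality": 4, "rto_hours": 24,
     "apps": ["CRM"], "locations": ["Call-Center"], "depends_on": ["Payments"]},
    {"process": "Payroll", "criticality": 2, "rto_hours": 168,
     "apps": ["Ledger", "HRIS"], "locations": ["HQ"], "depends_on": []},
]

def app_priorities(bia):
    """App -> (highest criticality of any user, tightest RTO, users), most critical first."""
    users = defaultdict(list)
    for rec in bia:
        for app in rec["apps"]:
            users[app].append(rec)
    rows = [(app, max(r["criticality"] for r in recs),
             min(r["rto_hours"] for r in recs),
             sorted(r["process"] for r in recs)) for app, recs in users.items()]
    return sorted(rows, key=lambda r: (-r[1], r[2], r[0]))

def impacted_by_location(bia, location):
    """Processes disrupted when a facility is compromised, shortest RTO first."""
    hit = [r for r in bia if location in r["locations"]]
    hit.sort(key=lambda r: (r["rto_hours"], -r["criticality"]))
    return [r["process"] for r in hit]

def rto_gaps(bia):
    """(process, rto, supporter, supporter_rto) where the supporter recovers too late."""
    by_name = {r["process"]: r for r in bia}
    return [(r["process"], r["rto_hours"], up, by_name[up]["rto_hours"])
            for r in bia for up in r["depends_on"]
            if by_name[up]["rto_hours"] > r["rto_hours"]]

if __name__ == "__main__":
    for row in app_priorities(BIA):
        print(row)
    print(impacted_by_location(BIA, "HQ"))
    print(rto_gaps(BIA))
```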

In the end, simply collecting data isn’t enough.  The demands of today’s ‘always-on’ business ecosystems require information to develop better plans, run more cogent exercises – and manage any disruptive incident that may impact day-to-day operations.

eBRP Thoughts

eBRP Thoughts, eBRP’s Blog voice, represents 50 + years of cumulative BCM knowledge gained through experience in corporate BCM program management, consulting & program implementations. We've worked hand-in-hand with governments and private enterprises to develop viable BCM programs. eBRP is an active participant on LinkedIn and Twitter. The opinions expressed in our eBRP.net blog are ours and are intended to engage resiliency planners in conversations about the BCM industry, its standards and its future.
