Edited by Kathy Rainey
Whether you are the CEO of a small publishing company
(as I am) or the CEO of a Fortune 500 company, our jobs are essentially
the same. We must grow the business, manage the business and protect the
business.
Traditionally most of our resources go toward building and
managing. It's not until a business disruption exposes our vulnerabilities
that we see clearly the gaps in our third responsibility.
The following essays will show you a number of developments
in the past year that have been, and are continuing to be, instrumental
in elevating business continuity to a level of importance never seen before.
Indeed, as a fellow CEO, it is my belief that in these turbulent times,
the protection of your business will command more of your attention than
it has in the past.
One of the most frustrating stories in the aftermath of
the 9/11 terrorist attacks was the Senate Intelligence Committee's conclusion
that the government had all the information necessary to thwart the attack,
but "they just didn't connect the dots." Various departments did not communicate
with one another, allowing the terrorists to execute their plans.
Likewise, communication is vital to
the protection of your business. The developments you will read
about below traditionally originate in different areas of your company.
The more successful you are at fostering communication among these different
areas - and better yet, bringing them together under one entity for an
integrated mitigation and response strategy - the better protected your
organization will be.
For example, you will read below that the threat of weapons
of mass destruction is more real than it has been in the past, and perhaps
your facilities department or your crisis management personnel have been
developing new procedures to respond to such an attack. The interesting
piece about continuity as it relates to supply chain management may be
something with which your director of operations is currently struggling.
The new regulations mandating better business continuity practices are
probably on the radar screen of your legal department. And perhaps your
marketing department is starting to see the value in promoting corporate
stability and dependability in sales and marketing communications.
As the CEO, you must ensure all these "dots" are connected.
You must integrate all these areas of your business - and all these factors
leading to business continuity - to increase survivability and productivity
in the long run. Will a committee made up of division or department representatives
be an effective means for working toward the goal of enterprise continuity?
Does the task merit a board level officer charged with bringing pieces
together? Communication among department heads and between you and your
suppliers, local government, shareholders, and stakeholders is essential
to growing your business, managing your business, and, now more than ever,
protecting your business. This time, we must connect the dots!
- Kathy Rainey, CEO and Publisher,
Disaster Resource Guide,
publisher@disaster-resource.com
1. THE
DRIVERS FOR BUSINESS CONTINUITY MANAGEMENT HAVE MOVED FROM INFORMATION
TECHNOLOGY TO SALES AND MARKETING, BECOMING A NECESSARY PART OF EVERY
SUCCESSFUL COMPANY'S STRATEGIC PLAN.
Continuity Planning as Part of Strategic
Planning
In the past, only companies in regulated industries were required to have,
first, disaster recovery plans, and then later, business continuity plans.
In other industries, business continuity planners tried scare tactics
to motivate management, with little or no long-term success. Business
continuity as part of regular business strategy has often been hoped for
but never demanded - until now.
We live in an increasingly hostile world. It is not just
the "CNN effect" that makes catastrophes commonplace. There really are
more natural, technological, and political disasters every day. Those
of us raised in the latter half of the 20th century have enjoyed an unusually
calm period in the history of mankind. This is changing as we enter the
21st century.
The increasing frequency and severity of disasters means
the company prepared for the worst will come out the best. Consider the
following:
- An aging and crumbling infrastructure threatens our power and telecommunications.
- Religious and political terrorism threatens our staff and customers.
- Natural disasters such as hurricanes, floods, and tornadoes threaten
our buildings.
- Governance issues threaten our confidence.
Against this frightening backdrop, our customers are demanding
lower prices and higher quality. Some companies are moving with the tide
and "driving to the bottom" through outsourcing and offshore production.
Wiser companies are able to command a premium price for consistent quality
and assured delivery. Just as ISO certification was driven by customer
demand for consistent quality in the 1990s, the demand for assured delivery
in the face of increasing obstacles today is driving business continuity
management.
In manufacturing and the service industries, companies up
and down the supply chain are demanding assured delivery from suppliers.
Through the review or audit of suppliers' business continuity programs,
they hope to divide the resilient from the fragile. A solid business continuity
program, regularly exercised and maintained, is becoming a basic requirement
when bidding for business in many sectors of the economy.
The drivers for business continuity management have therefore
moved from information technology, where they languished for years, to
sales and marketing. It only takes one client to refuse a bid because
of inadequate contingency plans to move business continuity into the mainstream.
By focusing on the client's requirements of continuous service and production,
business continuity management may finally shed its IT-based disaster
recovery roots and become a necessary part of every successful company's
strategic plan.
- Graeme Jannaway, managing director,
Jannaway & Associates,
graeme.jannaway@sympatico.ca
2. THE PROLIFERATION OF REGULATIONS
AT THE FEDERAL, STATE, AND LOCAL LEVELS IS CAUSING THE BUSINESS CONTINUITY
PROFESSION TO EXPAND, AND BC PROFESSIONALS ARE HAVING A GREATER INFLUENCE
ON THEIR ORGANIZATIONS.
Legislation, Regulations, and Their
Impact on BCP
The past year has seen a continuing increase in compliance initiatives
with which organizations must contend. External requirements for greater
preparedness seem without end.
Today, regulations such as NYSE 446 require firms to develop,
maintain, review, and update business continuity and contingency plans
that establish procedures to be followed in the event of an emergency
or significant business disruption. U.S. regulations and legislation,
such as The Patriot Act, Vital Interdiction of Criminal Terrorist Organizations
Act, HIPAA, and privacy regulations, will have far-reaching impact on
everyone. Sarbanes-Oxley is certainly a significant piece of legislation
that is still being sorted through by regulators, auditors, and management.
The essence of Sarbanes, for example, is quite simple: compliance
with applicable laws and regulations. But how does one know what compliance
is or what it ought to be? What about such international precedents as
Basel or the ISO standards? The gap between "is" and "ought"
is not accidental but systematic, and it is a gap that may leave us permanently
torn. Needless to say, all these new regulations, with their vague but
nonetheless demanding language, present a challenge to today's business
leaders as they strive for compliance.
What does all this mean for the business continuity profession?
The proliferation of regulations at the federal, state, and local level
should mean the business continuity profession will expand, and business
continuity professionals will have a greater influence on the organizations
employing them or their consulting clients. It also means business continuity
professionals will have to become more educated in their profession, and
that business continuity, as it is variously defined, will have to rethink
its basis and redefine itself.
For business leaders, the increase in regulations means
an integrated approach to business continuity - one making business
continuity planning an integral part of the business process - should
be a priority. Today's business leaders cannot afford to let regulatory
compliance go unanswered. The many, and proliferating, regulations affecting
business have elevated compliance initiatives to the senior management
and board of director levels.
- Geary W. Sikich, principal,
Logical Management Systems Corp.,
gsikich@aol.com
3. THERE IS A GROWING BODY
OF JUDICIAL ACTION COMPELLING CRITICAL INFRASTRUCTURE OWNERS AND OPERATORS
TO ENHANCE SECURITY - OR FACE LIABILITY FOR FAILING TO DO SO.
What Homeland Security Means to
American Business
The Department of Homeland Security merged almost two dozen federal agencies
to fulfill a single mission: protect and defend the United States from
terrorism. Nonetheless, homeland security is not the singular responsibility
of government; the federal government continues to seek the aid and assistance
of the private sector. The Department of Homeland Security is in the process
of finalizing the National Response Plan, superseding the Federal Response
Plan as the core plan for integrating federal government domestic prevention,
preparedness, response, and recovery plans into one all-discipline, all-hazards
approach. Private sector companies and corporations will be encouraged
to make sure their plans are consistent with the National Response Plan.
More importantly, however, in the aftermath of the September
11 attacks, critical infrastructure owners and operators have been called
upon to implement additional security measures above and beyond those
undertaken by government. While the decision to augment security remains
largely voluntary, the private sector should note the change in the air:
A growing body of law and judicial action suggests that critical infrastructure
owners and operators may be compelled to enhance security - or face liability
for failing to do so.
It is now widely known that critical infrastructures are
professed terrorist targets. From power plants and bridges to agricultural
production facilities and banking, critical infrastructures represent
the foundation of the economy as well as the backbone of American life.
With 85 to 90 percent of the nation's critical infrastructures in private
hands, some lawmakers believe that at least part of the responsibility
for security rests with the critical infrastructure owners themselves.
The Maritime Transportation Security Act (MTSA), for example,
creates new roles, responsibilities, and duties for all segments of the
maritime supply chain. Under MTSA, the maritime industry has significantly
greater security responsibilities that were unimaginable before 9/11.
Conservative estimates suggest that MTSA compliance will cost the maritime
industry more than $7 billion over the next 10 years. Similarly, pending
congressional legislation, such as the Chemical Facilities Security Act
of 2003, would mandate security duties for the chemical industry.
Perhaps the decisions of the courts represent the most compelling
evidence that owners and operators of critical infrastructures have an
increased "security duty." When Boeing moved to dismiss a lawsuit filed
by victims of 9/11, federal judge Alvin Hellerstein refused to grant Boeing's
request. To the contrary, the judge held that "… it was reasonably foreseeable
that a failure to design a secure cockpit could contribute to a breaking
and entering into, and takeover of, a cockpit by hijackers or other unauthorized
individuals…." (Order and Opinion Denying Defendants' Motion to Dismiss
at 38, In Re September 11 Litigation. S.D.N.Y. (No. 21 MC 97)). Arguably,
the nation's critical infrastructure owners and operators should take
note, for this ruling, though preliminary, signals a possible paradigm
shift in the legal liabilities associated with terrorism and further reflects
the apparent sentiments of some in Congress.
- Steve Roberts, consultant, and
Tom Hutton, senior principal,
SRA International,
tom_hutton@sra.com
4. THE PUBLIC AND PRIVATE
SECTORS ARE STARTING TO WORK MORE CLOSELY TOGETHER ON BUSINESS CONTINUITY
AND EMERGENCY MANAGEMENT.
Public and Private Working Together
It would be a gross understatement to say the public and private communities
are working together now more than ever before. The scope of the work
accomplished recently and the work ongoing are unprecedented. Recent events
over the last few years have opened up joint emergency planning efforts
around the world between government agencies and the business sectors
- the common good being the economic well-being of the city or state and
the safety of its citizens.
In years past, the public and private sectors were leery
to trade information and develop emergency and continuity plans together.
Each sector was satisfied with developing plans in a vacuum in order not
to impart too much of their inabilities or lack of response or recovery
capabilities. But that's all changed, and both sectors are freely exchanging
information and seeking out each other's competencies, mostly due to the
dramatic changes in our world today. Today emergency managers are working
with companies to develop joint response plans for their business continuity
programs, and businesspeople are now positioned in Emergency Operation
Centers. There are even a number of public emergency agencies that have
designated personnel to directly work with the business community.
What changed? Of course, terrorism has been a motivation
for developing partnerships so both sectors build mitigation, response,
and recovery plans for the communities in which they live. But there is
also a realization from past disaster events that rapid restoration of
the local business community leads to the overall well-being of the area.
When ATMs are back online, when phone service is restored, when local
restaurants are opened, the community impacted by a devastating disaster
is optimistic about its survival and future. Both public and private sectors
also understand that when the business community can feel confident it
can withstand even the most devastating outages, it will continue to operate
in the states, cities, and neighborhoods. This type of partnership planning
fosters the economic well-being of the community, as businesses want to
stay and new companies want to open.
The private sector has many resources to share with the
emergency management officials in their regions. For example, Business
Executives for National Security (www.bens.org)
helps enhance the nation's security and make America safe by sharing business
experience and resources with the public sector; and the Business Network
of Emergency Resources, or BNet (www.bnetinc.org),
works with agencies to develop initiatives fostering partnerships for
the purpose of reducing emergency-related business losses.
- Mark Haimowitz, FBCI,
Avaya Inc., BNet president,
markhaim@avaya.com
5. PRESERVATION OF CUSTOMER
TRUST, ACHIEVED IN LARGE PART WITH SECURITY AND PRIVACY PRACTICES, IS
ESSENTIAL NOW - AND WILL BECOME EVEN MORE IMPORTANT - TO THE SURVIVABILITY
OF BUSINESSES.
The Worldwide State of Privacy Laws
The public's desire to control their privacy is demonstrated by the FTC-managed
National Do Not Call Registry: 370,000 numbers were registered in the
first four hours of its availability on June 27, 2003, and as of March
3, 2004, consumers had registered over 57.3 million telephone numbers.
This quest for privacy is one that transcends telemarketing and goes beyond
U.S. borders. It is not a new issue, but one gaining momentum and increasingly
bubbling up on the short list of the public's concerns.
The U.S. government most noticeably started addressing privacy
with the passage of the Privacy Act of 1974. In 1980 the Organization
for Economic Cooperation and Development (OECD) released their guidelines
for the protection of privacy and trans-border flows of personal information.
This served as the warm-up for a series of worldwide privacy laws established
since. Most ostensibly was the 1995 European Union (EU) Data Protection
Directive, which was modeled closely after the OECD guidelines. Many countries
soon followed suit and are continuing to enact privacy laws. Legislation
in Canada, Australia, New Zealand, Argentina, and other Latin American
countries and proposed laws in other countries such as Japan closely follow
the OECD and EU privacy requirements model. The EU group of countries
is just one example of a worldwide community that blocks the flow of personally
identifiable information about its citizens to any nation that does not
have adequate data protection and privacy standards. Countries around
the world are passing privacy laws to ensure trade with other countries
with strict privacy requirements is not interrupted.
The trend for passing privacy laws in the United States
also continues. In recent years many new federal regulations such as the
Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and Accountability
Act (HIPAA), and hundreds of privacy laws at the state and local levels
have been enacted. Organizations have been challenged to keep up with
all the privacy and security laws in each of their office and customer
locations.
When an individual's privacy has been infringed upon, he
feels a loss of control over his life. Once an organization loses its
customers' trust because of a privacy incident, it is extremely difficult,
if not impossible, to regain the trust of the public and its remaining
customers.
Business leaders and continuity professionals are becoming
increasingly aware that the preservation of customer trust, achieved in
large part with security and privacy practices, is essential now - and
will become even more important in the coming years - for business survivability.
- Rebecca Herold, CISSP, CISM, CISA, FLMI,
vice president of Privacy Services and chief privacy officer,
DelCreo Inc.,
rebeccaherold@rebeccaherold.com
6. UNIVERSITIES AND BUSINESS
CONTINUITY ASSOCIATIONS ARE CONTINUING TO DEVELOP BUSINESS CONTINUITY,
SECURITY, AND RISK AND EMERGENCY MANAGEMENT PRACTICES INTO A PROFESSIONAL
DISCIPLINE.
Building the Profession: Education
and Standards
Major changes have been occurring at an increasing frequency in this discipline
which not too long ago focused primarily on data center recovery. Increasing
threats, both man-made and natural, incredibly rapid technological evolution,
new business concepts and processes, a global economy, and an increasing
stakeholder awareness have made business continuity truly a professional
discipline and not just an unavoidable task to satisfy auditors and regulators.
Focusing in particular on expanding professional development,
good practices, and the promotion of meaningful standards and guidelines,
DRI International (DRII) and the Business Continuity Institute (BCI) are
launching new initiatives. BCI recently announced a new Specialist certification
category and is about to pilot a recertification program. DRII is expanding
its course offerings and has made available many of its courses and its
certification examination online. Both institutes, acting in collaboration,
have published an updated set of certification standards, and BCI has
published a Good Practices Guide.
DRII has established four new management committees - the
Strategic Alliances Committee, the Legislative Affairs Committee, the
International Affairs Committee, and the Educational Advisory Council
- to work closely with its board of directors to ensure progress continues
in these critical areas.
Several U.S. universities, such as the University of North
Texas in Denton, Texas, and George Washington University in Washington,
D.C., have established degree programs in emergency management. Cal State
University at Long Beach has a Masters program in emergency management.
The University of Richmond has initiated a program and has taken over
the Harris certification program. In the UK, Coventry University has launched
a degree and certificate program in BCM, with BCI providing input into
the development of the curriculum.
Many other universities are investigating expansion of current
business management and information technology curricula to include course
work in emergency management, risk management, and business continuity
management. The Educational Advisory Council of DRII is researching schools
offering courses in BC and emergency management. One goal of the Council
is to track an educational and career path for students and practitioners
in business continuity, security, and risk and emergency management that
leads to a corporate executive position identified as chief risk officer.
The Council is working toward identifying and defining the functions,
skills, and knowledge needed by this individual with regard to regulatory
issues, physical and intellectual security, environmental health and safety
concerns, crisis management, legal implications, etc.
With all the new and continuing initiatives, it is clear
tomorrow's business continuity professional will be better educated and
prepared - and will reap the benefit of significantly higher levels of
management awareness and commitment.
- John Copenhaver, chair of DRII,
and Larry Kalmis, chair of BCI,
john.b.copenhaver@marshmc.com,
lkalmis@virtual-corp.net
7. THE FINANCIAL AUDIT FUNCTION
WITHIN ORGANIZATIONS IS BECOMING INCREASINGLY CONCERNED WITH RISK MANAGEMENT,
CONTINUITY, AND RESILIENCE.
Audit, Benchmarking, Maturity, and
Compliance
This year brought a number of significant changes to the general audit
framework: business continuity, disaster recovery, and crisis management
have emerged as core disciplines to be reviewed.
The Civil Contingencies Bill, PAS 56, and the control self-assessment
tool for the BCI Good Practice Guide are indicative of this new mega-trend.
If the 1990s was the decade of building and implementing sustainable BCM
processes, we have now moved on toward control, monitoring, and benchmarking.
Large strategic initiatives such as Basel II for the financial sector
require objective criteria for evaluating continuity and disaster recovery
within organizations.
With growing maturity of the business continuity and risk
management cultures, audit and compliance issues are firmly embedded in
the overall approach toward risk and, most importantly, corporate governance.
Several European countries have introduced corporate governance codices
with specific audit and compliance provisions. In the Asia-Pacific region,
various governments have embarked on self-assessments to determine the
state of business continuity, disaster resilience, and crisis management
capabilities. These developments are being reinforced by U.S. laws and
standards.
From a business perspective, the increasing level of optimization,
"lean" organizations, and constant restructuring multiply the operational
risks and potential threats. The "crisis-prone organization" of the 1970s
may well return, as has been observed in recent research. As a result,
even financial audit is becoming increasingly concerned with risk management,
continuity, and resilience. A multitude of global surveys published by
the "Big 4" accounting firms have clearly identified business continuity,
IT disaster recovery, and crisis management as important audit and compliance
issues. Professional audit associations have published extensive research
on benchmarking and review techniques. If the question until now was how
to introduce BCM, it is rapidly changing to how to know it works.
This is just the beginning. The BC profession and practice
have reached a new maturity level, moving from the initial "ad hoc" and
"repeatable" stages to the "managed" stage of the capability maturity
model. It is likely that the need for management, gap analysis, and continuous
improvement will be reinforced by new regulatory initiatives. The significant
number of current discussion papers, consultative documents, and exposure
drafts will eventually form standards, principles, and regulations.
- Rolf von Roessing, senior manager,
KPMG,
rvr@scmltd.com
8. ORGANIZATIONS ARE RECOGNIZING
THE GROWING THREAT OF THE USE OF WEAPONS OF MASS DESTRUCTION IN TERRORIST
INCIDENTS.
WMD/CBRN: Is Fear Exceeding Reality?
Almost by definition terrorism will continually seek to change its face.
In the past few years we have seen new adversaries, new motivations, and
new methods surface to challenge many of our most fundamental assumptions
about terrorists and how they operate.
The situation is changing once again. Until recently, terrorism
was seen as a form of limited violence, as compared to traditional warfare
where one nation's army attacked another. But events in the United States
and now Madrid have fundamentally changed the picture. A Rubicon has been
crossed and as a result our understanding of war, terrorism, invasion,
weapons of mass destruction (WMD), and chemical, biological, radiological,
and nuclear weapons (CBRN) has significantly changed. It seems certain
that sooner or later, at least the United States, UK, or Israel will suffer
a WMD/CBRN attack - albeit only on the scale of the 1995 sarin gas attack
by Aum Shinrikyo on the Tokyo subway system that killed 12 and sent more
than 5000 people to hospitals.
Many experts believe the financial cost and logistical requirements
necessary to design, build, deliver, and activate any WMD preclude a sudden
attack by a terrorist organization against the West. The shift has therefore
been toward much better intelligence gathering and evaluation so we can
be alerted to a possible terrorist attack. This leads to actions such
as the grounding of recent flights to the United States from the UK and
France, and on a wider level, it might soon be necessary to consider the
complete evacuation of a town or even city rather than just a single aircraft.
This would of course make our security services de facto agents of the
terrorists, since mass evacuation on this scale could cause panic and
injuries, the risk being that we would trigger a response irrespective
of threat actuality - and thus play into the hands of the terrorists.
We are therefore in a world where we measure success against terrorists
using WMD/CBRN not by capturing the perpetrators and confiscating the
weapons, but chiefly by being able to predict or at least second guess
where they might strike next.
In the UK, the emergency services and other responding agencies
have always worked closely together to deal with the scene of a disaster.
They have carried out their roles in accordance with a range of guidance
issued by government departments, specialist agencies, and by the emergency
services themselves. Most recently, the Civil Contingencies Bill (stimulated
by 9/11) is now going through Parliament. This brings together and refines
some actions hanging over from the Cold War and the emergency procedures
that are used to respond to industrial accidents and civil emergencies.
It also sets up special reaction forces using our army (in the UK there
is no prohibition on using regular soldiers on our streets). It is designed
to enable the emergency services, the military, local authorities, health
professionals, and government departments and agencies to work together
more effectively during an incident, especially one involving WMD/CBRN.
- Peter Power, managing director,
Visor Consultants Ltd.,
info@visorconsultants.com
9. BUSINESS CONTINUITY MANAGEMENT
HAS RAPIDLY ESTABLISHED ITSELF AS AN INTEGRAL PART OF THE SUPPLY CHAIN
MANAGEMENT PROCESS.
BCM in Supply Chains
Given the number of former military personnel in business continuity,
it is hardly surprising that supply chain management has become a key
focus in BCM. In battle conditions, a break in supply lines may mean the
difference between life and death. In business the consequences of a supply
chain failure may be less dramatic but nevertheless vital to avoid.
So, is the management of supply chains a BCM issue at all?
Prior to Y2K, most organizations did not think so - surely dealing with
crises and problems is what logistics managers did every day!
However, the analysis undertaken to manage the Y2K event
gave rise to many disturbing conclusions. Not only were organizations
at risk from their own problems, but also the problems of their vendors.
Nowhere was this more obvious than in the supply of utilities and services
where, in the pursuit of cost savings, companies had negotiated single
sources of supply. The problem was wider, however, in that many other
key vendors emerged, each with a capability to cause serious disruption
should they fail. The trend to outsource manufacturing, particularly offshore,
added to both the length of the supply lines and the potential for disruption.
BCM is about identification of single points of failure,
understanding the impact of such failure, and mitigating the effect by
designing plans and solutions. This was exactly what was needed for supply
chain vulnerability assessment. In two sectors, manufacturing and retail,
business continuity has rapidly established itself as an integral part
of the supply chain process. Clearly retail and manufacturing are two
sides of the same problem, as retailers buy from manufacturers. However,
manufacturers also buy raw materials and components from other manufacturers.
Non-availability can stop production lines and continuous processes at
a stroke. In the area of just-in-time (JIT) production and delivery, this
can be disastrous in terms of lost productivity and compensation clause
claims.
Many smaller manufacturers are now finding that without
BCM in place they cannot get contracts with major customers who are writing
it into their agreements with all vendors. Retailers by contrast are usually
at the end of the supply chain and are in a position to demand resilience
and guaranteed supply from their vendors. Most large retailers are now
asking their vendors about plans and looking for proof of testing and
audit. A statement of BCM compliance in any contract is now almost mandatory,
while undertaking an audit of key vendors' BCM provisions is becoming
more commonplace.
- Lyndon Bird, managing director,
Continuity Planning Associates Ltd.,
lyndon.bird@cpa-ltd.com
… And One to Grow On
10. LET'S FACE IT - EVEN
WITH ALL THESE POSITIVE STEPS TAKEN IN THE PAST YEAR, THE PROFESSION STILL
STRUGGLES FOR RECOGNITION, AND WILL CONTINUE TO DO SO UNTIL IT BECOMES
A WELL-DEFINED AND BROADLY ESTABLISHED DISCIPLINE. PAUL KIRVAN, FBCI,
CBCP, CISSP HAS A VISION FOR HOW BCP CAN EVOLVE.
Operations Assurance: A New Strategy
for Business Protection
With increased threats to business and government from physical and cyber
sources, the issues of business continuity, security, and crisis management
have never been more important. However, these three functions are often
located in various parts of an organization, and there continues to be
a "silo" mentality in most businesses regarding the relationship of these
areas.
Assuming the disciplines exist in an organization, they
typically operate autonomously and only interact when absolutely necessary.
It is time to think of these issues in the greater context
of corporate governance. Governance in most cases is 100 percent involved
with the financial model of the enterprise. Every day the board of directors
of virtually every company challenges the CEO or managing director to
verifiably reduce total operating costs, improve productivity in an already
well-understood critical success strategy, or enable previously unavailable
strategic capabilities. These people should also be responsible for ensuring
that the business is protected.
Operations assurance is the process by which business continuity,
security (all forms), and crisis management are integrated into a unified,
holistic approach to corporate governance, with the mission of ensuring
uninterrupted operation of business and government. The second part of
this model is to establish a senior- or board-level activity that assumes
overall responsibility for these disciplines as part of corporate governance,
thus ensuring a single point of responsibility for continuity of operations.
With this concept of corporate governance - and the need
to maintain uninterrupted operations - we clearly see the need for business
continuity, security, and crisis management. But they can no longer remain
independent; they must move closer, in a more synergistic and collaborative
fashion. It is not necessary to dissolve these disciplines into a single
entity - yet. Rather, it may be better, as an initial focus, to identify
the best practices and policies of each and evolve them into a new, more
relevant corporate activity that is part of corporate governance; namely,
operations assurance.
Assuming we can integrate the best practices of these three
disciplines into something greater than the sum of the individual parts,
we have the beginnings of a new direction. The success of this direction
rests on several truths:
- The business continuity, security, and crisis management disciplines
can no longer ignore their interdependence.
- There is a growing need for integration of these disciplines within
corporate governance.
- The resulting discipline - operations assurance - needs senior management
attention and access to funding.
- The new discipline must play both strategic and tactical roles in
business and government.
Whether this concept is ultimately termed operations assurance,
global assurance, risk management, or otherwise coined, the vision of
tighter integration of the primary disciplines - business continuity,
security, and crisis management - is one that will lead to an evolution
of the business continuity profession. The BC community must embrace this
vision, mobilize it, document it, standardize it, regulate it, and promote
it as a front-line profession along with the likes of accounting, engineering,
and law.
- Paul Kirvan, FBCI, CBCP, CISSP,
editor in chief, CPM Global Assurance,
pkirvan@witterpublishing.com
ACKNOWLEDGEMENTS
Special thanks to the following individuals who helped
identify and develop these top issues: Judy Bell, Disaster Survival Planning
Network and DRG board chair; Geary Sikich, Logical Systems Management;
Pat Moore, Belfor USA; Shad Burcham, County of King OEM; Mohammed Dhooma,
CIBC; Norm Meier, The Catalyst; Michael Galin, Celestica; Paul Kirvan,
CPM Global Assurance and DRG board member; Cole Emerson, KPMG & DRII past;
Graeme Jannaway, DRI Canada; Brenda Jones, ACP national chair; Ed Deveau,
NEDRIX chair; Larry Kalmis, BCI chair; Skip Skivington, Kaiser Permanente;
and Adrian Gordon, Canadian Centre for Emergency Preparedness.