The importance of business continuity planning is a no-brainer--if you're a security leader who already thinks in terms of security and risk, that is. But convincing business executives, who typically think in dollars and cents, of such a plan's criticality may be a tougher sell. While the fundamental importance of business continuity is fairly obvious, the reason to spend lots of money on it may not be.
If you want to make an effective business case for business continuity, you need to make its effects tangible, before disaster strikes. That means emphasizing not just the criticality of risk mitigation, but also the business value and competitive edge that a strong business continuity plan can provide. "Far too often business continuity is thought of as an expense, overhead, or something we have to do to please the auditors," says Jack Smith, vice president and manager of global IT business continuity at ABN Amro in Chicago. "Look at it as a business opportunity and a competitive advantage instead."
Of course that's easier said than done. But here are a few tips to get you started.
1) Use regulatory compliance to your advantage.
Regulatory requirements are the obvious place to start in gathering support for business continuity planning. In certain industries, regulations will define your business continuity strategy. Especially if your company is in the healthcare, financial services or insurance industry, the need to comply with regulations may dictate your thresholds for recovery. Regulations can be an asset when you're trying to get buy-in from the board of directors and other executives, says Jim Grogan, vice president of consulting product development for SunGard Availability Services, a business continuity services provider. Educate yourself about the regulations for your industry--both ones that are in existence and those that may be on the horizon.
2) Aim to create a business continuity plan that reflects your company's culture.
As you get started, step outside of yourself and your own ideas and appreciate that business continuity means different things to different people, Smith advises. The type of business continuity plan you design and how you sell it will be influenced by your company's culture and organizational structure. Understanding this cultural landscape will help you craft a plan that is less likely to meet resistance from other parts of the business.
"Take a look at the various departments that make up the business," Smith says. "What are their priorities? What business functions are the most important? That's a great place to start."
3) Encourage grass-roots support by meeting individually with people in different business units.
A good business continuity plan is one that creates alignment among security, IT and corporate strategies and policies. Do the groundwork for that by meeting with the people in individual business units, says Grogan. Try to understand the mindset of the business unit leaders and their expectations for business continuity.
"There is typically a huge disconnect between business unit and IT/security executives, and they need to be on the same page," says Grogan. He suggests vigilance and constant dialogue to address changing security needs. "If the business isn't communicating with IT, then the business continuity strategy will miss the mark and have potentially serious business consequences," he says. More importantly, he says, if you don't have executives who believe the program has value and meets with corporate needs, you will probably never get funding for your plan in the first place.
4) Stay flexible.
Encourage and teach executives that business continuity plans are not one-size-fits-all, says Grogan. Asking for support for a business continuity program doesn't mean you're asking the business to treat every application and piece of infrastructure the same way. "Just because you need failover capability for one application doesn't mean you need that same capability for all files and systems," he says. "Creating a blended solution helps the business become confident they are spending money wisely based on business principles and policies." Again, this gives the plan a better chance of acceptance. Having a flexible system is also increasingly important as threats change. Natural disasters such as hurricanes and earthquakes are only part of the risk, alongside information security risks. "The chances of a data center experiencing a security breach are higher than its chances of catching on fire," says Grogan. Threats can come from anywhere on the Internet, which dictates the need for constant monitoring and reevaluation of plans once they are in place.
5) Find ways that business continuity can add to the bottom line.
Finally, try to approach business continuity as a way of doing business--not as an add-on. One way to get executives to see that is to show them how having a strong plan in place protects the bottom line, Smith says. Having a good business continuity plan can even help win over new business.
"When [the] LaSalle [Bank Building] had a major fire in 2004, they continued to process," Smith says, speaking of a subsidiary of ABN Amro. "No critical functions were interrupted, despite it being one of the largest fires in the history of Chicago." Being known as the one company that has proven to be resilient out of a slew of competitors has brought in new business for LaSalle, he says. "Staying up when others may be down is good business--not to mention good public relations."
Staff Writer Katherine Walsh can be reached at firstname.lastname@example.org.